Description
Prior to v5.6, an explicit proxy policy with authentication was treated as an identity-based firewall policy, which differs from how IPv4/IPv6 firewall policies handle authentication. From FortiOS 5.6 onwards, the explicit proxy policy is implemented like the IPv4/IPv6 firewall policies, including the fall-through behaviour.
On firmware v5.4, v5.2 and v5.0, an explicit proxy policy required selecting the action "authenticate", configuring an individual authentication rule and specifying the authentication method, such as FSSO or NTLM.
On firmware 5.6.0 onwards, however, the authentication method cannot be specified on the explicit proxy policy, and a user group added manually to the explicit proxy policy will not work by itself.
Solution
This article focuses on FSSO authentication on the explicit proxy policy; other authentication methods are configured in a similar manner. On firmware 5.6.0 onwards, authentication is separated from authorization (the explicit proxy firewall policy). On v5.6, authentication for the explicit proxy can only be configured via the CLI, as shown below:
    config authentication scheme
        edit "FSSO"
            set method fsso
        next
    end
    config authentication setting
        set sso-auth-scheme "FSSO"
    end
    config authentication rule
        edit "FSSO_Rule"
            set srcaddr "all"
            set sso-auth-method "FSSO"
        next
    end
The above configuration specifies FSSO as the authentication method for the explicit proxy policy. Once the corresponding FSSO user group has been added to the explicit proxy policy, it will work as expected.
Connectivity can be verified as follows:
    1000C # diagnose firewall auth list
    10.125.0.82, ALLOW1
        type: fsso, id: 0, duration: 5, idled: 5
        server: FSSO
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 2
        group_name: FSSO_Allow
    ----- 1 listed, 0 filtered ------

    1000C # diagnose wad user list
    ALLOW1 10.125.0.82 id:7 VD: root, duration: 5
        auth_type=1 auth_method=5 pol_id=1 g_id=2 user_based=0 expire=-1
        LAN:
            bytes_in=15248 bytes_out=128139
        WAN:
            bytes_in=127419 bytes_out=11988
auth_method=5 indicates that authentication is based on FSSO.
Note that both the firewall auth list and the wad user list must contain the logon information for the same user for authentication to work correctly.
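As an added check (example code, not part of the original article), the following Python parses the output of the two diagnose commands shown above and confirms that each proxy user is FSSO-authenticated (auth_method=5, the value the article identifies as FSSO) and appears in both tables, as the previous paragraph requires. The sample outputs are constructed from the article's listing.

```python
import re

# Constructed sample output modelled on the two diagnose commands shown above.
FIREWALL_AUTH_LIST = """\
10.125.0.82, ALLOW1
type: fsso, id: 0, duration: 5, idled: 5
group_name: FSSO_Allow
----- 1 listed, 0 filtered ------
"""
WAD_USER_LIST = """\
ALLOW1 10.125.0.82 id:7 VD: root, duration: 5
auth_type=1 auth_method=5 pol_id=1 g_id=2 user_based=0 expire=-1
"""
AUTH_METHOD_FSSO = 5  # auth_method value the article identifies as FSSO


def parse_firewall_auth_list(text):
    """Map (ip, user) -> fields from 'diagnose firewall auth list' output."""
    sessions, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+(?:\.\d+){3}),\s*(\S+)$", line.strip())
        if m:  # header line: "<ip>, <user>" starts a new session record
            cur = (m.group(1), m.group(2))
            sessions[cur] = {}
        elif cur and not line.startswith("-----"):
            sessions[cur].update((k, v.strip()) for k, v in re.findall(r"(\w+):\s*([^,]+)", line))
    return sessions


def parse_wad_user_list(text):
    """Map (ip, user) -> integer fields from 'diagnose wad user list' output."""
    users, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+(?:\.\d+){3})\s+id:(\d+)", line.strip())
        if m:  # header line: "<user> <ip> id:<n> ..." starts a new user record
            cur = (m.group(2), m.group(1))
            users[cur] = {"id": int(m.group(3))}
        elif cur:
            users[cur].update((k, int(v)) for k, v in re.findall(r"(\w+)=(-?\d+)", line))
    return users


def check_fsso_sessions(fw_text, wad_text):
    """Return findings; an empty list means each proxy user is FSSO-authenticated in both tables."""
    fw, wad, findings = parse_firewall_auth_list(fw_text), parse_wad_user_list(wad_text), []
    for (ip, user), info in wad.items():
        if info.get("auth_method") != AUTH_METHOD_FSSO:
            findings.append(f"{user}@{ip}: wad auth_method={info.get('auth_method')} is not FSSO")
        if fw.get((ip, user), {}).get("type") != "fsso":
            findings.append(f"{user}@{ip}: no fsso entry in firewall auth list")
    for ip, user in fw.keys() - wad.keys():
        findings.append(f"{user}@{ip}: in firewall auth list but not in wad user list")
    return findings
```

An empty findings list for the sample corresponds to the working state shown in the listing; any finding names the user whose session is missing or not FSSO-based in one of the two tables.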