FortiGate
mturic
Staff
Article Id 192075
Description
This article explains how to configure a web-auth-cookie feature to reduce authentication requests.

Solution
With FSSO / NTLM, more authentication requests are generated from the FortiGate unit.

In a large environment, where a lot of authentication requests might be generated, it is a good practice to enable the parameter 'web-auth-cookie' in your authentication rule.
# config authentication rule
    edit NTLM_rule
        set srcaddr "all"
        set ip-based disable  --> to use only session-based authentication, default = enabled
        set active-auth-method "auth-scheme"
        set web-auth-cookie enable  --> available without ip-based authentication, default = disabled
    next
end
This helps to reduce the number of authentication requests to the authentication server when session-based authentication is applied using the explicit web proxy.

The 'web-auth-cookie' setting is only available when session-based authentication is enabled, which is done by setting 'ip-based' authentication to 'disable'.

When the 'web-auth-cookie' setting is enabled, only one request per session is authenticated. This reduces authentication requests for existing sessions and makes NTLM authentication more scalable.
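
The following check is an added example, not part of the original article or Fortinet's own code: a Python script that reads a FortiGate configuration backup and lists authentication rules that use session-based authentication (ip-based disable) without web-auth-cookie enabled. The function names, the sample configuration and the rule names other than NTLM_rule are constructed for illustration; the defaults follow the article, and rule names are assumed to be unique across the file.

```python
import re
# Defaults as stated in the article: ip-based enabled, web-auth-cookie disabled.
DEFAULTS = {"ip-based": "enable", "web-auth-cookie": "disable"}
# Constructed sample backup excerpt (rule names other than NTLM_rule are made up).
SAMPLE = """\
config authentication rule
    edit "NTLM_rule"
        set ip-based disable
        set active-auth-method "auth-scheme"
        set web-auth-cookie enable
    next
    edit "proxy_session_rule"
        set ip-based disable
        set active-auth-method "auth-scheme"
    next
    edit "ip_rule"
        set active-auth-method "auth-scheme"
    next
end
"""

def parse_auth_rules(config_text):
    """Return {rule_name: {setting: value}} from 'config authentication rule'."""
    rules, in_section, current, depth = {}, False, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config authentication rule"
        elif line.startswith("config "):   # nested table inside a rule: skip it
            depth += 1
        elif line == "end":
            if depth == 0:
                in_section = False         # section closed, keep scanning the file
            depth = max(depth - 1, 0)
        elif depth == 0 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            rules[current] = dict(DEFAULTS)
        elif depth == 0 and line == "next":
            current = None
        elif depth == 0 and current is not None:
            m = re.match(r"set\s+(\S+)\s+(.+)", line)
            if m:
                rules[current][m.group(1)] = m.group(2).strip().strip('"')
    return rules

def rules_missing_cookie(config_text):
    """Session-based rules (ip-based disable) that do not enable web-auth-cookie."""
    return sorted(n for n, s in parse_auth_rules(config_text).items()
                  if s["ip-based"] == "disable" and s["web-auth-cookie"] != "enable")
```

Rules left on IP-based authentication are not reported, because the setting is not available for them.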

