Chapter 3 Authentication for FortiOS 5.0 : Configuring authenticated access : Authentication in security policies
  
Authentication in security policies
Security policies control traffic between FortiGate interfaces, both physical interfaces and VLAN subinterfaces. Without authentication, a security policy enables access from one network to another for all users on the source network. Authentication enables you to allow access only for users who are members of selected user groups. To include authentication in a security policy, you must create an identity-based policy.
 
You can configure user authentication for security policies only when Action is set to Accept. If the policy is set to Deny, IPsec, or SSL VPN, the options are different.
The authentication method depends on the authentication protocol. If you have selected HTTP, FTP or Telnet, authentication is based on a username and password: the FortiGate unit prompts network users to enter their username and password. If you have selected HTTPS, certificate-based authentication occurs (over HTTPS, or HTTP redirected to HTTPS, only). You must install customized certificates on the FortiGate unit and on the browsers of network users, which the FortiGate unit matches.
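An added example, not from the original page or from Fortinet: an audit check that lists the Accept policies in a configuration backup that have no identity-based rules, that is, the policies that allow access for all users on the source network. It assumes the FortiOS 5.0 CLI keywords `set action accept` and `set identity-based enable`, which this page does not show; the sample configuration, interface names and group name are constructed.

```python
import shlex

# Constructed sample in FortiOS 5.0 CLI syntax; interface and group names are made up.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set srcintf "internal"
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "Staff"
                set action accept
            next
        end
    next
    edit 2
        set srcintf "guest"
        set action accept
    next
    edit 3
        set srcintf "wan1"
        set action deny
    next
end
"""

def unauthenticated_accept_policies(config_text):
    """Return IDs of Accept policies with no identity-based (authenticated) rules."""
    policies = {}  # policy ID -> {keyword: [values]} for top-level "set" lines
    stack = []     # currently open "config"/"edit" blocks, outermost first
    for raw in config_text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        verb = words[0]
        if verb == "config":
            stack.append(" ".join(words))
        elif verb == "edit":
            stack.append(words[1])
            if stack[:-1] == ["config firewall policy"]:
                policies[words[1]] = {}
        elif verb in ("next", "end") and stack:
            stack.pop()
        elif verb == "set" and len(stack) == 2 and stack[0] == "config firewall policy":
            policies[stack[1]][words[1]] = words[2:]
    return [pid for pid, s in policies.items()
            if s.get("action") == ["accept"] and s.get("identity-based") != ["enable"]]

print(unauthenticated_accept_policies(SAMPLE_CONFIG))
```

Settings inside the nested identity-based block are ignored on purpose, so a sub-rule's own `set action accept` is not mistaken for the policy's action.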
This section includes:
Enabling authentication protocols
Authentication replacement messages
Access to the Internet
Configuring authentication security policies
Identity-based policy
NTLM authentication
Certificate authentication
Restricting number of concurrent user logons