Chapter 3 Authentication for FortiOS 5.0 : Single Sign-On to Windows AD : Configuring Single Sign On to Windows AD : Creating security policies
  
Creating security policies
Policies that require FSSO authentication are very similar to other security policies. Using identity-based policies, you can configure access that depends on the FSSO user group. This allows each FSSO user group to have its own level of access to its own group of services.
In this situation, Example.com is a company that has its employees and authentication servers on an internal network. The FortiGate unit intercepts all traffic leaving the internal network and requires FSSO authentication to access network resources on the Internet. The following procedure configures the security policy for FSSO authentication. FSSO is already installed and configured, including the RADIUS server, the FSSO Collector agent, and the user groups on the FortiGate unit.
For the following procedure, the internal interface is port1 and the external interface connected to the Internet is port2. There is an address group for the internal network called company_network. The FSSO user group is called fsso_group, and the FSSO RADIUS server is fsso_rad_server.
To configure an FSSO authentication security policy - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Enter the following information.
Policy Type: Firewall
Policy Subtype: User Identity
Incoming Interface: port1
Source Address: company_network
Outgoing Interface: port2
Enable NAT: Select
3. In Configure Authentication Rules, select Create New.
4. Enter the following information.
Destination Address: all
Groups: Select from the FSSO user groups that you created earlier. FSSO_Guest_users is a default user group enabled when FSSO is configured. It allows guest users on the network who do not have an FSSO account to still authenticate and have access to network resources. See “Enabling guest access through FSSO security policies”.
Schedule: always
Service: HTTP, HTTPS, FTP, and Telnet
Action: ACCEPT
Log Allowed Traffic: Select. Logging FSSO logon events helps troubleshoot any FSSO-related issues.
UTM Security Profiles: Enable the AntiVirus, IPS, Web Filter, and Email Filter default profiles.
5. Select OK.
A new line of information will appear in the identity-based policy table, listing the user groups, services, schedule, UTM, and logging selected for the rule.
6. Select OK.
7. Ensure the FSSO authentication policy is higher in the policy list than more general policies for the same interfaces. Policies are matched from the top of the list down and the first match is used, so a more general policy listed above it would prevent the FSSO policy from ever being evaluated.
To create a security policy for FSSO authentication - CLI
config firewall policy
    edit 0
        # port1 is the internal interface, port2 faces the Internet
        set srcintf port1
        set dstintf port2
        set srcaddr company_network
        set dstaddr all
        set action accept
        # Policy subtype "User Identity" in the web-based manager
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule always
                # the FSSO user group plus the default FSSO guest group
                set groups fsso_group FSSO_Guest_users
                set service HTTP HTTPS FTP TELNET
            next
        end
    next
end
Here is an example of how this FSSO authentication policy is used. An Example.com employee on the internal company network logs on to the internal network using their RADIUS username and password. When that user attempts to access the Internet, which requires FSSO authentication, the FortiGate authentication security policy intercepts the session and checks with the FSSO Collector agent to verify the user’s identity and credentials. If everything is verified, the user is allowed access to the Internet.
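Step 7 of the procedure only holds if the FSSO policy really sits above any catch-all policy for the same interface pair, and on a long policy list that is easy to get wrong. The following Python script is an added example, not Fortinet code and not a FortiOS feature: it parses a small "config firewall policy" snippet in the CLI syntax shown above (the snippet itself is a constructed sample that reuses the port1, port2, company_network, fsso_group and FSSO_Guest_users names from this page) and reports any identity-based policy that an earlier, more general policy on the same interfaces would shadow. The parser handles only the subset of the CLI syntax used in the sample.

```python
"""Check FortiOS policy ordering for an FSSO identity-based policy.

Added example, not Fortinet's code. It reads a 'config firewall policy'
snippet in FortiOS CLI syntax and flags an identity-based (FSSO) policy
that is listed below a catch-all policy on the same srcintf/dstintf pair.
FortiGate evaluates policies top-down and uses the first match, so such an
FSSO policy is never reached.
"""
import shlex

# Constructed sample config: the FSSO policy (id 2) is listed AFTER a
# general all -> all policy (id 1) on port1 -> port2, so it never matches.
# Policy 3 is on a different interface pair and is unaffected.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 2
        set srcintf port1
        set dstintf port2
        set srcaddr company_network
        set dstaddr all
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule always
                set groups fsso_group FSSO_Guest_users
                set service HTTP HTTPS FTP TELNET
            next
        end
    next
    edit 3
        set srcintf dmz
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action accept
    next
end
"""


def parse_policies(text):
    """Return the policies in list order as dicts mapping 'set' keys to value lists.

    Only the top-level 'edit' entries of 'config firewall policy' are kept.
    Nested sub-tables such as identity-based-policy are skipped by tracking
    'config' / 'end' depth, because the ordering check only needs the
    top-level match fields (interfaces, addresses, identity-based flag).
    """
    policies, current, depth = [], None, 0
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            depth += 1
        elif cmd == "end":
            depth -= 1
        elif cmd == "edit" and depth == 1:
            current = {"id": int(args[0])}
            policies.append(current)
        elif cmd == "set" and depth == 1 and current is not None:
            current[args[0]] = args[1:]
    return policies


def is_general(policy):
    """A policy that needs no user identity and matches any source and destination."""
    return (policy.get("identity-based", ["disable"]) != ["enable"]
            and policy.get("srcaddr") == ["all"]
            and policy.get("dstaddr") == ["all"])


def shadowed_fsso_policies(policies):
    """Return (fsso_id, general_id) pairs where a general policy on the same
    interface pair precedes the FSSO policy. Action is deliberately ignored:
    an earlier matching deny shadows the FSSO policy just as an accept does."""
    findings = []
    for i, policy in enumerate(policies):
        if policy.get("identity-based") != ["enable"]:
            continue
        for earlier in policies[:i]:
            if (earlier.get("srcintf") == policy.get("srcintf")
                    and earlier.get("dstintf") == policy.get("dstintf")
                    and is_general(earlier)):
                findings.append((policy["id"], earlier["id"]))
    return findings


def check(text):
    """Parse a config snippet and return the shadowed FSSO policy findings."""
    return shadowed_fsso_policies(parse_policies(text))


if __name__ == "__main__":
    for fsso_id, general_id in check(SAMPLE_CONFIG):
        print(f"policy {fsso_id} (FSSO) is shadowed by earlier policy {general_id}: "
              f"move it above that policy")
```

Run against the sample it reports policy 2 as shadowed by policy 1; swapping the two entries clears the finding. On a real unit the same check can be run on the output of "show firewall policy", which uses the same syntax.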