Creating security policies
Two security policies are needed: one for the local firewall user group, which connects through port3, and one for the FSSO group, which connects through port2. Both policies allow traffic out through port1 with NAT enabled, and both are identity-based, so a session is only allowed once the source user is matched to the named group.
To create a security policy for FSSO authentication - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Enter the following information:
Setting | Value
Policy Type | Firewall
Policy Subtype | User Identity
Incoming Interface | port2
Source Address | Windows_net
Outgoing Interface | port1
Enable NAT | Select
3. In Configure Authentication Rules, select Create New. In the New Authentication Rule window, enter the following information, and then select OK:
Setting | Value
Destination Address | all
Group(s) | FSSO_Internet_users
Schedule | always
Service | ALL
UTM Security Profiles | Optionally, enable UTM profiles.
4. Select OK.
To create a security policy for FSSO authentication - CLI
Using edit 0 creates a new policy and assigns it the next free policy ID. The service is ALL, matching the web-based manager settings above.
config firewall policy
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr Windows_net
        set dstaddr all
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule always
                set groups FSSO_Internet_users
                set service ALL
            next
        end
    next
end
To create a security policy for local user authentication - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Enter the following information:
Setting | Value
Policy Type | Firewall
Policy Subtype | User Identity
Incoming Interface | port3
Source Address | Internal_net
Outgoing Interface | port1
Enable NAT | Select
3. In Configure Authentication Rules, select Create New. In the New Authentication Rule window, enter the following information, and then select OK:
Setting | Value
Destination Address | all
Group(s) | Internet_users
Schedule | always
Service | ALL
UTM Security Profiles | Optionally, enable UTM profiles.
4. Select OK.
To create a security policy for local user authentication - CLI
Address and group names are case-sensitive, so the source address must be entered as Internal_net, exactly as it was defined. The service is ALL, matching the web-based manager settings above.
config firewall policy
    edit 0
        set srcintf port3
        set dstintf port1
        set srcaddr Internal_net
        set dstaddr all
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule always
                set groups Internet_users
                set service ALL
            next
        end
    next
end
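To verify the two policies - CLI
The following commands are an added check and are not part of the original procedure. They confirm that both identity-based policies were created as intended and that the FortiGate is actually receiving the user-to-group information the policies depend on. The policy IDs are assigned automatically by edit 0, so they are not assumed here; read them from the show output.

```fortios
show firewall policy
diagnose debug authd fsso server-status
diagnose debug authd fsso list
diagnose firewall auth list
```

The show output should list two policies, each with identity-based enabled, the expected srcintf and srcaddr, dstaddr all, service ALL and nat enable, and an identity-based-policy sub-entry naming FSSO_Internet_users or Internet_users respectively. The FSSO server-status command confirms the FortiGate is connected to the collector agent; the FSSO list shows the logged-on users and the groups they were placed in, which is what the port2 policy matches against. If a Windows_net user is not in FSSO_Internet_users in that list, the FSSO policy will not match and the user will be blocked even though the policy looks correct. Finally, diagnose firewall auth list shows users currently authenticated against the port3 policy, which is the quickest way to confirm that local user authentication is being triggered.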