Creating security policies
Policies that require FSSO authentication are very similar to other security policies. Using identity-based policies, you can configure access that depends on the FSSO user group. This allows each FSSO user group to have its own level of access to its own group of services
In this situation, Example.com is a company that has its employees and authentication servers on an internal network. The FortiGate unit intercepts all traffic leaving the internal network and requires FSSO authentication to access network resources on the Internet. The following procedure configures the security policy for FSSO authentication. FSSO is installed and configured including the RADIUS server, FSSO Collector agent, and user groups on the FortiGate
For the following procedure, the internal interface is port1 and the external interface connected to the Internet is port2. There is an address group for the internal network called company_network. The FSSO user group is called fsso_group, and the FSSO RADIUS server is fsso_rad_server.
To configure an FSSO authentication security policy - web-based manager
1. Go to Policy & Objects > Policy > IP4 and select Create New.
2. Enter the following information.
Incoming Interface | port1 |
Source Address | company_network |
Source User(s) | fsso_group |
Outgoing Interface | port2 |
Destination Address | all |
Schedule | always |
Service | HTTP, HTTPS, FTP, and Telnet |
Action | ACCEPT |
NAT | OFF |
UTM Security Profiles | ON for AntiVirus, IPS, Web Filter, and Email Filter, all using default profiles. |
Log Allowed Traffic | ON. Select Security Events. |
3. Select OK.
A new line of information will appear in the identity-based policy table, listing the user groups, services, schedule, UTM, and logging selected for the rule.
4. Ensure the FSSO authentication policy is higher in the policy list than more general policies for the same interfaces.
5. Select OK.
To create a security policy for FSSO authentication - CLI
config firewall policy
edit 0
set srcintf internal
set dstintf wan1
set srcaddr company_network
set dstaddr all
set action accept
set groups company_network SSO_Guest_Users
set schedule any
set service HTTP HTTPS FTP TELNET
set nat enable
end
Here is an example of how this FSSO authentication policy is used. Example.com employee on the internal company network logs on to the internal network using their RADIUS username and password. When that user attempts to access the Internet, which requires FSSO authentication, the FortiGate authentication security policy intercepts the session, checks with the FSSO Collector agent to verify the user’s identity and credentials, and then if everything is verified the user is allowed access to the Internet.