Grouping authorization rules
You may want to apply more than one authorization realm to a single server policy. Before you can use authorization rules in a protection profile, you must group them into a set. (These sets are called “authentication policies” in the web UI.)
Authentication policies also contain settings such as connection and cache timeouts that FortiWeb applies to all requests authenticated using this authentication policy.
 
Alternatively or in addition to HTTP authentication, with SSL connections, you can require that clients present a valid personal certificate. For details, see “Certificate Verification”.
To configure an authentication policy
1. Before you can configure an authentication policy, you must first configure:
end-users (see “Configuring local end-user accounts”, “Configuring LDAP queries”, or “Configuring NTLM queries”)
user groups (see “Grouping users”)
one or more authorization rules to select the authorization mechanism, select the user group, and the set of URLs that is the authorization realm (see “Applying user groups to an authorization realm”)
2. Go to Application Delivery > Authentication Policy > Authentication Policy.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions”.
3. Click Create New.
4. Configure these settings:
Setting name
Description
Name
Type a unique name that can be referenced in other parts of the configuration.
Do not use spaces or special characters. The maximum length is 35 characters.
Connection Timeout
Type the timeout, in milliseconds, for FortiWeb’s query to the remote authentication server.
The default is 2,000 (2 seconds). If the authentication server does not answer queries within this time, the client connection is dropped; increase this value if the server is slow to respond.
Cache
Enable if you want to cache authentication query results.
Tip: This can improve performance, especially if the connection to the remote authentication server is slow or experiences latency.
Alert Type
Select whether to log authentication failures and/or successes:
None: Do not generate an alert email or log message.
Failed Only: Generate an alert email and/or log message only for HTTP authentication failures.
Successful Only: Generate an alert email and/or log message only for successful HTTP authentication.
All: Generate an alert email and/or log message for every HTTP authentication attempt, regardless of success or failure.
Event log messages record the user name, authentication type, result, and source address. For example, a successful login is logged as User jdoe HTTP BASIC login successful from 172.20.120.46, and a failed login as User hackers HTTP BASIC login failed from 172.20.120.227.
5. If you enabled Cache, also configure the following:
Setting name
Description
Cache Timeout
Type the number of seconds that authentication query results will be cached.
When a record’s timeout is reached, FortiWeb will remove it from the cache. Subsequent requests from the client will cause FortiWeb to query the authentication server again, adding the query results to the cache again.
This setting is applicable only if Cache is enabled. The default value is 300.
Because FortiWeb does not re-query the authentication server while a cached result is valid, a password change or account lockout made on that server may not take effect for an already-authenticated client until its cache entry expires. Use a shorter timeout where prompt revocation matters more than query load.
6. Click OK.
7. Click Create New.
A dialog appears.
8. From the Auth Rule drop-down list, select the name of an authentication rule.
9. Click OK.
10. Repeat the previous steps for each individual rule that you want to add to the authentication policy.
11. To apply the authentication policy, select it in an inline protection profile that is included in a policy (see “Configuring a protection profile for inline topologies”).
 
If you have enabled logging, you can also make reports such as “Top Failed Authentication Events By Day” and “Top Authentication Events By User” to identify hijacked accounts or slow brute force attacks. See “Reports”.
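The built-in reports summarise authentication events; if you also forward the event log to a SIEM or a script, you can detect the two patterns this section mentions yourself. The following is an added example, not FortiWeb code: it parses log lines in the message format quoted above (User jdoe HTTP BASIC login successful from 172.20.120.46), flags sources whose failures are spread thinly over a long window (a slow brute force that a per-minute rate limit misses), and flags a successful login that follows a run of failures against the same account (a possible hijack). The "YYYY-MM-DD HH:MM:SS" prefix, the thresholds and the sample events are constructed for the example and are assumptions, not taken from a real device.

```python
"""Flag slow brute-force sources and suspect logins in FortiWeb-style
HTTP authentication event log lines.

Added example; not FortiWeb code. The message body follows the format the
manual quotes ("User jdoe HTTP BASIC login successful from 172.20.120.46").
The "YYYY-MM-DD HH:MM:SS" prefix and the sample events are constructed for
this example and are not taken from a real device.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"User (?P<user>\S+) HTTP (?P<method>\S+) login "
    r"(?P<result>successful|failed) from (?P<src>\S+)$"
)

# Constructed sample: a routine login, one typo, and a source that tries
# jdoe's password once every ten minutes (too slow for a rate limiter),
# then gets in.
SAMPLE_LOG = """\
2024-05-01 08:55:00 User jdoe HTTP BASIC login successful from 172.20.120.46
2024-05-01 09:00:00 User jdoe HTTP BASIC login failed from 172.20.120.227
2024-05-01 09:01:00 User asmith HTTP BASIC login failed from 172.20.120.50
2024-05-01 09:01:10 User asmith HTTP BASIC login successful from 172.20.120.50
2024-05-01 09:05:00 User hackers HTTP BASIC login failed from 172.20.120.227
2024-05-01 09:10:00 User jdoe HTTP BASIC login failed from 172.20.120.227
2024-05-01 09:20:00 User jdoe HTTP BASIC login failed from 172.20.120.227
2024-05-01 09:30:00 User jdoe HTTP BASIC login failed from 172.20.120.227
2024-05-01 09:40:00 User jdoe HTTP BASIC login failed from 172.20.120.227
2024-05-01 09:50:00 User jdoe HTTP BASIC login failed from 172.20.120.227
2024-05-01 10:00:00 User jdoe HTTP BASIC login successful from 172.20.120.227
"""


def parse_events(text):
    """Parse log text into dicts sorted by time; lines that do not match
    the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def slow_brute_force(events, min_failures=5, min_span=timedelta(minutes=30)):
    """Sources with at least min_failures failed logins spread over at least
    min_span. A per-minute rate limit misses these; counting over a long
    window does not. Returns {source: (failures, span_minutes)}."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "failed":
            failures[ev["src"]].append(ev["ts"])
    hits = {}
    for src, stamps in failures.items():
        span = max(stamps) - min(stamps)
        if len(stamps) >= min_failures and span >= min_span:
            hits[src] = (len(stamps), span.total_seconds() / 60)
    return hits


def suspect_logins(events, min_failures=5, window=timedelta(hours=2)):
    """Successful logins preceded, within window, by at least min_failures
    failed attempts against the same account (possible account hijack).
    Returns [(timestamp, user, source, prior_failures)]."""
    recent = defaultdict(list)  # user -> timestamps of failed attempts
    hits = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "failed":
            recent[user].append(ts)
            continue
        prior = [t for t in recent[user] if ts - t <= window]
        if len(prior) >= min_failures:
            hits.append((ts.strftime("%Y-%m-%d %H:%M:%S"), user, ev["src"], len(prior)))
        recent[user] = []  # a success ends the account's failure run
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("slow brute force:", slow_brute_force(evs))
    print("suspect logins:", suspect_logins(evs))
```

On the sample, 172.20.120.227 is reported with 7 failures over 50 minutes, and the 10:00 login to jdoe from that source is flagged because six failures against the account precede it; asmith's single typo is ignored. Tune min_failures and the window to your user population, and feed the functions the failure and success messages that Alert Type = All produces, since Failed Only hides the success that completes a hijack.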
See also
Applying user groups to an authorization realm
Single sign-on (SSO) (site publishing)