authentication rule
Configure authentication rules based on protocol, address, and other parameters.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
set protocol {ssh \| ...} | New SSH authentication protocol. When user/user-group is set in an SSH proxy policy, firewall authentication can be carried out for SSH proxy traffic. |
```
config authentication rule
    edit {name}
    # Configure Authentication Rules.
        set name {string}   Authentication rule name. size[35]
        set status {enable | disable}   Enable/disable this authentication rule.
        set protocol {http | ftp | socks | ssh}   Select the protocol to use for authentication (default = http). Users connect to the FortiGate using this protocol and are asked to authenticate.
                http     Use HTTP for authentication.
                ftp      Use FTP for authentication.
                socks    Use SOCKS for authentication.
                ssh      Use SSH for authentication.
        config srcaddr
            edit {name}
            # Select an IPv4 source address from available options. Required for web proxy authentication.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.proxy-address.name,firewall.proxy-addrgrp.name
            next
        config srcaddr6
            edit {name}
            # Select an IPv6 source address. Required for web proxy authentication.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        set ip-based {enable | disable}   Enable/disable IP-based authentication. Once a user authenticates all traffic from the IP address the user authenticated from is allowed.
        set active-auth-method {string}   Select an active authentication method. size[35] - datasource(s): authentication.scheme.name
        set sso-auth-method {string}   Select a single-sign on (SSO) authentication method. size[35] - datasource(s): authentication.scheme.name
        set web-auth-cookie {enable | disable}   Enable/disable Web authentication cookies (default = disable).
        set transaction-based {enable | disable}   Enable/disable transaction based authentication (default = disable).
        set comments {string}   Comment. size[1023]
    next
end
```
Additional information
The following section is for those options that require additional explanation.
active-auth-method <name>
Set the active authentication method using the scheme name, as created in config authentication scheme.
ip-based {enable | disable}
Enable (by default) or disable IP-based authentication.
protocol {http | ftp | socks | ssh}
Matching protocol for authentication. The default is http.
srcaddr <addr>
Source address or address group name. This option (or srcaddr6) must be set.
srcaddr6 <addr>
Source IPv6 address or address group name, available for web proxy only. This option (or srcaddr) must be set.
sso-auth-method <name>
Set the Single-Sign-On (SSO) authentication method using the scheme name, as created in config authentication scheme.
status {enable | disable}
Enable (by default) or disable the authentication rule status.
transaction-based {enable | disable}
Enable or disable (by default) transaction-based authentication.
web-auth-cookie {enable | disable}
Enable or disable (by default) the web authentication cookie.
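The option notes above can be checked mechanically against a configuration backup. The following Python sketch is an added example, not Fortinet code: it parses the `config authentication rule` table and reports rules with no source address, a protocol value outside the documented set, or IP-based authentication left at its default. It assumes options appear in flat `set <option> <value>` form; the rule, address and scheme names in the sample are constructed.

```python
import shlex

VALID_PROTOCOLS = {"http", "ftp", "socks", "ssh"}  # values listed in the syntax above
# Constructed sample in flat "set" form (an assumption); not taken from a real device.
SAMPLE_CONFIG = '''
config authentication rule
    edit "proxy-users"
        set srcaddr "lan-subnet"
        set ip-based disable
        set active-auth-method "form-scheme"
    next
    edit "ssh-jump"
        set protocol ssh
    next
    edit "legacy"
        set protocol https
        set srcaddr6 "lan6-subnet"
    next
end
'''

def parse_rules(text):
    """Return {rule: {option: first value}} from the 'config authentication rule' table."""
    rules, current, in_table = {}, None, False
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok == ["config", "authentication", "rule"]:
            in_table = True
        elif not in_table or not tok:
            continue
        elif tok[0] == "edit" and len(tok) > 1:
            current = rules.setdefault(tok[1], {})
        elif tok[0] == "set" and len(tok) > 2 and current is not None:
            current[tok[1]] = tok[2]
        elif tok[0] == "next":
            current = None
        elif tok[0] == "end" and current is None:
            in_table = False
    return rules

def audit(rules):
    """Return sorted (rule, finding) pairs, one per option note on this page that is violated."""
    findings = []
    for name, opts in rules.items():
        if "srcaddr" not in opts and "srcaddr6" not in opts:
            findings.append((name, "no srcaddr or srcaddr6 set"))
        if opts.get("protocol", "http") not in VALID_PROTOCOLS:  # default = http
            findings.append((name, "unknown protocol " + opts["protocol"]))
        if opts.get("ip-based", "enable") == "enable":  # enabled by default
            findings.append((name, "ip-based on: one login admits all traffic from that IP"))
    return sorted(findings)
```

Calling `audit(parse_rules(SAMPLE_CONFIG))` returns no findings for `proxy-users` and two each for `ssh-jump` and `legacy`.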