Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.6
Download PDF
Copy Link

authentication rule

Configure authentication rules based on protocol, address, and other parameters.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set protocol {ssh | ...}

New SSH authentication protocol.

When user/user-group is set in an SSH proxy policy, firewall authentication can be carried out for SSH proxy traffic.

config authentication rule
    edit {name}
    # Configure Authentication Rules.
        set name {string}   Authentication rule name. size[35]
        set status {enable | disable}   Enable/disable this authentication rule.
        set protocol {http | ftp | socks | ssh}   Select the protocol to use for authentication (default = http). Users connect to the FortiGate using this protocol and are asked to authenticate.
                http   Use HTTP for authentication.
                ftp    Use FTP for authentication.
                socks  Use SOCKS for authentication.
                ssh    Use SSH for authentication.
        config srcaddr
            edit {name}
            # Select an IPv4 source address from available options. Required for web proxy authentication.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.proxy-address.name,firewall.proxy-addrgrp.name
            next
        config srcaddr6
            edit {name}
            # Select an IPv6 source address. Required for web proxy authentication.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        set ip-based {enable | disable}   Enable/disable IP-based authentication. Once a user authenticates all traffic from the IP address the user authenticated from is allowed.
        set active-auth-method {string}   Select an active authentication method. size[35] - datasource(s): authentication.scheme.name
        set sso-auth-method {string}   Select a single-sign on (SSO) authentication method. size[35] - datasource(s): authentication.scheme.name
        set web-auth-cookie {enable | disable}   Enable/disable Web authentication cookies (default = disable).
        set transaction-based {enable | disable}   Enable/disable transaction based authentication (default = disable).
        set comments {string}   Comment. size[1023]
    next
end

Additional information

The following section is for those options that require additional explanation.

active-auth-method <name>

Set the active authentication method using the scheme name, as created in config authentication scheme.

ip-based {enable | disable}

Enable (by default) or disable IP-based authentication.

protocol {https | ftp | socks | ssh}

Matching protocol for authentication. The default is http.

srcaddr <addr>

Source address or address group name. This option (or srcaddr6) must be set.

srcaddr6 <addr>

Source IPv6 address or address group name, available for web proxy only. This option (or srcaddr) must be set.

sso-auth-method <name>

Set the Single-Sign-On (SSO) authentication method using the scheme name, as created in config authentication scheme.

status {enable | disable}

Enable (by default) or disable the authentication rule status.

transaction-based {enable | disable}

Enable or disable (by default) transaction-based authentication.

web-auth-cookie {enable | disable}

Enable or disable (by default) the web authentication cookie.

authentication rule

Configure authentication rules based on protocol, address, and other parameters.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set protocol {ssh | ...}

New SSH authentication protocol.

When user/user-group is set in an SSH proxy policy, firewall authentication can be carried out for SSH proxy traffic.

config authentication rule
    edit {name}
    # Configure Authentication Rules.
        set name {string}   Authentication rule name. size[35]
        set status {enable | disable}   Enable/disable this authentication rule.
        set protocol {http | ftp | socks | ssh}   Select the protocol to use for authentication (default = http). Users connect to the FortiGate using this protocol and are asked to authenticate.
                http   Use HTTP for authentication.
                ftp    Use FTP for authentication.
                socks  Use SOCKS for authentication.
                ssh    Use SSH for authentication.
        config srcaddr
            edit {name}
            # Select an IPv4 source address from available options. Required for web proxy authentication.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.proxy-address.name,firewall.proxy-addrgrp.name
            next
        config srcaddr6
            edit {name}
            # Select an IPv6 source address. Required for web proxy authentication.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        set ip-based {enable | disable}   Enable/disable IP-based authentication. Once a user authenticates all traffic from the IP address the user authenticated from is allowed.
        set active-auth-method {string}   Select an active authentication method. size[35] - datasource(s): authentication.scheme.name
        set sso-auth-method {string}   Select a single-sign on (SSO) authentication method. size[35] - datasource(s): authentication.scheme.name
        set web-auth-cookie {enable | disable}   Enable/disable Web authentication cookies (default = disable).
        set transaction-based {enable | disable}   Enable/disable transaction based authentication (default = disable).
        set comments {string}   Comment. size[1023]
    next
end

Additional information

The following section is for those options that require additional explanation.

active-auth-method <name>

Set the active authentication method using the scheme name, as created in config authentication scheme.

ip-based {enable | disable}

Enable (by default) or disable IP-based authentication.

protocol {https | ftp | socks | ssh}

Matching protocol for authentication. The default is http.

srcaddr <addr>

Source address or address group name. This option (or srcaddr6) must be set.

srcaddr6 <addr>

Source IPv6 address or address group name, available for web proxy only. This option (or srcaddr) must be set.

sso-auth-method <name>

Set the Single-Sign-On (SSO) authentication method using the scheme name, as created in config authentication scheme.

status {enable | disable}

Enable (by default) or disable the authentication rule status.

transaction-based {enable | disable}

Enable or disable (by default) transaction-based authentication.

web-auth-cookie {enable | disable}

Enable or disable (by default) the web authentication cookie.