Proxy Auth Setting
This submenu provides settings for configuring authentication timeout, protocol support, authentication certificates, authentication schemes, and captive portals. When user authentication is enabled within a security policy, the authentication challenge is normally issued for any of the four protocols (depending on the connection protocol):
-
HTTP (can also be set to redirect to HTTPS)
-
HTTPS
-
FTP
-
Telnet
The selections control which protocols support the authentication challenge. Users must connect with a supported protocol first so that they can subsequently connect with other protocols. If HTTPS is selected as a method of protocol support, the user can authenticate with a customized local certificate.
When you enable user authentication within a security policy, the security policy user is challenged to authenticate. For user ID and password authentication, users must provide their user names and passwords. For certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on the unit, and the users can also have customized certificates installed on their browsers. Otherwise, users see a warning message and have to accept a default Fortinet certificate.
To configure proxy authentication settings, go to Policy & Objects > Proxy Auth Settings.
Configure the following settings and then select Apply to save your changes:
Authentication Timeout |
Enter the amount of time, in minutes, that an authenticated firewall connection can be idle before the user must authenticate again. From 1 to 480 minutes. The default is 5. |
Protocol Support |
Select the protocols to challenge during firewall user authentication from the following:
|
Certificate |
If you want to use a local certificate for authentication, enable Certificate and then select the certificate. The default is Fortinet_Factory. |
Active Auth Scheme |
If you want to use an active authentication scheme, enable Active Auth Scheme and then select which scheme to use. To create an authentication scheme, see Create or edit an authentication scheme. |
SSO Auth Scheme |
If you want to use a single-sign-on authentication scheme, enable SSO Auth Scheme and then select which scheme to use. |
Captive Portal |
If you want use a captive portal to authenticate web users, enable Captive Portal and then select a captive portal. Enter the captive port number and select the portal type. If you select IP as the captive portal type, enter the captive portal IP address. |
Redirecting HTTP user authentication to HTTPS |
Enable Redirecting HTTP user authentication to HTTPS if you want HTTPS user authentication used instead of HTTP user authentication and then enter the captive portal SSL port number. |
API Preview |
The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions. |
Edit in CLI |
Click to open a CLI console window to view and edit the setting in the CLI. If there are multiple CLI settings on the page, the CLI console shows the first setting. |
To use the API Preview:
- Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.
- Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.
- Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.
- Click Close to leave the preview.
To configure the authentication settings in the CLI:
config authentication setting
set active-auth-scheme <string>
set sso-auth-scheme <string>
set captive-portal <string>
set captive-portal-port <integer value from 1 to 65535; default is 0>
set auth-https {enable | disable}
set captive-portal-ssl-port <integer value from 1 to 65535; default is 7831>
end
-
active-auth-scheme
—Active authentication method. -
sso-auth-scheme
—SSO authentication method. -
captive-portal
—Captive portal host name. -
captive-portal-port
—Captive portal port number. -
auth-https
—Enable or disable redirecting HTTP user authentication to HTTPS. -
captive-portal-ssl-port
—Captive portal SSL port number.