Authentication Rules
Authentication rules are used to receive user identity, based on the values set for the protocol and source address. If a rule fails to match based on the source address, there will be no other attempt to match the rule; however, the next policy will be attempted. This occurs only when:
- There is an authentication rule, but no authentication method has been set (under
config authentication scheme
), so the user identity cannot be found. - The user is successfully matched in the rule but fails to match the current policy.
After a rule is positively matched through the protocol and/or source address, the authentication is checked (with active-auth-method
and sso-auth-method
). These methods point to schemes, as defined under config authentication scheme
.
When you combine authentication rules and schemes, you have granular control over users and IP addresses, creating an efficient process for users to successfully match a criteria before matching the policy.
To manage authentication rules, go to Policy & Objects > Authentication Rules.
Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.
The following options are available:
Create New | Create an authentication rule or authentication scheme. See Create or edit an authentication rule. |
Edit | Modify an authentication rule or authentication scheme. See Create or edit an authentication rule. |
Delete | Remove an authentication rule or rules. |
Search | Enter a search term to find in the list. |
Authentication Rules/Authentication Schemes | Select Authentication Rules to see a list of authentication rules. Select Authentication Schemes to see a list of authentication schemes. |
Name | The name of the authentication rule. |
Source Address | The source IPv4 addresses, address groups, all, or none. |
Source IPv6 Address | The source IPv6 addresses, address groups, all, or none. |
Protocol | The protocol that is matched for the rule. |
Authentication Scheme |
The authentication scheme that is being used. To create an authentication scheme, see Create or edit an authentication scheme. |
SSO Authentication Scheme | The single sign-on authentication method. |
Destination Address |
The destination IPv4 addresses, address groups, all, or none. |
Destination IPv6 Address |
The destination IPv6 addresses, address groups, all, or none. |
Comments | An optional description of the authentication rule. |
IP-based Authentication | Whether IP-based authentication is enabled or disabled. |
Status | Whether the rule is enabled or disabled. |
To manage authentication schemes, go to Policy & Objects > Authentication Rules and then click Authentication Schemes.
Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.
The following options are available:
Create New | Create an authentication scheme. See Create or edit an authentication scheme. |
Edit | Edit an authentication scheme. See Create or edit an authentication scheme |
Delete | Delete an authentication scheme or schemes. |
Search | Enter a search term to find in the list. |
Authentication Rules/Authentication Schemes | Select Authentication Rules to see a list of authentication rules. Select Authentication Schemes to see a list of authentication schemes. |
Name | The name of the authentication scheme. |
Method | The authentication method: NTLM, Basic, Digest, Form-based, Negotiate, SAML, SSH Public Key, or Fortinet Single Sign-On (FSSO). |
User database | The name of the user database to use. |
Negotiate NTLM | Whether NTLM negotiation is required. |
Kerberos Keytab | The file containing the shared secret for Kerberos authentication. |
Domain Controller | The domain controller. |
FSSO Agent | The FSSO agent. |
Two-factor Authentication | Whether two-factor authentication is required. |
FSSO guest | Whether FSSO-guest authentication is required. |
SSH Local CA | Which CA certificate is being used. |
Ref. |
Displays the number of times the object is referenced to other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object. |