manualshive.com logo in svg

Fortinet FortiGate 60M, User Manual

The Fortinet FortiGate 60M is a powerful network security appliance designed for small businesses. To get started quickly, you can download the free Quick Start Manual from 88.208.23.73:8080. This comprehensive manual contains all the instructions and information you need to maximize the functionalities of this exceptional product.

Share
Download
background image

Table of Contents 

FortiGate User Authentication Version 1 Guide
01-28007-0233-20050825

3

Table of Contents

Introduction ........................................................................................  5

The user’s view of authentication ....................................................................  5

Web-based user authentication ....................................................................  5
VPN client-based authentication ...................................................................  6

The FortiGate administrator’s view of authentication....................................  6

Authentication servers...................................................................................  7
Users.............................................................................................................  7
User groups...................................................................................................  7
Authentication timeout...................................................................................  8
Firewall policies.............................................................................................  8
VPN tunnels ..................................................................................................  8

Authentication servers ......................................................................  9

RADIUS Servers.................................................................................................  9

Understanding your RADIUS server .............................................................  9
Configuring the FortiGate unit to use a RADIUS server................................  9

LDAP Servers...................................................................................................  10

Understanding your LDAP server ...............................................................  11
Configuring the FortiGate unit to use an LDAP server................................  12

Active Directory servers .................................................................................  13

Understanding your Active Directory server................................................  13
Configuring the FortiGate unit to use an Active Directory server ................  13

Users and user groups ....................................................................  15

Users.................................................................................................................  15

Defining local users.....................................................................................  15

User groups......................................................................................................  17

Protection profiles .......................................................................................  17
Defining user groups ...................................................................................  17

Configuring authenticated access .................................................  19

Authentication timeout....................................................................................  19

Firewall policy authentication ........................................................................  19

Configuring authentication for a firewall policy............................................  20
Configuring authenticated access to the Internet........................................  20
Firewall policy order ....................................................................................  21

VPN authentication..........................................................................................  21

Authenticating PPTP and L2TP VPN users ................................................  22
Authenticating remote IPSec VPN users using dialup groups ....................  23
Enabling XAuth authentication for dialup IPSec VPN clients ......................  24

Summary of Contents for FortiGate 60M

Page 1: ...www fortinet com FortiGate User Authentication Version 1 U S E R G U I D E ...

Page 2: ...y purpose without prior written permission of Fortinet Inc Trademarks ABACAS APSecure FortiASIC FortiBIOS FortiBridge FortiClient FortiGate FortiGuard FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiManager Fortinet FortiOS FortiPartner FortiProtect FortiReporter FortiResponse FortiShield FortiVoIP and FortiWiFi are trademarks of Fortinet Inc in the Unite...

Page 3: ...your LDAP server 11 Configuring the FortiGate unit to use an LDAP server 12 Active Directory servers 13 Understanding your Active Directory server 13 Configuring the FortiGate unit to use an Active Directory server 13 Users and user groups 15 Users 15 Defining local users 15 User groups 17 Protection profiles 17 Defining user groups 17 Configuring authenticated access 19 Authentication timeout 19 ...

Page 4: ...FortiGate User Authentication Version 1 Guide 4 01 28007 0233 20050825 Table of Contents ...

Page 5: ...e VPN Guide The user s view of authentication The user sees a request for authentication when trying to access the protected resource The way in which the request is presented to the user depends on the method of access to that resource VPN authentication usually controls remote access to a private network Web based user authentication Firewall policies usually control browsing access to an extern...

Page 6: ...ate unit a user whose name is stored on the Fortigate unit and whose password is stored on an external authentication server an external authentication server with a database that contains the user name and password of each person who is permitted access You need to set up authentication in the following order 1 If external authentication is needed configure the required servers See Configuring th...

Page 7: ...ou to provide access only to selected employees for example You cannot combine these two uses of an authentication server in the same user group If you add the server to the user group adding individual users with authentication to that server is redundant If you want to use external authentication servers you must configure them before you configure users and user groups Users You define user ide...

Page 8: ...l is defined in the firewall policy that provides access to the network resource For example access to the Internet through the external interface from workstations on the internal network is made possible by an Internal to External firewall policy Firewall policies apply web filtering antivirus protection and spam filtering to the traffic they control according a protection profile When a firewal...

Page 9: ...IUS server listens on either port 1812 or port 1645 for authentication requests You must configure it to accept the FortiGate unit as a client The RADIUS server user database can be any combination of user names and passwords defined in a configuration file an SQL database the user account names and passwords configured on the computer where the RADIUS server is installed The RADIUS server uses a ...

Page 10: ...figuration You cannot remove a RADIUS server that belongs to a user group Remove it from the user group first 1 Go to User RADIUS 2 Select the Delete icon beside the RADIUS server name that you want to remove 3 Select OK To remove a RADIUS server from the FortiGate unit configuration CLI config user radius delete name end LDAP Servers Lightweight Directory Access Protocol LDAP is an Internet proto...

Page 11: ...n Unit OU level just above DC The Distinguished Name DN is ou People dc example dc com In addition to the DN the FortiGate unit needs an identifier for the individual person Although the FortiGate unit GUI calls this the Common Name CN the identifier you use is not necessarily CN On some servers CN is the full name of a person It might be more convenient to use the same identifier used on the loca...

Page 12: ...ifiers and the domain name or IP address of the LDAP server you can configure the server on the FortiGate unit To configure the FortiGate unit for LDAP authentication web based manager 1 Go to User LDAP 2 Select Create New to add a new LDAP server or select the Edit icon to edit an existing configuration 3 Enter a name for the LDAP server 4 Enter the domain name or IP address of the LDAP server 5 ...

Page 13: ...istinguished name For each object there is a shortcut to the distinguished name called the User Principal Name UPN The UPN looks similar to an email address It consists of a short name like a user ID followed by an symbol followed by the server domain name auser example com for example The user enters this as the user name at the authentication prompt Configuring the FortiGate unit to use an Activ...

Page 14: ...gure Active Directory server authentication using UPN queries CLI config user ldap edit name set server ip_address end To remove an Active Directory server from the FortiGate unit configuration You cannot remove an Active Directory server that has been added to a user group Remove it from the user group first 1 Go to User LDAP 2 Select Delete beside the server name that you want to delete 3 Select...

Page 15: ...tication server that has been configured on the FortiGate unit If the user is authenticated externally the user name on the FortiGate unit must be identical to the user name on the authentication server Table 1 How the FortiGate unit authenticates different types of users User type Authentication Local user with password stored on the FortiGate unit The user name and password must match a user acc...

Page 16: ...Directory server select LDAP and select the server name To authenticate this user using a RADIUS server select RADIUS and select the server name If you want to use an authentication server you must configure access to it first See Authentication servers on page 9 5 Select OK To define a local user CLI config user local edit user_name set type password set passwd user_password end or config user lo...

Page 17: ...ation its own protection profile is disabled and the user group protection profile applies For more information about protection profiles see Protection profile in the Firewall chapter of the FortiGate Administration Guide for your unit Protection profiles do not apply to VPN connections Defining user groups You define a user group by typing a name selecting users and or authentication servers and...

Page 18: ... User Authentication Version 1 Guide 18 01 28007 0233 20050825 User groups Users and user groups To define a group CLI config user group edit group_name set member user1 user2 usern set profile profile_name end ...

Page 19: ...et the firewall user authentication timeout Auth Timeout to control how long an authenticated connection can be idle before the user must authenticate again The maximum timeout is 480 minutes 8 hours The default timeout is 15 minutes To set the authentication timeout 1 Go to System Config Options 2 Enter the Auth Timeout value minutes 3 Select Apply Firewall policy authentication Firewall policies...

Page 20: ... move them to the Allowed list All members of the groups in the Allowed list will be authenticated to use the firewall policy 9 Select OK Configuring authenticated access to the Internet A policy for accessing the Internet is similar to a policy for accessing a specific network but the destination address is set to all The destination interface is the one that connects to the Internet service prov...

Page 21: ... these rules in mind More specific policies must be placed above more general ones Any policy that requires authentication must be placed above any similar policy that does not If a user fails authentication the firewall drops the request and does not check for a match with any of the remaining policies If you create a policy that requires authentication for HTTP access to the Internet you must pr...

Page 22: ...quired 3 Select Enable PPTP or Enable L2TP 4 Enter Starting IP and Ending IP addresses This defines the range of addresses assigned to VPN clients 5 Select the user group that is to have access to this VPN The FortiGate unit authenticates members of this user group 6 Select Apply To configure authentication for a PPTP or L2TP VPN CLI config vpn pptp set eip starting_ip set sip ending_ip set status...

Page 23: ...ure user group authentication for dialup IPSec web based manager 1 Configure the dialup users who are permitted to use this VPN Create a user group and add them to it For more information see Users and user groups on page 15 2 Go to VPN IPSec Phase 1 3 Select Create New or select Edit on an existing VPN gateway 4 From the Remote Gateway list select Dialup User 5 From the Authentication method list...

Page 24: ...rough an LDAP or RADIUS authentication server You must configure dialup users as members of a user group who are externally authenticated None can have passwords stored on the FortiGate unit To configure authentication for a dialup IPSec VPN web based manager 1 Configure the users who are permitted to use this VPN Create a user group and add them to it For more information see Users and user group...

Page 25: ...e user group that is to have access to this VPN The list of user groups does not include any group that has members whose password is stored on the FortiGate unit 9 Configure other VPN gateway parameters as needed 10 Select OK For more information about XAUTH configuration see Enabling XAUTH on the FortiGate unit in the FortiGate VPN Guide To configure authentication for a dialup IPSec VPN CLI con...

Page 26: ...FortiGate User Authentication Version 1 Guide 26 01 28007 0233 20050825 VPN authentication Configuring authenticated access ...

Reviews:

No comments

Related manuals for FortiGate 60M

Barracuda GloudGen Series Quick Start Manual preview
GloudGen Series
Brand: Barracuda Pages: 6
Symantec 10521148 - Network Security 7161 Implementation Manual preview
10521148 - Network Security 7161
Brand: Symantec Pages: 214
NETGEAR FVX538v1 - ProSafe VPN Firewall Dual WAN Specifications preview
FVX538v1 - ProSafe VPN Firewall Dual WAN
Brand: NETGEAR Pages: 2
ZyXEL Communications Unified Security Gateway ZyWALL 300 User Manual preview
Unified Security Gateway ZyWALL 300
Brand: ZyXEL Communications Pages: 1156
PYCH Clone+ User Manual preview
Clone+
Brand: PYCH Pages: 17
Aaeon FWS-7360 User Manual preview
FWS-7360
Brand: Aaeon Pages: 100
IBASE Technology FWA8208 Series User Manual preview
FWA8208 Series
Brand: IBASE Technology Pages: 55
Neoware Neoware c50 - Thin Client Specification preview
Neoware c50 - Thin Client
Brand: Neoware Pages: 5
SIIG FireWire 3-Port CardBus Quick Installation Manual preview
FireWire 3-Port CardBus
Brand: SIIG Pages: 8
SIIG DP FireWire 800 PCI-32T Quick Installation Manual preview
DP FireWire 800 PCI-32T
Brand: SIIG Pages: 12
Lundix It SPC SmartBox User Manual preview
SPC SmartBox
Brand: Lundix It Pages: 62

Brands by name

Popular brands

Load more brands