manualshive.com logo in svg

Fortinet FortiGate 60M, User Manual

The Fortinet FortiGate 60M is a powerful network security appliance designed for small businesses. To get started quickly, you can download the free Quick Start Manual from 88.208.23.73:8080. This comprehensive manual contains all the instructions and information you need to maximize the functionalities of this exceptional product.

Share
Download
background image

FortiGate User Authentication Version 1 Guide

8

01-28007-0233-20050825

The FortiGate administrator’s view of authentication

Introduction

You select a protection profile for each User Group. Protection profiles determine 
the level of web filtering, antivirus protection and spam filtering applied to traffic 
controlled by the firewall policy to which members of this user group authenticate. 
For more information about protection profiles, see the 

FortiGate Administration 

Guide

.

Authentication timeout

An authenticated connection expires when it has been idle for a length of time that 
you specify. There is a single authentication timeout value that applies to every 
case. The choice of timeout duration is a balance between security and user 
convenience. The default is five minutes. For information about setting the 
authentication timeout, see 

“Authentication timeout” on page 19

.

Firewall policies

Access control is defined in the firewall policy that provides access to the network 
resource. For example, access to the Internet through the external interface from 
workstations on the internal network is made possible by an Internal to External 
firewall policy. 

Firewall policies apply web filtering, antivirus protection and spam filtering to the 
traffic they control according a protection profile. When a firewall policy requires 
authentication, its own protection profile option is disabled and the user group’s 
protection profile applies. 

For more information about firewall policies and protection profiles, see the 
Firewall chapter of the 

FortiGate Administration Guide

.

VPN tunnels

When you configure a PPTP or L2TP VPN, you choose one user group to be 
permitted access. For IPSec VPNs, you can use authentication by user group or 
XAUTH authentication using an external authentication server as an alternative to 
authentication by peer ID.

For more information about VPNs, see the 

FortiGate VPN Guide

.

Note: 

In firmware releases prior to version 2.80 MR6, the 

authentication timeout 

period 

is elapsed time, not inactive time.

Summary of Contents for FortiGate 60M

Page 1: ...www fortinet com FortiGate User Authentication Version 1 U S E R G U I D E ...

Page 2: ...y purpose without prior written permission of Fortinet Inc Trademarks ABACAS APSecure FortiASIC FortiBIOS FortiBridge FortiClient FortiGate FortiGuard FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiManager Fortinet FortiOS FortiPartner FortiProtect FortiReporter FortiResponse FortiShield FortiVoIP and FortiWiFi are trademarks of Fortinet Inc in the Unite...

Page 3: ...your LDAP server 11 Configuring the FortiGate unit to use an LDAP server 12 Active Directory servers 13 Understanding your Active Directory server 13 Configuring the FortiGate unit to use an Active Directory server 13 Users and user groups 15 Users 15 Defining local users 15 User groups 17 Protection profiles 17 Defining user groups 17 Configuring authenticated access 19 Authentication timeout 19 ...

Page 4: ...FortiGate User Authentication Version 1 Guide 4 01 28007 0233 20050825 Table of Contents ...

Page 5: ...e VPN Guide The user s view of authentication The user sees a request for authentication when trying to access the protected resource The way in which the request is presented to the user depends on the method of access to that resource VPN authentication usually controls remote access to a private network Web based user authentication Firewall policies usually control browsing access to an extern...

Page 6: ...ate unit a user whose name is stored on the Fortigate unit and whose password is stored on an external authentication server an external authentication server with a database that contains the user name and password of each person who is permitted access You need to set up authentication in the following order 1 If external authentication is needed configure the required servers See Configuring th...

Page 7: ...ou to provide access only to selected employees for example You cannot combine these two uses of an authentication server in the same user group If you add the server to the user group adding individual users with authentication to that server is redundant If you want to use external authentication servers you must configure them before you configure users and user groups Users You define user ide...

Page 8: ...l is defined in the firewall policy that provides access to the network resource For example access to the Internet through the external interface from workstations on the internal network is made possible by an Internal to External firewall policy Firewall policies apply web filtering antivirus protection and spam filtering to the traffic they control according a protection profile When a firewal...

Page 9: ...IUS server listens on either port 1812 or port 1645 for authentication requests You must configure it to accept the FortiGate unit as a client The RADIUS server user database can be any combination of user names and passwords defined in a configuration file an SQL database the user account names and passwords configured on the computer where the RADIUS server is installed The RADIUS server uses a ...

Page 10: ...figuration You cannot remove a RADIUS server that belongs to a user group Remove it from the user group first 1 Go to User RADIUS 2 Select the Delete icon beside the RADIUS server name that you want to remove 3 Select OK To remove a RADIUS server from the FortiGate unit configuration CLI config user radius delete name end LDAP Servers Lightweight Directory Access Protocol LDAP is an Internet proto...

Page 11: ...n Unit OU level just above DC The Distinguished Name DN is ou People dc example dc com In addition to the DN the FortiGate unit needs an identifier for the individual person Although the FortiGate unit GUI calls this the Common Name CN the identifier you use is not necessarily CN On some servers CN is the full name of a person It might be more convenient to use the same identifier used on the loca...

Page 12: ...ifiers and the domain name or IP address of the LDAP server you can configure the server on the FortiGate unit To configure the FortiGate unit for LDAP authentication web based manager 1 Go to User LDAP 2 Select Create New to add a new LDAP server or select the Edit icon to edit an existing configuration 3 Enter a name for the LDAP server 4 Enter the domain name or IP address of the LDAP server 5 ...

Page 13: ...istinguished name For each object there is a shortcut to the distinguished name called the User Principal Name UPN The UPN looks similar to an email address It consists of a short name like a user ID followed by an symbol followed by the server domain name auser example com for example The user enters this as the user name at the authentication prompt Configuring the FortiGate unit to use an Activ...

Page 14: ...gure Active Directory server authentication using UPN queries CLI config user ldap edit name set server ip_address end To remove an Active Directory server from the FortiGate unit configuration You cannot remove an Active Directory server that has been added to a user group Remove it from the user group first 1 Go to User LDAP 2 Select Delete beside the server name that you want to delete 3 Select...

Page 15: ...tication server that has been configured on the FortiGate unit If the user is authenticated externally the user name on the FortiGate unit must be identical to the user name on the authentication server Table 1 How the FortiGate unit authenticates different types of users User type Authentication Local user with password stored on the FortiGate unit The user name and password must match a user acc...

Page 16: ...Directory server select LDAP and select the server name To authenticate this user using a RADIUS server select RADIUS and select the server name If you want to use an authentication server you must configure access to it first See Authentication servers on page 9 5 Select OK To define a local user CLI config user local edit user_name set type password set passwd user_password end or config user lo...

Page 17: ...ation its own protection profile is disabled and the user group protection profile applies For more information about protection profiles see Protection profile in the Firewall chapter of the FortiGate Administration Guide for your unit Protection profiles do not apply to VPN connections Defining user groups You define a user group by typing a name selecting users and or authentication servers and...

Page 18: ... User Authentication Version 1 Guide 18 01 28007 0233 20050825 User groups Users and user groups To define a group CLI config user group edit group_name set member user1 user2 usern set profile profile_name end ...

Page 19: ...et the firewall user authentication timeout Auth Timeout to control how long an authenticated connection can be idle before the user must authenticate again The maximum timeout is 480 minutes 8 hours The default timeout is 15 minutes To set the authentication timeout 1 Go to System Config Options 2 Enter the Auth Timeout value minutes 3 Select Apply Firewall policy authentication Firewall policies...

Page 20: ... move them to the Allowed list All members of the groups in the Allowed list will be authenticated to use the firewall policy 9 Select OK Configuring authenticated access to the Internet A policy for accessing the Internet is similar to a policy for accessing a specific network but the destination address is set to all The destination interface is the one that connects to the Internet service prov...

Page 21: ... these rules in mind More specific policies must be placed above more general ones Any policy that requires authentication must be placed above any similar policy that does not If a user fails authentication the firewall drops the request and does not check for a match with any of the remaining policies If you create a policy that requires authentication for HTTP access to the Internet you must pr...

Page 22: ...quired 3 Select Enable PPTP or Enable L2TP 4 Enter Starting IP and Ending IP addresses This defines the range of addresses assigned to VPN clients 5 Select the user group that is to have access to this VPN The FortiGate unit authenticates members of this user group 6 Select Apply To configure authentication for a PPTP or L2TP VPN CLI config vpn pptp set eip starting_ip set sip ending_ip set status...

Page 23: ...ure user group authentication for dialup IPSec web based manager 1 Configure the dialup users who are permitted to use this VPN Create a user group and add them to it For more information see Users and user groups on page 15 2 Go to VPN IPSec Phase 1 3 Select Create New or select Edit on an existing VPN gateway 4 From the Remote Gateway list select Dialup User 5 From the Authentication method list...

Page 24: ...rough an LDAP or RADIUS authentication server You must configure dialup users as members of a user group who are externally authenticated None can have passwords stored on the FortiGate unit To configure authentication for a dialup IPSec VPN web based manager 1 Configure the users who are permitted to use this VPN Create a user group and add them to it For more information see Users and user group...

Page 25: ...e user group that is to have access to this VPN The list of user groups does not include any group that has members whose password is stored on the FortiGate unit 9 Configure other VPN gateway parameters as needed 10 Select OK For more information about XAUTH configuration see Enabling XAUTH on the FortiGate unit in the FortiGate VPN Guide To configure authentication for a dialup IPSec VPN CLI con...

Page 26: ...FortiGate User Authentication Version 1 Guide 26 01 28007 0233 20050825 VPN authentication Configuring authenticated access ...

Reviews:

No comments

Related manuals for FortiGate 60M

ZyXEL Communications ZyWALL 1050 Specifications preview
ZyWALL 1050
Brand: ZyXEL Communications Pages: 4
US Robotics Modem/Router Brochure & Specs preview
Modem/Router
Brand: US Robotics Pages: 4
Aaeon FWS-2271 User Manual preview
FWS-2271
Brand: Aaeon Pages: 100
Cisco Catalyst 3130 Software Configuration Manual preview
Catalyst 3130
Brand: Cisco Pages: 1354
Cisco Catalyst 3120 Software Manual preview
Catalyst 3120
Brand: Cisco Pages: 1224
IBM QRadar XGS 5200 Replacement Instructions Manual preview
QRadar XGS 5200
Brand: IBM Pages: 8
Lundix It SPC SmartBox User Manual preview
SPC SmartBox
Brand: Lundix It Pages: 62
IS5 COMMUNICATIONS RAPTOR iMX950 Hardware Installation Manual preview
RAPTOR iMX950
Brand: IS5 COMMUNICATIONS Pages: 47
Blue Coat SG210 series Installation Manual preview
SG210 series
Brand: Blue Coat Pages: 54
Blue Coat SG200 200 A Installation Manual preview
SG200 200 A
Brand: Blue Coat Pages: 60
Blue Coat ProxySG SG900-10 Maintenance And Upgrade Manual preview
ProxySG SG900-10
Brand: Blue Coat Pages: 104
Blue Coat SG810 series Installation Manual preview
SG810 series
Brand: Blue Coat Pages: 110
Juniper NS-2G24FE Manual preview
NS-2G24FE
Brand: Juniper Pages: 17

Brands by name

Popular brands

Load more brands