Configuring the filter policy

The filter policy required in the SPNEGO method consists of an authentication rule and a filter rule.

Adding an authentication rule

This rule is meant to redirect all Internet-bound HTTP connections by users that have not yet been authenticated to the captive portal instead.

  1. Click on New rule and select Authentication rule.
  2. Change the predefined objects where necessary. In our example, we will use the objects suggested by default.

Adding a filter rule

This rule allows authenticated users to access the Internet:

  1. In the active filter policy, click on New rule and select Single rule.
  2. Double-click on this rule to edit it.
  3. In the Action menu > General tab, select the Action pass.
  4. In the Source menu > General tab, select the User Any user@directory. If no directories matching the Active Directory domain have been defined on the firewall, select Any user@none.
  5. In the Source menu > General tab, select the Source hosts (e.g.: Network_internals).
  6. In the Destination menu > General tab, select Internet as Destination host.
  7. In the Port / Protocol > Port menu, select http as Destination port.
  8. In the Inspection menu, select the desired application inspections (URL filtering, etc).
  9. Confirm and enable this rule by double-clicking in the Status column.


The filter policy for the SPNEGO section will then look like this: