“Authentication policy” tab

The filter table allows you to define the rules of the authentication policy to be applied through the firewall. High-priority rules are placed on top. The firewall executes rules in their order of appearance in the list (rule no. 1, 2 and so on) and stops as soon as it reaches a rule that matches the traffic that it processes. It is therefore important to define rules from most specific to most general.

If no rules have been defined in the policy or if the traffic does not match any of the specified rules, the Default method will be applied. If this method has not been configured or the action has been set to Block, all authentication attempts will be denied.

Actions on the rules of the authentication policy

Search by user

This field allows searching by user login. The rules assigned to this user appear in the table.


Example: If you enter “user1” in the field, all rules in the policy with “user1” as their source will appear in the table.

New rule

Inserts a rule – predefined or to be defined – after the selected line. There are 2 possible choices.


  • Standard rule: an authentication wizard will appear when this is selected. Please refer to the following section to see the options offered in each screen.
  • Guest method rule: this wizard offers to create an authentication rule through the Guest method. This method cannot be combined with other methods within the same rule as it does not require authentication.

NOTE 

The User object to select to match the Guest method is “All”.

NOTE 

This method is incompatible with multi-user objects; all users connected in Guest mode must have different IP addresses.

  • Temporary account rule: this wizard offers to create an authentication rule through the Temporary account method. This method cannot be combined with other methods within the same rule.
  • Sponsorship rule: this wizard offers to create an authentication rule through the Sponsorship method. This method cannot be combined with other methods within the same rule as it does not require authentication.
  • Separator – rule grouping: This option allows inserting a separator above the selected line and helps to improve the authentication policy’s readability and visibility.


For example, it lets the administrator prioritize rules or group rules that redirect traffic to different servers. You can collapse or expand the separator node to show or hide the grouped rules. You can also copy/paste a separator from one location to another.

Delete

Deletes the selected line.

Move up

Places the selected line before the line just above it.

Move down

Places the selected line after the line just below it.

Cut

Allows you to cut an authentication rule in order to move it.

Copy

Allows you to copy an authentication rule in order to duplicate it.

Paste

Allows you to duplicate an authentication rule after having copied it.

Multi-user objects

Defines one or several network objects authorized to allow several authentications on the same IP address. Click on “Add an object” and select from the drop-down list a host, network, IP address range or a group.

NOTE

The SSO method does not allow “multi user” authentication.


Please refer to the last section Transparent or explicit HTTP proxy and multi-user objects.

Interactive features

Some operations listed in the taskbar can be performed by right-clicking on the table of authentication rules:

  • New rule (Standard rule, Guest rule, Temporary accounts rule, Sponsorship rule, Separator - rule grouping),
  • Delete,
  • Cut,
  • Copy,
  • Paste.

New rule

The authentication policy allows creating rules based on a user or a group of users. It is also possible to target certain traffic by specifying its source. Click on the "New rule" button and select "Standard rule", "Guest rule", "Temporary account rule" or "Sponsorship rule" to launch the wizard.

Step 1: User authentication

Select the user or group concerned or leave the default value at “All”. This step is not offered for rules associated with the "Guest" or "Sponsorship" methods.

Step 2: Authentication source

Click on Add an interface or Add an object in order to target the source of the traffic affected by the rule. This may be the interface on which your internal network is connected (e.g.: IN interface) or the object corresponding to the internal networks (e.g.: Network_internals).

NOTE

The SSO agent authentication method cannot be applied with an interface as a criterion. This method is based on authentication events collected by domain controllers, which do not indicate the source of the traffic. A rule combining an interface as the source and the SSO agent method is therefore not allowed.

NOTE

The choice offered for the interface is the SSL VPN interface, indicating the interface on which users of an SSL VPN tunnel are connected.

Step 3: Authentication methods

This step is not offered for rules associated with the "Guest", "Temporary account" or "Sponsorship" methods.

Click on Authorize a method and select from the drop-down list the desired authentication methods. The Default method selected corresponds to the method selected in the tab “Available methods”.

The “Block” entry can also be selected. Selecting it blocks any authentication attempt on traffic affected by the rule.

The authentication methods are evaluated in the order in which they appear in the list, from top to bottom. Since the SSO agent method is transparent, it always takes priority regardless of its position.

To enable the new rule, double-click on the status “Disabled”.
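The following is an added example, not Stormshield code: a small model of the first-match rule evaluation described at the top of this tab (rule order, Default method fallback, Block) together with the per-rule method ordering of Step 3 (SSO agent always first). Rule names, object names such as Network_internals and the method labels are assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

DEFAULT, BLOCK, SSO = "Default", "Block", "SSO agent"

@dataclass
class Rule:
    user: str                                   # user or group name, or "All"
    sources: set = field(default_factory=set)   # interfaces/objects; empty = any source
    methods: list = field(default_factory=lambda: [DEFAULT])
    enabled: bool = True                        # new rules start as "Disabled"

@dataclass
class Policy:
    rules: list
    default_method: Optional[str] = None        # value of the "Default method" field

def first_match(policy, user, groups, source):
    """Rules are tried top to bottom; the first enabled matching rule wins."""
    for n, r in enumerate(policy.rules, 1):
        if not r.enabled:
            continue
        if r.user != "All" and r.user != user and r.user not in groups:
            continue
        if r.sources and source not in r.sources:
            continue
        return n, r
    return 0, None          # no rule matched: the Default method applies

def auth_methods(policy, user, groups, source):
    """Ordered methods offered to this traffic; [] means authentication is denied."""
    _, rule = first_match(policy, user, groups, source)
    ordered = []
    for m in (rule.methods if rule else [DEFAULT]):
        if m == DEFAULT:
            m = policy.default_method          # unconfigured Default => denied
        if m is None or m == BLOCK:
            return []
        ordered.append(m)
    if SSO in ordered:                         # transparent, so tried first
        ordered.remove(SSO)
        ordered.insert(0, SSO)
    return ordered

def rule_error(rule):
    """Constraint from the note above: SSO agent cannot use an interface as source."""
    if SSO in rule.methods and any(s.startswith("interface:") for s in rule.sources):
        return "SSO agent rule cannot use an interface as its source"
    return None
```

Putting a general "All / Network_internals" rule above a specific "admins" rule shadows the latter, which is why rules go from most specific to most general.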


Default method

Select the method that will be applied when the Default method is selected in the authentication policy. The methods offered are those added to the table of available methods.

Reorganizing rules

Every rule can be dragged and dropped so that the authentication policy can be reorganized easily. The drag-and-drop symbol and the "Drag and drop to reorganize" tooltip appear when you hover over the start of the rule.

Multi-user objects

This table allows selecting network objects that enable several authentications from the same IP address. This allows, for example, accessing applications and data from a remote computer (TSE server) by applying user-based filtering.

You can Add or Delete a multi-user object by clicking on the corresponding buttons.

Interactive features

Some operations listed in the taskbar can be performed by right-clicking on the table of multi-user objects:

  • Add,
  • Remove.