Configuring the filter policy
The filter policy required in the SPNEGO method consists of an authentication rule and a filter rule.
Adding an authentication rule
This rule redirects to the captive portal all Internet-bound HTTP connections from users who have not yet been authenticated.
- In the Configuration > Security Policy > Filter - NAT module, click on New rule and select Authentication rule.
- Change the predefined objects where necessary. In our example, we will use the objects suggested by default.
Adding a filter rule
This rule allows authenticated users to access the Internet:
- In the active filter policy, click on New rule and select Single rule.
- Double-click on this rule to edit it.
- In the Action menu > General tab, select the Action pass.
- In the Source menu > General tab, select the User Any user@directory. If no directories matching the Active Directory domain have been defined on the firewall, select Any user@none.
- In the Source menu > General tab, select the Source hosts (e.g. Network_internals).
- In the Destination menu > General tab, select Internet as Destination host.
- In the Port / Protocol > Port menu, select http as Destination port.
- In the Inspection menu, select the desired application inspections (URL filtering, etc.).
- Confirm and enable this rule by double-clicking in the Status column.
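To make the effect of these two rules concrete, the following is an added model of how the policy above evaluates traffic; it is illustration code written for this page, not Stormshield code, and it assumes first-match evaluation with an implicit block at the end, a constructed 192.168.0.0/16 network standing in for Network_internals, and "Internet" meaning any address outside that network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for the firewall's Network_internals object (assumption).
NETWORK_INTERNALS = ip_network("192.168.0.0/16")
HTTP = 80


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    user: Optional[str] = None  # None: the client has not authenticated yet


def is_internet(addr: str) -> bool:
    # Simplification: anything outside Network_internals counts as "Internet".
    return ip_address(addr) not in NETWORK_INTERNALS


def authentication_rule(f: Flow) -> Optional[str]:
    # Unauthenticated internal client sending HTTP to the Internet: captive portal.
    if (f.user is None and ip_address(f.src) in NETWORK_INTERNALS
            and is_internet(f.dst) and f.dport == HTTP):
        return "redirect:captive-portal"
    return None


def filter_rule(f: Flow, directory: Optional[str]) -> Optional[str]:
    # "Any user@directory" passes authenticated users of that directory only;
    # directory=None models "Any user@none" (any authenticated user).
    if f.user is None:
        return None
    if directory is not None and not f.user.endswith("@" + directory):
        return None
    if ip_address(f.src) in NETWORK_INTERNALS and is_internet(f.dst) and f.dport == HTTP:
        return "pass"
    return None


def evaluate(f: Flow, directory: Optional[str] = "example.local") -> str:
    # First matching rule wins; unmatched traffic falls through to the implicit block.
    rules = (authentication_rule, lambda x: filter_rule(x, directory))
    for rule in rules:
        verdict = rule(f)
        if verdict is not None:
            return verdict
    return "block"
```

Note that only port 80 is redirected: an unauthenticated client's HTTPS connection is simply blocked rather than sent to the portal, and an authenticated user from a directory other than the one selected in the rule is blocked unless Any user@none was chosen.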
The filter policy for the SPNEGO section will then look like this: