Configuring the filter policy

The filter policy required in the SPNEGO method consists of an authentication rule and a filter rule.

Adding an authentication rule

This rule applies to users who have not yet been authenticated: their Internet-bound HTTP connections are redirected to the captive portal instead of reaching their destination.

  1. In the Configuration > Security Policy > Filter - NAT module, click on New rule and select Authentication rule.
  2. Change the predefined objects where necessary. In our example, we will use the objects suggested by default.

Adding a filter rule

This rule allows authenticated users to access the Internet:

  1. In the active filter policy, click on New rule and select Single rule.
  2. Double-click on this rule to edit it.
  3. In the Action menu > General tab, select the Action pass.
  4. In the Source menu > General tab, select the User Any user@directory. If no directories matching the Active Directory domain have been defined on the firewall, select Any user@none.
  5. In the Source menu > General tab, select the Source hosts (e.g. Network_internals).
  6. In the Destination menu > General tab, select Internet as Destination host.
  7. In the Port / Protocol > Port menu, select http as Destination port.
  8. In the Inspection menu, select the desired application inspections (URL filtering, etc.).
  9. Confirm and enable this rule by double-clicking in the Status column.
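The two rules above only work because the policy is evaluated first match wins: an unauthenticated user must hit the authentication rule before any pass rule can apply. The following added example (not Stormshield code; the Rule and Conn types, the user flag and the implicit final block are my simplifications) models that evaluation and includes a check that flags any pass rule that would let unauthenticated HTTP through without redirection.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                  # "redirect" sends the flow to the captive portal, "pass" allows it
    src_nets: frozenset = frozenset({"Network_internals"})
    dst: str = "Internet"
    dst_port: int = 80           # http
    user: Optional[bool] = None  # True: authenticated users, False: unauthenticated, None: any user

@dataclass(frozen=True)
class Conn:
    src_net: str
    dst: str
    dst_port: int
    authenticated: bool

def matches(rule: Rule, c: Conn) -> bool:
    return (c.src_net in rule.src_nets and c.dst == rule.dst
            and c.dst_port == rule.dst_port
            and (rule.user is None or rule.user == c.authenticated))

def evaluate(policy: list, c: Conn) -> str:
    """First matching rule wins; an unmatched flow is blocked (assumed implicit default)."""
    for rule in policy:
        if matches(rule, c):
            return rule.action
    return "block"

# The two rules from the procedure, in the order they sit in the policy.
SPNEGO_POLICY = [
    Rule("authentication", "redirect", user=False),  # unauthenticated -> captive portal
    Rule("web", "pass", user=True),                  # Any user@directory -> Internet
]

def unauthenticated_leak(policy: list, nets=("Network_internals",)) -> list:
    """Names of rules that let an unauthenticated HTTP flow pass without redirection."""
    leaks = []
    for net in nets:
        c = Conn(net, "Internet", 80, authenticated=False)
        for rule in policy:
            if matches(rule, c):
                if rule.action == "pass":
                    leaks.append(rule.name)
                break  # first match decides; later rules are never consulted
    return leaks
```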

The filter policy for the SPNEGO section will then look like this: