Authentication policy tab
The filter table allows you to define the rules of the authentication policy to be applied through the firewall. High-priority rules are placed on top. The firewall executes rules in their order of appearance in the list (rule no. 1, 2 and so on) and stops as soon as it reaches a rule that matches the traffic that it processes. It is therefore important to define rules from most specific to most general.
If no rules have been defined in the policy or if the traffic does not match any of the specified rules, the Default method will be applied. If this method has not been configured or the action has been set to Block, all authentication attempts will be denied.
Actions on the rules of the authentication policy
Search by user... | This field allows searching by user login. The rules assigned to this user appear in the table. Example: if you enter “user1” in the field, all rules in the policy with “user1” as their source will appear in the table. |
New rule | Inserts a rule – predefined or to be defined – after the selected line. There are 5 possible choices: Standard rule, Guest rule, Temporary accounts rule, Sponsorship rule and Separator - rule grouping. The separator may allow the administrator to prioritize rules, for example, or group those that redirect traffic to different servers. You can collapse or expand the node of the separator in order to show or hide the rule grouping. You can also copy/paste a separator from one location to another. |
Delete | Deletes the selected line. |
Move up | Places the selected rule before the rule just above it. |
Move down | Places the selected rule after the rule just below it. |
Cut | Allows you to cut an authentication rule in order to move it. |
Copy | Allows you to copy an authentication rule in order to duplicate it. |
Paste | Allows you to duplicate an authentication rule after having copied it. |
Right-click menu
Some operations listed in the taskbar can be performed by right-clicking on the table of authentication rules:
- New rule (Standard rule, Guest rule, Temporary accounts rule, Sponsorship rule, Separator - rule grouping),
- Delete,
- Cut,
- Copy,
- Paste.
New rule
The authentication policy allows creating rules based on a user or a group of users. It is also possible to target certain traffic by specifying its source. Click on the "New rule" button and select "Standard rule", "Guest rule", "Temporary account rule" or "Sponsorship rule" to launch the wizard.
Step 1: Action
Action to apply for this rule: select the action to apply when an authentication request matches this rule.
You may choose:
- Allow,
- Block,
- Default (action chosen in the Default action to apply section under the authentication policy grid).
Step 2: User authentication
Select the user, user group or leave the default value as "Any user@default_domain" where default_domain represents the default directory / domain defined on the firewall.
This step is not offered for rules associated with the "Guest" or "Sponsorship" methods.
Step 3: Source
Click on Add an interface or Add an object in order to target the source of the traffic affected by the rule. This may be the interface on which your internal network is connected (e.g.: in interface) or the object corresponding to the internal networks (e.g.: Network_internals).
NOTE
The SSO agent authentication method cannot be applied with an interface as a criterion. This method is based on authentication events collected by domain controllers, which do not indicate the source of the traffic. A rule combining an interface as the source and the SSO agent method is therefore not allowed.
NOTE
The choice offered for the interface is the SSL VPN interface, indicating the interface on which users of an SSL VPN tunnel are connected.
Step 4: Authentication methods
This step is not offered for rules associated with the "Guest", "Temporary account" or "Sponsorship" methods.
Click on Enable a method and select from the drop-down list the desired authentication methods. The Default method selected corresponds to the method selected in the “Available methods” tab.
The “Block” entry can also be selected. It will then block authentication attempts on traffic that matches the rule.
One-time password | If you want to add time-based one-time passwords (TOTP) to this authentication method, set the switch to ON. The One-time password column will then be selected on the row of the corresponding authentication rule in the authentication policy. |
The authentication methods are evaluated in the order in which they appear in the list, from top to bottom. As the SSO agent method is transparent, it is by definition always applied first.
To enable the newly created rule, double-click on Disabled in the Status column in the authentication rule grid.
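As an added illustration of the first-match evaluation described at the top of this tab (rules applied in order, then the Default method and Default action if nothing matches) and of the rule attributes set in Steps 1 to 4, here is a small Python model. It is example code written for this page, not Stormshield code or anything from the product documentation. The rule names, the "sslvpn", "in" and "guest" interface names, the Network_* objects and the "LDAP" method are assumed, constructed values. The model also adds a shadowed-rule check that flags a specific rule placed below a more general one, which goes a step beyond what the tab itself reports.

```python
"""Constructed model of a first-match authentication policy (added example)."""
from dataclasses import dataclass, field
from typing import Optional

ALLOW, BLOCK, DEFAULT = "Allow", "Block", "Default"
SSO_AGENT = "SSO agent"
ANY_USER = "Any user@default_domain"


@dataclass
class Rule:
    name: str
    action: str                                  # Step 1: Allow, Block or Default
    user: str = ANY_USER                         # Step 2: login or "Any user@<domain>"
    source_interface: Optional[str] = None       # Step 3: e.g. "in" (assumed name)
    source_object: Optional[str] = None          # Step 3: e.g. "Network_internals"
    methods: list = field(default_factory=list)  # Step 4: evaluated top to bottom
    enabled: bool = False                        # new rules start as Disabled


@dataclass
class Request:
    user: str        # authenticating login, e.g. "alice@default_domain"
    interface: str   # interface the traffic arrived on
    network: str     # network object containing the source address


@dataclass
class Policy:
    rules: list
    default_action: str = BLOCK           # "Default action to apply"
    default_method: Optional[str] = None  # "Method to use if no rules match"


def check_rule(rule: Rule) -> None:
    """Reject the combination the tab refuses: SSO agent with an interface source."""
    if rule.source_interface is not None and SSO_AGENT in rule.methods:
        raise ValueError(f"{rule.name}: SSO agent cannot use an interface as source")


def user_matches(rule_user: str, login: str) -> bool:
    """'Any user@<domain>' covers every login of that domain; otherwise exact match."""
    if rule_user.startswith("Any user@"):
        return login.endswith("@" + rule_user.split("@", 1)[1])
    return rule_user == login


def rule_matches(rule: Rule, req: Request) -> bool:
    if not rule.enabled or not user_matches(rule.user, req.user):
        return False
    if rule.source_interface is not None and rule.source_interface != req.interface:
        return False
    if rule.source_object is not None and rule.source_object != req.network:
        return False
    return True


def evaluate(policy: Policy, req: Request):
    """Return (action, ordered methods or None, name of the matching rule or None)."""
    for rule in policy.rules:
        check_rule(rule)
        if not rule_matches(rule, req):
            continue  # disabled or non-matching rules are skipped
        action = policy.default_action if rule.action == DEFAULT else rule.action
        methods = [policy.default_method if m == DEFAULT else m for m in rule.methods]
        methods = [m for m in methods if m is not None]  # unset Default method drops out
        if action == BLOCK or BLOCK in methods:
            return BLOCK, None, rule.name
        if SSO_AGENT in methods:  # the transparent SSO agent is always tried first
            methods = [SSO_AGENT] + [m for m in methods if m != SSO_AGENT]
        return ALLOW, methods, rule.name
    # No rule matched: the Default method applies, unless it is unset or the
    # default action is Block, in which case authentication is denied.
    if policy.default_method is None or policy.default_action == BLOCK:
        return BLOCK, None, None
    return ALLOW, [policy.default_method], None


def covers(general: Rule, specific: Rule) -> bool:
    """True when every request matching `specific` would also match `general`."""
    return (user_matches(general.user, specific.user)
            and general.source_interface in (None, specific.source_interface)
            and general.source_object in (None, specific.source_object))


def shadowed_rules(policy: Policy) -> list:
    """Enabled rules that can never match because an earlier rule catches their traffic."""
    names = []
    for j, later in enumerate(policy.rules):
        if later.enabled and any(e.enabled and covers(e, later) for e in policy.rules[:j]):
            names.append(later.name)
    return names


# Constructed policy: specific Block rule first, general Allow rule second,
# and a guest rule still in the Disabled state.
POLICY = Policy(
    rules=[
        Rule("Block contractors on the SSL VPN", BLOCK, user="contractor@default_domain",
             source_interface="sslvpn", enabled=True),
        Rule("Internal users", ALLOW, source_object="Network_internals",
             methods=[DEFAULT, SSO_AGENT], enabled=True),
        Rule("Guest portal", ALLOW, source_interface="guest", methods=["Guest"]),
    ],
    default_action=BLOCK,
    default_method="LDAP",
)

if __name__ == "__main__":
    for req in (Request("contractor@default_domain", "sslvpn", "Network_remote"),
                Request("alice@default_domain", "in", "Network_internals"),
                Request("bob@default_domain", "guest", "Network_guest")):
        print(req.user, "->", evaluate(POLICY, req))
    print("shadowed:", shadowed_rules(POLICY))
```

Swapping the first two rules, or inserting a catch-all rule above them, makes `shadowed_rules` report the contractor rule: that is the "most specific to most general" ordering problem in concrete form, and the kind of check worth running before enabling a rule.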
Reorganizing rules
Every rule can be dragged and dropped so that the authentication policy can be reorganized easily. The drag symbol and the "Drag and drop to reorganize" tool tip appear when you hover over the beginning of the rule.
Default action
Default action to apply | Select the action (Allow or Block) that will be applied when traffic matches no rule in the policy. |
Default method
Method to use if no rules match | Select the method that will be applied when the Default method is selected in the authentication policy. The methods offered are those added to the table of available methods. |
Multi-user objects
This table allows selecting network objects that enable several authentications from the same IP address. For example, applications and data can be accessed from a remote computer (TSE server) by applying user-based filtering.
You can Add or Delete a multi-user object by clicking on the corresponding buttons.
NOTE
The SSO method does not allow “multi user” authentication.
Interactive features
Some operations listed in the taskbar can be performed by right-clicking on the table of multi-user objects:
- Add,
- Remove.