Define IPv4 Access rules for authentication

The IPv4 Access rules in a firewall policy can be configured to match only when the user is authenticated.

In Firewall IPv4 Access rules, the Authentication cell specifies matching criteria for accessing a particular service and for setting options for the authentication. Authentication rules can be used to require authentication to access services and for authenticating VPN client users. With mobile VPNs, authentication is always mandatory. You can also require authentication for non-VPN access. Mobile VPN user authentication does not require specific rules for clients to authenticate. Browser-based authentication requires Access rules that allow access to the firewall interface.

CAUTION:
Only a VPN guarantees confidential information exchange. A rule that only requires authentication does not significantly increase the security of access from external networks to internal networks.

The authentication settings in a rule are configured in the same way regardless of whether a VPN is used. You define the authentication parameters in the Authentication cell.

Figure: Authentication field in the IPv4 Access rules

The User, User Group, and Authentication Method elements are only used as matching criteria. Any of the other rules above or below the rule for authentication can also match the authenticated user’s connections. If necessary, you can define rules that discard connections from some combinations of Users and Authentication methods.

An authentication method is activated when at least one rule that contains the corresponding Authentication Method element is installed on the firewall. Authentication is granted for a specific duration and is tied to the source IP address from which the user authenticated.

After the user successfully authenticates, the firewall adds the user to a list of authenticated users. The next connection that the user opens can match an Access rule that requires authentication if the user and authentication method match the parameters of the rule.

Connections from users who have not successfully authenticated, or whose authentication has expired, do not match rules that require authentication. Connection matching then continues to the rules further down in the policy.

It is especially important to consider whether other rules might match VPN client connections, because the VPN Client can be configured to receive an IP address from the organization’s internal IP address space. If necessary, you can define rules that discard connections from some combinations of Users and Authentication methods. You can use the Source VPN cell in IPv4 Access rules to match VPN traffic or non-VPN traffic.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Open the Firewall Policy for editing.
  2. Add an IPv4 Access rule, then define the Source, Destination, and Service.
  3. Right-click the Action cell and select the action:
    • Select Allow to create a rule that allows access to a particular service.
    • Select Use VPN if you want to direct connections into a VPN.
  4. Double-click the Authentication cell.
  5. On the Users tab, select the Users or User Groups that this rule applies to.
  6. On the Authentication Methods tab, select the Authentication Methods or click Set to ANY to allow any authentication method.
  7. Click OK to close the Authentication Parameters dialog box.
  8. Install the policy to transfer the changes to the Firewall.
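The following Python model is an added illustration, not code from the product documentation or from the vendor. It shows the matching behaviour described above (an authenticated-user list keyed by source IP address, an expiry, and fall-through to later rules when the authentication criteria are not met) applied to a rule shaped like the one built in the steps: Source, Destination, Service, Action, Users and Authentication Methods. The rule names, addresses, user names, method names and the 600-second duration are constructed assumptions.

```python
"""Toy model of an authentication-requiring IPv4 Access rule (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "ANY"  # stands in for the "Set to ANY" option on the Authentication Methods tab


@dataclass
class AuthEntry:
    user: str
    method: str
    expires_at: float  # authentication is granted to a source IP for a limited duration


@dataclass
class Rule:
    name: str
    source: str            # IPv4 network in CIDR form, or ANY
    destination: str       # IPv4 network in CIDR form, or ANY
    service: str           # service name, or ANY
    action: str            # "Allow", "Use VPN" or "Discard"
    users: Optional[frozenset] = None    # None: the rule does not require authentication
    methods: Optional[frozenset] = None  # None: no method restriction; {ANY}: any method

    def requires_auth(self) -> bool:
        return self.users is not None or self.methods is not None


@dataclass
class Connection:
    src_ip: str
    dst_ip: str
    service: str


def _in_net(ip: str, net: str) -> bool:
    return net == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


class AuthenticatedUsers:
    """The firewall's list of authenticated users, keyed by source IP address."""

    def __init__(self):
        self._by_ip = {}

    def grant(self, src_ip: str, user: str, method: str, now: float, duration: float) -> None:
        self._by_ip[src_ip] = AuthEntry(user, method, now + duration)

    def lookup(self, src_ip: str, now: float) -> Optional[AuthEntry]:
        entry = self._by_ip.get(src_ip)
        if entry is None or now >= entry.expires_at:
            self._by_ip.pop(src_ip, None)  # expired entries are dropped
            return None
        return entry


def rule_matches(rule: Rule, conn: Connection, auth: AuthenticatedUsers, now: float) -> bool:
    if not (_in_net(conn.src_ip, rule.source) and _in_net(conn.dst_ip, rule.destination)):
        return False
    if rule.service not in (ANY, conn.service):
        return False
    if not rule.requires_auth():
        return True
    # Authentication cell: the source IP must hold an unexpired authentication, and the
    # user and method must be among those selected in the rule.
    entry = auth.lookup(conn.src_ip, now)
    if entry is None:
        return False
    if rule.users is not None and entry.user not in rule.users:
        return False
    if rule.methods is not None and ANY not in rule.methods and entry.method not in rule.methods:
        return False
    return True


def evaluate(policy: list, conn: Connection, auth: AuthenticatedUsers, now: float) -> tuple:
    """Top-down matching: a non-matching authentication rule is skipped, not denied."""
    for rule in policy:
        if rule_matches(rule, conn, auth, now):
            return rule.name, rule.action
    return None, "Discard"  # nothing matched


# Constructed policy: one rule that requires authentication, then a catch-all discard.
POLICY = [
    Rule("Authenticated HTTPS to intranet", "203.0.113.0/24", "10.0.0.0/8", "HTTPS", "Allow",
         users=frozenset({"alice", "bob"}), methods=frozenset({"Browser password"})),
    Rule("Discard other external", "203.0.113.0/24", ANY, ANY, "Discard"),
]


def demo() -> list:
    auth = AuthenticatedUsers()
    conn = Connection("203.0.113.10", "10.1.2.3", "HTTPS")
    results = [evaluate(POLICY, conn, auth, now=0)]                    # not authenticated yet
    auth.grant("203.0.113.10", "alice", "Browser password", now=10, duration=600)
    results.append(evaluate(POLICY, conn, auth, now=20))               # authenticated, in time
    results.append(evaluate(POLICY, conn, auth, now=700))              # authentication expired
    auth.grant("203.0.113.10", "alice", "Client certificate", now=710, duration=600)
    results.append(evaluate(POLICY, conn, auth, now=720))              # method not accepted by rule
    return results
```

Running `demo()` returns the matched rule and action for each scenario: the first, third and fourth connections fall through to the discard rule, and only the second (valid user, accepted method, within the duration) is allowed. The model also shows the point of the caution above: the rule decides only whether the connection is allowed, and adds no confidentiality on its own.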

Authentication Parameters dialog box

Use this dialog box to configure authentication parameters in policy rules.

Users tab

  Option      Definition
  Resources   Use this pane to add elements to the Content pane.
  Content     Shows the selected users.
  Add         Adds the selected users to the Content pane.
  Remove      Removes the selected users from the Content pane.

Authentication Methods tab

  Option                           Definition
  Authentication Methods           Use this pane to add authentication methods to the Accepted Authentication Methods pane.
  Accepted Authentication Methods  Shows the selected authentication methods.
  Add                              Adds the selected authentication method to the Accepted Authentication Methods pane.
  Remove                           Removes the selected authentication method from the Accepted Authentication Methods pane.
  Set ANY                          Allows any of the supported authentication methods.