Define Access rules for authentication

The IPv4 and IPv6 Access rules in a firewall policy can be configured to match only when the user is authenticated.

In the Access rules of a Firewall policy, the Authentication cell specifies matching criteria for accessing a particular service and for setting options for the authentication. Authentication rules can be used to require authentication to access services and for authenticating VPN client users. With mobile VPNs, authentication is always mandatory. You can also require authentication for non-VPN access. Mobile VPN user authentication does not require specific rules for clients to authenticate. Browser-based authentication requires Access rules that allow access to the firewall interface.

CAUTION:
Only a VPN guarantees confidential information exchange. A rule that only requires authentication does not significantly increase the security of access from external networks to internal networks.

The authentication settings in a rule are configured in the same way regardless of whether a VPN is used. You define the authentication parameters in the Authentication cell.

Figure: Authentication field in the IPv4 Access rules



The User, User Group, and Authentication Method elements are only used as matching criteria. Any of the other rules above or below the rule for authentication can also match the authenticated user’s connections. If necessary, you can define rules that discard connections from some combinations of Users and Authentication methods.

An authentication method is activated when at least one rule that contains the corresponding Authentication Method element is installed on the firewall. The authentication is granted for a specific duration based on source IP address.

After the user successfully authenticates, the firewall adds the user to a list of authenticated users. The next connection that the user opens can match an Access rule that requires authentication if the user and authentication method match the parameters of the rule.

Connections from users who have not successfully authenticated, or whose authentication has expired do not match rules that require authentication. The connection matching continues to rules further down in the policy.

It is especially important to consider whether other rules might match VPN client connections. If necessary, you can define rules that discard connections from some combinations of Users and Authentication methods. You can use the Source VPN cell in Access rules to match VPN traffic or non-VPN traffic. The VPN Client can be configured to receive an IP address from the organization’s internal IP address space.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Browse to Policies > <Policy type>.
  3. Right-click a policy, then select Edit <Policy name>.
  4. Add an IPv4 or IPv6 Access rule, then define the Source, Destination, and Service.
  5. Right-click the Action cell, then select the action.
  6. Double-click the Authentication cell.
  7. Configure the settings, then click OK.
  8. Click Save and Refresh.

Authentication Parameters dialog box

Use this dialog box to configure authentication parameters for Access rules in Firewall policies.

Option Definition
Users tab

Add the users or user groups that this rule applies to.

Resources section. Add elements from this list to the list in the Content section. Click Add to add an element to the list, or Remove to remove the selected element. You can also drag and drop elements.
Filter Allows you to filter the elements shown.
Up Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
Tools > New Allows you to create a new element.
Tools > Show Deleted Elements When selected, elements that have been moved to the Trash are visible.
Option Definition
Authentication Methods tab

Add the authentication methods allowed for this rule.

Authentication Methods section. Shows the available authentication methods. Add elements from this list to the list in the Accepted Authentication Methods section. Click Add to add an element to the list, or Remove to remove the selected element. You can also drag and drop elements.
Set to ANY Allows any of the supported authentication methods.