
Configuring an Authentication Policy

This section describes how to configure authentication policies to specify the data flows requiring authentication.

Context

An authentication policy is a set of authentication rules. A FW matches packets with multiple authentication rules from top to bottom. If the attributes of a packet match all the conditions of an authentication rule, the rule is successfully matched, and the FW does not match the packet with other rules. If no rule is matched, the FW applies the default authentication policy to the packet.

The FW has a default authentication policy with all matching conditions set to any and the action set to No authentication.

Procedure

  1. Choose Object > User > Authentication Policy.
  2. Click Add.
  3. Set the name and description of an authentication policy.

    Parameter

    Description

    Name

    Name of an authentication policy.

    The name of the authentication policy must be unique.

    Description

    Description of an authentication policy.

    Describe an authentication policy in a way that helps you understand the use of the authentication policy.

    Tag

    Select an existing tag or add a new tag.

    The tag identifies and categorizes the policy. You can query policies based on tags and delete, move, enable, or disable policies in batches based on the query results. For the tag description and configuration, see Tag.

  4. Configure matching conditions in the authentication policy.

    Matching conditions of an authentication rule are logically ANDed. A packet matches an authentication rule only after the packet attributes match all matching conditions. Items of a matching condition are logically ORed. A packet attribute matches a matching condition if the packet attribute matches any item of the matching condition.

    You must configure authentication rules in order from the most specific to the least specific.

    Parameter

    Description

    Source Zone

    Source security zone of an authentication policy.

    Destination Zone

    Destination security zone of an authentication policy.

    Source Address/Region

    Source address of an authentication policy.

    The source address can be any of the following:

    • Address and address group: You can also incorporate MAC address sets, discontinuous IP addresses, and contiguous IP address ranges that cannot be represented by a network or subnet mask into an address group. For details, see Address and Address Group.

      NOTE:

      To exclude an address or address group (source address or source addresses of traffic) from policy matching, select the address or address group from the available address area, select it in the selected address area and click Invert, and then click OK.

    • Region and region group: You can specify a region or region group as a match condition of a policy. For details, see Region and Region Group.
    • Domain group: You can specify a domain group as a match condition of a policy. For details, see Domain Group.
      NOTE:

      When an IP address corresponds to multiple domain names, at most 16 domain names can be looked up for that IP address. If the domain name found by the lookup is not in the policy rule, the policy cannot be matched. You are advised to configure all domain names that share an IP address in the same policy rule.

    You can manually enter addresses or select an existing address object from the drop-down list.

    Each entry in the drop-down list carries an icon that identifies its object type:

    • address
    • address group
    • country or region (shown with a region icon or a national flag). User-defined regions are displayed above predefined regions. A region is a group of addresses classified by geographic region.
    • region group
    • domain group

    When there are multiple available options, you can select Address or Region from the drop-down list, improving the configuration efficiency. When only Address is selected, the drop-down list displays all optional addresses, address groups, and domain groups. When only Region is selected, the drop-down list displays all optional regions and region groups.

    NOTE:
    Matching on a MAC address configured in the policy relies either on the across-Layer-3 MAC identification function or on ARP entries learned by the firewall.
    • If the FW works at Layer 2 and directly connects to an intranet or connects to a Layer-2 switch, MAC addresses can serve as matching conditions.
    • If the FW works at Layer 3 and directly connects to an intranet or connects to a Layer-2 switch, MAC addresses can serve as matching conditions through ARP learning.
    • If the FW connects to an intranet through a Layer-3 network device, configure across-Layer-3 MAC identification on the FW and then use MAC addresses as matching conditions. For the description of across-Layer-3 MAC identification, see Across-Layer-3 MAC Identification.

    Destination Address/Region

    Destination address of an authentication policy.

    You can manually enter addresses or select an existing address object from the drop-down list. Address object types in the drop-down list are the same as those of the Source Address/Region.

    NOTE:

    When an IP address corresponds to multiple domain names, at most 16 domain names can be looked up for that IP address. If the domain name found by the lookup is not in the policy rule, the policy cannot be matched. You are advised to configure all domain names that share an IP address in the same policy rule.

    When there are multiple available options, you can select Address or Region from the drop-down list, improving the configuration efficiency. When only Address is selected, the drop-down list displays all optional addresses, address groups, and domain groups. When only Region is selected, the drop-down list displays all optional regions and region groups.

    NOTE:

    To exclude an address or address group (destination address or destination addresses) from policy matching, select the address or address group from the available address area, select it in the selected address area and click Invert, and then click OK.

    Service

    The protocol type of the traffic. Services can be predefined or user-defined.

    • Predefined services are well-known services, such as HTTP, FTP, and Telnet.

    • You can also define services as needed. A user-defined service is configured by specifying information such as port numbers. User-defined services fall into three types, configured as follows:

      • For TCP/UDP/SCTP packets, you must specify the source and destination ports.
      • For ICMP packets, you must specify the ICMP message type and code.
      • For IP packets, you must specify the protocol number in the IP header.

    You can also create a service group and add predefined and user-defined services to the group.

    Authentication policies cannot trigger authentication for OSPF, BGP, bootpc, bootps, DNS, and DNS-TCP services. You cannot select such a service as a predefined service on the web UI. If the selected service group contains any unsupported service, the configuration fails.

    For details, see Service and Service Group.

    NOTE:

    To exclude a service or service group (service or service group of traffic) from policy matching, select the service or service group from the available service area, select it in the selected service area and click Invert, and then click OK.

  5. Specify an action for the authentication policy.

    Parameter

    Description

    Action

    Action in an authentication policy.

    • Portal authentication: Indicates that portal authentication is implemented on the traffic matching this policy.
    • Authentication exemption: Indicates that authentication exemption is implemented on the traffic matching this policy.
      Authentication exemption needs to be configured in the following scenarios:
      • The FW identifies user identities based on bindings between IP/MAC addresses and users.
      • The FW identifies user identities based on SSO messages.
      • Policy-based control needs to be implemented for users who access the FW through VPN to access intranet resources.
    • No authentication: Indicates that no authentication is implemented on the traffic matching this policy and that the FW cannot implement policy control by user.
    • Anonymous authentication: Indicates that the traffic that matches the policy is authenticated anonymously. The user can be authenticated without entering the user name or password. In this case, the FW identifies the user by IP address.

      Only USG6510E/6510E-POE/6530E, USG6515E/6550E/6560E/6580E, USG6610E/6620E, USG6630E/6650E, USG6680E and USG6712E/6716E support this function.

      In anonymous authentication, the device pushes a page to the user. Currently, page push is not supported for an HTTPS request.

    Portal Authentication Template

    Set this parameter if a user-defined portal authentication template is used.

    Click Enable and select an existing portal authentication template.

    This parameter is available only when Action is set to Portal authentication.

  6. Click OK.
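The matching semantics described in Context and step 4 (rules evaluated top to bottom, first match wins, conditions ANDed, items within a condition ORed, Invert excluding the selected items, the default policy applying when nothing matches, and the rejection of services that cannot trigger authentication) can be modelled in a few dozen lines. The following Python script is an added example, not Huawei code and not the FW's implementation; the zone names, addresses, rule names and the `Packet`/`Condition`/`Rule` classes are constructed for illustration, and the "empty item set means any" convention is an assumption used to model a condition left at its default.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Services the page lists as unable to trigger authentication; selecting one
# directly or inside a service group makes the configuration fail.
UNSUPPORTED_SERVICES = {"ospf", "bgp", "bootpc", "bootps", "dns", "dns-tcp"}


@dataclass(frozen=True)
class Packet:
    """Constructed packet attributes the policy matches on (hypothetical model)."""
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str


@dataclass
class Condition:
    """One matching condition. Items are ORed; an empty item set is assumed to
    mean 'any'. invert models the web UI's Invert button: listed items are excluded."""
    items: Set[str] = field(default_factory=set)
    invert: bool = False

    @staticmethod
    def _item_hits(item: str, value: str) -> bool:
        # Address items are written in CIDR form; everything else is a plain name.
        if "/" in item:
            return ip_address(value) in ip_network(item, strict=False)
        return item == value

    def matches(self, value: str) -> bool:
        if not self.items:
            return True
        hit = any(self._item_hits(i, value) for i in self.items)
        return (not hit) if self.invert else hit


@dataclass
class Rule:
    name: str
    action: str                       # "portal", "exempt", "no-auth" or "anonymous"
    conditions: Dict[str, Condition]  # keyed by Packet attribute name

    def matches(self, pkt: Packet) -> bool:
        # Conditions are ANDed: every configured condition must match.
        return all(c.matches(getattr(pkt, attr)) for attr, c in self.conditions.items())


def validate_rule(rule: Rule) -> None:
    """Reject a rule whose service condition contains an unsupported service."""
    svc = rule.conditions.get("service")
    if svc is not None:
        bad = {s for s in svc.items if s.lower() in UNSUPPORTED_SERVICES}
        if bad:
            raise ValueError(f"rule {rule.name!r}: cannot trigger authentication for {sorted(bad)}")


def evaluate(rules: List[Rule], pkt: Packet, default_action: str = "no-auth") -> Tuple[str, str]:
    """First matching rule, top to bottom, wins; otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "default", default_action


def any_of(*items: str, invert: bool = False) -> Condition:
    return Condition(set(items), invert)


# Constructed example policy, ordered most specific first as the page advises.
POLICY = [
    Rule("sso-servers-exempt", "exempt", {
        "src_zone": any_of("trust"),
        "src_ip": any_of("10.0.1.0/24"),
    }),
    Rule("trust-portal-except-printers", "portal", {
        "src_zone": any_of("trust"),
        "src_ip": any_of("10.0.9.0/24", invert=True),  # Invert: printer subnet excluded
    }),
    Rule("guest-web-portal", "portal", {
        "src_zone": any_of("guest"),
        "service": any_of("http", "https"),
    }),
]


def shadowing_demo() -> Tuple[str, str]:
    """Why order matters: with the two trust rules swapped, the broad rule
    captures the SSO servers before their exemption is ever reached."""
    pkt = Packet("trust", "untrust", "10.0.1.7", "203.0.113.10", "https")
    ordered = evaluate(POLICY, pkt)[1]
    swapped = evaluate([POLICY[1], POLICY[0], POLICY[2]], pkt)[1]
    return ordered, swapped


if __name__ == "__main__":
    for r in POLICY:
        validate_rule(r)
    for p in [Packet("trust", "untrust", "10.0.3.4", "203.0.113.10", "https"),
              Packet("trust", "untrust", "10.0.9.20", "203.0.113.10", "http"),
              Packet("dmz", "untrust", "172.16.0.5", "203.0.113.10", "http")]:
        print(p.src_zone, p.src_ip, "->", evaluate(POLICY, p))
    print("ordered vs swapped:", shadowing_demo())
```

The printer host 10.0.9.20 falls through to the default policy (No authentication) because the inverted source condition excludes it from the trust-wide portal rule and no later rule matches; that is the effect an operator should expect when using Invert rather than a separate exemption rule.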
Copyright © Huawei Technologies Co., Ltd.