Create and Manage Authentication Policy

Select the
page to create and manage Authentication policy rules:
Perform the following prerequisites before creating Authentication policy rules:
  • Configure the User-ID™ Authentication Portal settings (see Device > User Identification > Authentication Portal Settings). The firewall uses Authentication Portal to display the first authentication factor that the Authentication rule requires. Authentication Portal also enables the firewall to record the timestamps associated with authentication Timeout periods and to update user mappings.
  • Configure a server profile that specifies how the firewall can access the service that will authenticate users (see Device > Server Profiles).
  • Assign the server profile to an authentication profile that specifies authentication settings (see Device > Authentication Profile).
  • Assign the authentication profile to an authentication enforcement object that specifies the authentication method (see Objects > Authentication).
To create a rule, perform one of the following steps and then complete the fields described in Building Blocks of an Authentication Policy Rule:
  • Click
  • Select a rule on which to base the new rule and click Clone Rule. The firewall inserts the copied rule, named <rulename>#, below the selected rule, where # is the next available integer that makes the rule name unique, and generates a new UUID for the cloned rule. For details, see Move or Clone a Policy Rule.
To modify a rule, click the rule Name and edit the fields described in Building Blocks of an Authentication Policy Rule.
If the firewall received the rule from Panorama, the rule is read-only; you can edit it only on Panorama.
When matching traffic, the firewall evaluates rules from top to bottom in the order that the page lists them. To change the evaluation order, select a rule and Move Up, Move Down, Move Top, or Move Bottom. For details, see Move or Clone a Policy Rule.
To remove an existing rule, select and
To disable a rule, select and
it. To re-enable a disabled rule, select and
Highlight Unused Rules
To identify rules that have not matched traffic since the last time the firewall was restarted, Highlight Unused Rules. You can then decide whether to disable or delete unused rules. The page highlights unused rules with a dotted yellow background.
Preview rules (Panorama only): use Preview Rules to view a list of the rules before you push them to the managed firewalls. Within each rulebase, the page visually demarcates the rule hierarchy for each device group (and managed firewall) to make scanning numerous rules easier.