Technical Tip: Debug flow of policy based firewall authentication when hitting FSSO or RSSO first
| Description | This article shows the debug flow output when policy-based firewall authentication hits an FSSO or RSSO policy first. This applies only when auth-on-demand is set to always. |
| Scope | FortiGate. |
**Solution**

Firewall policy:
Force the authentication policy to take precedence over the IP-based policy by setting auth-on-demand to always:

```
config user setting
    set auth-on-demand always
end
```
With auth-on-demand set to always, the policies are evaluated top-down until one that requires firewall authentication is reached. In this case that is policy ID 7, which includes an FSSO group.
However, FSSO is a passive single sign-on method and does not present an authentication portal, so no portal is prompted for the user.
The debug flow looks as below:
```
id=20085 trace_id=6994 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=6, 10.234.1.225:50986->3.209.191.93:443) tun_id=0.0.0.0 from port2. flag [S], seq 1760010563, ack 0, win 8192" <----- The packet is HTTPS traffic (TCP 443) from internal IP 10.234.1.225 to external 3.209.191.93.
id=20085 trace_id=6994 func=init_ip_session_common line=6042 msg="allocate a new session-00096bb9, tun_id=0.0.0.0" <----- New session created.
id=20085 trace_id=6994 func=iprope_dnat_check line=5305 msg="in-[port2], out-[]"
id=20085 trace_id=6994 func=iprope_dnat_tree_check line=830 msg="len=0"
id=20085 trace_id=6994 func=iprope_dnat_check line=5317 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000" <----- No DNAT configured.
id=20085 trace_id=6994 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.47.15.254 via port1" <----- Route found via port1 gateway 10.47.15.254.
id=20085 trace_id=6994 func=iprope_fwd_check line=789 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0" <----- Policies checked top-down.
id=20085 trace_id=6994 func=__iprope_tree_check line=549 msg="gnum-100004, use svc hash, slot=27, len=6"
id=20085 trace_id=6994 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-7, ret-matched, act-accept" <----- Traffic matches policy ID 7.
id=20085 trace_id=6994 func=__iprope_user_identity_check line=1818 msg="ret-stop" <----- The user/IP is not yet identified (no known FSSO logon info for this source IP).
id=20085 trace_id=6994 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-stop, act-drop, idx-0" <----- Checks whether this should trigger a captive portal redirect: no (is_captive-0), because FSSO is passive and does not support authentication portals/prompts.
id=20085 trace_id=6994 func=iprope_fwd_auth_check line=845 msg="after iprope_captive_check(): is_captive-0, ret-stop, act-drop, idx-0" <----- Same result: authentication is required but cannot be actively prompted.
id=20085 trace_id=6994 func=fw_forward_handler line=717 msg="Denied by forward policy check (policy 0)" <----- Traffic is dropped by policy 0 (implicit deny).
```
Result: Denied by forward policy check (policy 0). The authentication portal was never presented to the user.
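To spot this failure pattern quickly in a longer `diagnose debug flow` capture, the following is an added Python example (not code from the article or from Fortinet). It groups records by trace_id and reports each trace that shows the sequence above: a policy matched, `__iprope_user_identity_check` returned ret-stop, `iprope_captive_check()` reported is_captive-0 with act-drop, and the session was denied by policy 0. The sample records are copied from the trace above with the annotations stripped.

```python
import re

# Sample records copied from the trace above (annotations stripped, reduced to what the check needs).
SAMPLE_FLOW = """\
id=20085 trace_id=6994 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=6, 10.234.1.225:50986->3.209.191.93:443) tun_id=0.0.0.0 from port2. flag [S], seq 1760010563, ack 0, win 8192"
id=20085 trace_id=6994 func=iprope_fwd_check line=789 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=6994 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-7, ret-matched, act-accept"
id=20085 trace_id=6994 func=__iprope_user_identity_check line=1818 msg="ret-stop"
id=20085 trace_id=6994 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-stop, act-drop, idx-0"
id=20085 trace_id=6994 func=fw_forward_handler line=717 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>[^"]*)"')
PKT_RE = re.compile(r"proto=\d+, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)")
POLICY_RE = re.compile(r"policy-(?P<pid>\d+), ret-matched")

def parse_flow(text):
    """Group debug-flow records by trace_id, keeping (func, msg) pairs in order."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces.setdefault(m["trace"], []).append((m["func"], m["msg"]))
    return traces

def diagnose_trace(records):
    """Return details of an 'auth required but not promptable' drop, else None.
    Sequence: policy ret-matched -> identity check ret-stop -> is_captive-0/act-drop -> policy 0 deny."""
    src = dst = dport = matched = None
    identity_stop = not_prompted = denied = False
    for func, msg in records:
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            src, dst, dport = p["src"], p["dst"], int(p["dport"])
        elif func == "__iprope_check_one_policy" and (p := POLICY_RE.search(msg)):
            matched = int(p["pid"])  # first policy that matched, i.e. the one requiring auth
        elif func == "__iprope_user_identity_check" and "ret-stop" in msg:
            identity_stop = True  # no logon (FSSO/RSSO) info known for this source IP
        elif "iprope_captive_check()" in msg and "is_captive-0" in msg and "act-drop" in msg:
            not_prompted = True  # auth is needed but this policy cannot present a portal
        elif func == "fw_forward_handler" and "Denied" in msg and "(policy 0)" in msg:
            denied = True
    if matched is not None and identity_stop and not_prompted and denied:
        return {"src": src, "dst": dst, "dport": dport, "auth_policy": matched}
    return None

def diagnose(text):
    """Map trace_id -> diagnosis for every trace in the capture that shows the pattern."""
    return {tid: d for tid, recs in parse_flow(text).items() if (d := diagnose_trace(recs))}
```

Traces that pass the identity check, or that are denied for another reason, are not reported, so the output lists only the source IPs whose traffic hit the SSO policy without a known logon.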
To resolve the issue: specify the source IP on the policy that uses FSSO or RSSO, restricting its source address to the hosts or subnet of the SSO users instead of leaving it open. Traffic from other sources then no longer matches that policy and continues down the policy list to a policy that can prompt the authentication portal.
Related article: