Tsug_
New Member
March 24, 2025
Question

Fsso and Mixed Policies Firewall Authentication


I have a question about reading the firewall rules.

If I have an FSSO rule with an AD "Basic" group and source "all", and BELOW it I have a BYPASS rule "all all",

which rule will the traffic from a user authenticated by FSSO in the "Basic" group match?

Is there any documentation that explains this?

Also, if I add an LDAP group to this same FSSO rule, would the behavior be the same?

4 replies

Jean-Philippe_P
Staff & Editor
March 27, 2025

Hello Tsug_,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Jean-Philippe - Fortinet Community Team
jhussain_FTNT
Staff
March 27, 2025

Hi,

If there is a policy without authentication, the firewall will first select the policy without authentication configured to allow the traffic, even though the policy with authentication is on top. Kindly refer to the document below.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-User-based-policy-not-working/ta-p/198282

Regards,

Jamal Hussain

Tsug_ (Author)
New Member
March 29, 2025

And with FSSO, is the behavior the same?

ebilcari
Staff
March 29, 2025

Yes, if the traffic is allowed by another policy, it will not match. More details are also shown in this article (the same applies to active and passive authentication).

Emirjon
Severo
New Member
March 30, 2025

In FortiGate firewalls, policies are evaluated sequentially from top to bottom. When a user's traffic matches a policy, that policy is applied, and subsequent policies are not considered.

In your scenario, if a policy that specifically allows traffic for users in the "Basic" Active Directory group via Fortinet Single Sign-On (FSSO) is positioned above a general "all-all" bypass policy, traffic from authenticated users in the "Basic" group will match the FSSO policy first. This means the specific FSSO policy will be applied to their traffic, and the more general bypass policy will not be evaluated for these users.

Regarding the inclusion of an LDAP group in the same FSSO policy, FortiGate supports integrating LDAP with FSSO to enhance user authentication and group management. By configuring LDAP servers and defining user groups, you can create policies that apply to users authenticated through both FSSO and LDAP.

 

hpenmetsa
Staff
March 30, 2025

Hi Tsug,

In FortiGate, firewall policies are processed in a top-down order, and FSSO is a passive authentication method. This means that if a user is already authenticated, traffic from that user will match the FSSO rule. If the user isn't authenticated, the FSSO rule won't match, and the traffic will match the BYPASS rule.

Thanks,
Hari
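As an added example (not part of the thread above and not Fortinet's own documentation): the FortiOS CLI configuration below reproduces the setup in the question, an FSSO policy for the AD "Basic" group placed directly above an unauthenticated "all/all" bypass policy, followed by the diagnostics you would run to see which policy a given client actually hit. The interface names (port2 inside, port1 outside), the policy IDs 10 and 20, the group DN and the client address 10.1.1.50 are assumptions chosen for illustration; substitute your own.

```fortios
# FSSO user group: members are the AD group DNs learned from the collector agent
config user group
    edit "Basic-FSSO"
        set group-type fsso-service
        set member "CN=Basic,OU=Groups,DC=example,DC=com"
    next
end

# Policy order matters: 10 sits above 20 in the sequence
config firewall policy
    edit 10
        set name "FSSO-Basic"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Basic-FSSO"     # authentication required: FSSO, passive
        set logtraffic all
    next
    edit 20
        set name "BYPASS"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept           # same traffic accepted with no authentication
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 1. Is the client known to FSSO at all, and in which groups?
diagnose debug authd fsso list
diagnose firewall auth list

# 2. Trace a few packets from the client and read the "Allowed by Policy-<id>" line
diagnose debug flow filter saddr 10.1.1.50
diagnose debug flow trace start 5
diagnose debug enable
# ... generate traffic from 10.1.1.50 ...
diagnose debug disable
diagnose debug flow filter clear
```

What to expect, matching the staff answers in the thread: a host whose FSSO logon places it in "Basic" shows `Allowed by Policy-10`; a host with no FSSO logon, or one whose user is not in "Basic", shows `Allowed by Policy-20` instead of being dropped at policy 10. Nothing in this pair ever denies traffic or prompts for credentials, because policy 20 accepts the same source, destination and service without authentication. If the intent is that only "Basic" members may pass, the bypass policy must stop matching the same traffic (narrower srcaddr, dstaddr or service), otherwise policy 10 is only a preference for logging and identity, not an access control.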