Purpose
This article explains how to use "srcaddr-negate" in a policy to counter the fall-through authentication behavior, which is the default behavior starting in FortiOS 5.2.
End user experience after upgrade:
After upgrading from FortiOS 5.0 to 5.2, users who were previously required to authenticate are allowed through without authentication.
Reason:
In FortiOS 5.2, unauthenticated traffic is permitted to fall through to the next policy. Only if there are no other matching policies will the FortiGate force unauthenticated users to authenticate against the authentication policy.
For more details on the fall-through behavior, see "Why is the SSO_Guest_User policy not matched? (FortiOS 5.2)".
Scope
Firewall authentication (local, LDAP or RADIUS). Does not apply to FSSO.
Diagram
Expectations, Requirements
- Local Firewall authentication is required for a group of users to access the Internet.
- We want users on addr-range-1 to receive the Firewall authentication page.
- No authentication is required for other users.
Note: The solution provided in this article only works for policies which originally had the source "all", because "srcaddr-negate" turns the policy into "any source except addr-range-1".
Configuration
Original configuration (which worked in FortiOS 5.0):

config firewall address
    edit "addr-range-1"
        set type iprange
        set start-ip 192.168.3.95
        set end-ip 192.168.3.115
    next
end

config user group
    edit "group1"
        set member "test1"
    next
end

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "addr-range-1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "group1"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
After upgrade to FortiOS 5.2:
The above configuration no longer achieves the desired outcome. Unauthenticated traffic coming from addr-range-1 now falls through policy 1 and matches policy 2, so it is accepted without authentication.

Solution:
Change the source address of policy 2 to "addr-range-1" and enable "srcaddr-negate", so that policy 2 matches every source except addr-range-1:
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "addr-range-1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "group1"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "addr-range-1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set srcaddr-negate enable
        set nat enable
    next
end
Traffic coming from "addr-range-1" no longer matches policy 2; since policy 1 is then the only matching policy, unauthenticated users from that range are forced to authenticate.
Traffic coming from any source other than "addr-range-1" matches policy 2 and is accepted without authentication.
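The following Python script is an added example, not part of the Fortinet article and not FortiOS code. It is a simplified model of the policy lookup the article describes, so the effect of the change can be checked before touching a production policy table: policies are evaluated in order, a policy that requires a user group is skipped ("falls through") for unauthenticated traffic when fall-through is on, and authentication is only forced when no other policy matched. The `fall_through` flag, the dictionary-based policy representation and the IP addresses used as test traffic are assumptions of this model; the address range, group and policy numbers are the ones from the article.

```python
import ipaddress

# Address objects from the article. None means the "all" object (any source).
ADDRESSES = {
    "all": None,
    "addr-range-1": (ipaddress.ip_address("192.168.3.95"),
                     ipaddress.ip_address("192.168.3.115")),
}


def src_matches(policy, src_ip):
    """Does src_ip match the policy's srcaddr, honouring srcaddr-negate?"""
    rng = ADDRESSES[policy["srcaddr"]]
    hit = True if rng is None else rng[0] <= src_ip <= rng[1]
    return (not hit) if policy.get("srcaddr_negate", False) else hit


def evaluate(policies, src_ip, authenticated_groups=(), fall_through=True):
    """Simplified model of FortiOS policy lookup (assumption, not FortiOS code).

    fall_through=True models the 5.2 behaviour described in the article:
    an unauthenticated session skips group-protected policies and only gets
    an authentication prompt if nothing else matched. fall_through=False
    models the earlier behaviour where the first address match that needs
    a group forces authentication immediately.
    Returns ("accept", id), ("authenticate", id) or ("deny", None).
    """
    src_ip = ipaddress.ip_address(src_ip)
    pending_auth = None
    for p in policies:
        if not src_matches(p, src_ip):
            continue
        groups = p.get("groups", ())
        if not groups or any(g in authenticated_groups for g in groups):
            return ("accept", p["id"])
        # Group required but session is unauthenticated.
        if not fall_through:
            return ("authenticate", p["id"])
        if pending_auth is None:
            pending_auth = p["id"]  # remember it; keep looking for another match
    if pending_auth is not None:
        return ("authenticate", pending_auth)
    return ("deny", None)  # implicit deny at the end of the table


# Policy table before the change (srcaddr "all" on policy 2).
ORIGINAL_POLICIES = [
    {"id": 1, "srcaddr": "addr-range-1", "groups": ("group1",)},
    {"id": 2, "srcaddr": "all"},
]

# Policy table after the change: policy 2 matches everything except addr-range-1.
FIXED_POLICIES = [
    {"id": 1, "srcaddr": "addr-range-1", "groups": ("group1",)},
    {"id": 2, "srcaddr": "addr-range-1", "srcaddr_negate": True},
]


def compare_tables(src_ip="192.168.3.100"):
    """Constructed test traffic from inside addr-range-1, unauthenticated."""
    return {
        "5.0 original": evaluate(ORIGINAL_POLICIES, src_ip, fall_through=False),
        "5.2 original": evaluate(ORIGINAL_POLICIES, src_ip),
        "5.2 fixed": evaluate(FIXED_POLICIES, src_ip),
    }


if __name__ == "__main__":
    for label, result in compare_tables().items():
        print(f"{label:13s} -> {result}")
```

Running the script shows the article's three states: the original table forces authentication on policy 1 without fall-through, accepts the same unauthenticated traffic on policy 2 once fall-through is on, and forces authentication on policy 1 again with `srcaddr-negate` on policy 2. Traffic from outside the range is accepted by policy 2 in both tables, matching the article's third expectation.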
Related Articles
Why is the SSO_Guest_User policy not matched? (FortiOS 5.2)
Technical Tip: Captive Portal Exempt list