Purpose
This article explains how to use "srcaddr-negate" in a policy to counter the fall-through authentication behavior that is the default starting in FortiOS 5.2.
End user experience after upgrade:
After upgrading from FortiOS 5.0 to 5.2, users who were previously required to authenticate are allowed through without authentication.
Reason:
In FortiOS 5.2, unauthenticated traffic is permitted to fall through to the next policy. Only if no other policy matches will the FortiGate force unauthenticated users to authenticate against the authentication policy.
For more details on the fall-through behavior, see "Why is the SSO_Guest_User policy not matched? (FortiOS 5.2)".
Scope
Firewall authentication (local, LDAP or RADIUS). Does not apply to FSSO.
Diagram
Expectations, Requirements
- Local firewall authentication is required for a group of users to access the Internet.
- We want users on addr-range-1 to receive the firewall authentication page.
- No authentication is required for other users.
Note: The solution provided in this article only works for policies which originally had the source "all".
Configuration
Original configuration (which worked in FortiOS 5.0):
config firewall address
    edit "addr-range-1"
        set type iprange
        set start-ip 192.168.3.95
        set end-ip 192.168.3.115
    next
end
config user group
    edit "group1"
        set member "test1"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "addr-range-1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "group1"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
After upgrade to FortiOS 5.2:
The above configuration no longer achieves the desired outcome.
Now unauthenticated traffic coming from addr-range-1 will fall through policy 1 and match policy 2.
Solution:
Change the source address of policy 2 to "addr-range-1" and enable "srcaddr-negate".
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "addr-range-1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "group1"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "addr-range-1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set srcaddr-negate enable
        set nat enable
    next
end
Traffic coming from "addr-range-1" no longer matches policy 2 and hits policy 1.
Traffic coming from any source other than "addr-range-1" will match policy 2.
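The following Python model is an added example, not FortiOS code or anything from this article: it simulates the policy lookup described above (first match, with an unauthenticated session falling through a policy that requires a user group, and the authentication prompt only when no later policy matches) and runs both policy tables through it for a host inside and a host outside addr-range-1. The policy fields, the `evaluate` function and the decision strings are assumptions made for the simulation; the addresses and policy numbers are those from the article.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed address table mirroring the article's "addr-range-1" object.
ADDRESSES = {
    "addr-range-1": (IPv4Address("192.168.3.95"), IPv4Address("192.168.3.115")),
}


def addr_matches(name: str, ip: IPv4Address) -> bool:
    """Source-address match; 'all' matches every IP (assumption: only ranges modelled)."""
    if name == "all":
        return True
    lo, hi = ADDRESSES[name]
    return lo <= ip <= hi


@dataclass
class Policy:
    pid: int                     # policy ID ("edit N")
    srcaddr: str                 # "set srcaddr ..."
    srcaddr_negate: bool = False  # "set srcaddr-negate enable"
    groups: tuple = ()           # "set groups ..." -> authentication required


def evaluate(policies, src_ip: str, authenticated: bool):
    """Model of the FortiOS 5.2 behaviour the article describes.

    Policies are walked in order. A policy whose source matches (after
    applying srcaddr-negate) is selected, unless it requires a user group
    and the session is unauthenticated: then the lookup falls through to
    the next policy. Only if nothing later matches does the FortiGate
    send the user to the authentication page of the first such policy.
    Returns (decision, policy_id).
    """
    ip = IPv4Address(src_ip)
    pending_auth = None
    for p in policies:
        matched = addr_matches(p.srcaddr, ip)
        if p.srcaddr_negate:
            matched = not matched
        if not matched:
            continue
        if p.groups and not authenticated:
            if pending_auth is None:
                pending_auth = p
            continue  # fall through: unauthenticated traffic is not stopped here
        return ("accept", p.pid)
    if pending_auth is not None:
        return ("authenticate", pending_auth.pid)
    return ("deny", None)  # implicit deny


# Policy table as it was before the fix (policy 2 has srcaddr "all").
ORIGINAL = [
    Policy(1, "addr-range-1", groups=("group1",)),
    Policy(2, "all"),
]

# Policy table after the fix (policy 2 uses addr-range-1 with srcaddr-negate).
FIXED = [
    Policy(1, "addr-range-1", groups=("group1",)),
    Policy(2, "addr-range-1", srcaddr_negate=True),
]


def compare(src_ip: str, authenticated: bool = False) -> dict:
    """Run one source IP through both tables so the difference is visible."""
    return {
        "original": evaluate(ORIGINAL, src_ip, authenticated),
        "fixed": evaluate(FIXED, src_ip, authenticated),
    }


if __name__ == "__main__":
    # Constructed sample hosts: one inside addr-range-1, one outside it.
    for ip in ("192.168.3.100", "192.168.3.50"):
        print(ip, "unauthenticated:", compare(ip, False))
        print(ip, "authenticated:  ", compare(ip, True))
```

Running it shows the symptom and the fix side by side: an unauthenticated host in addr-range-1 falls through to policy 2 under the original table but is held for authentication on policy 1 under the fixed table, while a host outside the range still reaches policy 2 in both cases because the negated match only excludes the range.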