FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
A common misunderstanding is that using the "FSSO Guest Users" group will allow "everyone else" through a policy. The correct explanation is that FSSO will allow anyone who is not part of the domain (or more accurately, not part of the groups monitored by the collector agent). To explain the difference, consider the following example:
User A is a member of group A.
User B is a member of group B.
User C is a member of group C.
User D is not part of the domain and thus is not part of any group.
If firewall policy 1 is allowing Group A, Group B and FSSO Guest Users to go out to the Internet then:
When User A or User B try to access the Internet, they are allowed because they are part of the allowed groups.
User D is allowed by FSSO Guest because the user is not part of the domain.
User C is part of the domain but is not part of any of the allowed groups so traffic from User C will be Dropped.
This allows the administrator to prevent certain groups from accessing the Internet while still allowing guests to go out.
It should be noted that this only applies to the groups monitored by the collector agent. If Group C is not monitored by the collector agent the FortiGate will think that User C is not part of the domain and it will allow the user out.
