FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article explains an important factor in Fortinet Single Sign On (FSSO) when evaluating authenticated and unauthenticated DNS traffic.

In FortiOS 5.2 and later, an FSSO authentication firewall policy handles DNS traffic (UDP port 53) differently from every other type of traffic.

If a firewall policy is configured with an FSSO group and its action is set to deny, then regardless of whether ALL or DNS is specified as the service, all traffic initiated from the source addresses matched by that deny FSSO firewall policy will eventually be blocked, because the DNS lookups those hosts depend on are dropped.

This includes all sources, whether authenticated or unauthenticated users.

This is by design in FSSO: DNS must be matched by a policy placed ahead of the first FSSO firewall policy, especially when that policy's action is deny.

The proposed workaround is as follows:
  • Allow DNS traffic in a policy placed ahead of the deny FSSO firewall policy.
  • Negate the DNS service on the deny firewall policy (so that it processes all traffic except DNS) with the command "set service-negate enable", as in the following configuration:
config firewall policy
    edit 2
        set action deny
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS"
        set service-negate enable
        set fsso enable
        set groups "SSO_Block_Group"
    next
end

With service-negate enabled, the deny FSSO policy processes all types of traffic except DNS, and DNS traffic is handled by the allow policy placed ahead of it, so name resolution keeps working for authenticated and unauthenticated users alike.
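To make the ordering and service-negate behaviour concrete, here is an added toy policy evaluator; it is example code written for this article, not FortiOS code, and its policy table, FSSO-group matching and the rule that DNS reaching a deny FSSO policy is blocked for every source are simplified assumptions modeled on the text above. It compares the original table (deny FSSO policy matching DNS, then allow-all) with the workaround table (allow DNS first, then the deny FSSO policy with service-negate).

```python
# Added example (not from the Fortinet article): a toy first-match policy
# evaluator that models the FSSO/DNS behaviour described in the text.
# The policy table, the FSSO-group matching and the "DNS hitting a deny FSSO
# policy is blocked for every source" rule are simplified assumptions.
from dataclasses import dataclass

DNS = ("udp", 53)


@dataclass(frozen=True)
class Policy:
    policyid: int
    action: str                  # "accept" or "deny"
    services: frozenset          # {("udp", 53), ...} or {"ALL"}
    fsso: bool = False           # policy carries an FSSO group
    service_negate: bool = False

    def matches_service(self, proto: str, port: int) -> bool:
        hit = "ALL" in self.services or (proto, port) in self.services
        # service-negate inverts the match: "all services except these"
        return (not hit) if self.service_negate else hit


def evaluate(policies, proto, port, authenticated):
    """Return (action, policyid) of the first policy that decides the flow."""
    for p in policies:
        if not p.matches_service(proto, port):
            continue
        if p.fsso and p.action == "deny" and (proto, port) == DNS:
            # Assumption modeled on the article: DNS that reaches a deny FSSO
            # policy is blocked whether or not the user is authenticated.
            return ("deny", p.policyid)
        if p.fsso and not authenticated:
            # Unauthenticated source is in no FSSO group: no match, keep going.
            continue
        return (p.action, p.policyid)
    return ("deny", 0)  # implicit deny at the end of the table


def original_table():
    # Policy 2 denies the FSSO group for the DNS service; allow-all follows.
    return [
        Policy(2, "deny", frozenset({DNS}), fsso=True),
        Policy(3, "accept", frozenset({"ALL"})),
    ]


def workaround_table():
    # Policy 1 allows DNS ahead of the FSSO policy; policy 2 negates DNS,
    # so it processes every service except DNS.
    return [
        Policy(1, "accept", frozenset({DNS})),
        Policy(2, "deny", frozenset({DNS}), fsso=True, service_negate=True),
        Policy(3, "accept", frozenset({"ALL"})),
    ]


if __name__ == "__main__":
    for name, table in (("original", original_table()),
                        ("workaround", workaround_table())):
        for auth in (False, True):
            print(name, "dns", "auth" if auth else "unauth",
                  evaluate(table, "udp", 53, auth))
            print(name, "https", "auth" if auth else "unauth",
                  evaluate(table, "tcp", 443, auth))
```

Running it shows DNS denied for both authenticated and unauthenticated users under the original table, while the workaround table lets DNS through on policy 1 for everyone and still denies the blocked FSSO group's other traffic on policy 2.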