fquerzo_FTNT
Staff
Article Id 198731
Description
This article explains why a policy lower in the policy list is sometimes matched instead of the one expected above it.

It is a relatively common issue that a policy other than the expected one is hit. In most cases the design worked in the v5.0 release but does not work in v5.2. This is often because the policy design changed significantly in v5.2 and the implicit fall-through feature for user authentication policies was overlooked.

Scope
Identity-based policies.

Solution
Since FortiOS v5.2, user authentication policies with an active authentication method have an implicit fall-through feature: policy matching falls through to a policy lower in the list that can also match the traffic. In other words, the first user policy matched in the policy list on the standard policy criteria is not the only policy that can be matched.
To illustrate implicit fall-through, consider a FortiOS v5.2.0 policy list consisting of the following two policies:

id 1: internal, (subnet1) ---> wan1, (all), service(all), has authentication
id 2: internal, (subnet1) ---> wan1, (all), service(all), no authentication

Since both policies have the same matching criteria, the fall-through feature matches the traffic with policy 2. The result of this policy list is that no user would ever see a firewall authentication prompt.

This is not the intention of the fall-through feature, but a policy list like this can be created unintentionally, especially after a firmware upgrade, since this configuration was acceptable for FortiOS v5.2.0.

Fall-through is intended to match users in different user groups with different policies. For example, consider an organization with two user groups where user group A requires a web filtering profile and user group B requires virus scanning. The following policy list could be set up:

id 1: internal, (subnet1) ---> wan1, (all), service(all), user group A, Web Filtering profile
id 2: internal, (subnet1) ---> wan1, (all), service(all), user group B, Antivirus profile

In this configuration, all users from subnet1 will see an authentication prompt.
If the user is found in user group A the traffic is accepted by policy 1 and is filtered by the Web Filtering profile.
If the user is found in user group B the traffic is accepted by policy 2 and is virus scanned.

The fall-through feature is required for users to be matched with policy 2. Without fall-through, traffic would never be matched with policy 2.
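To make the matching behaviour concrete, the following is an added Python model of both policy lists above; it is an illustration written for this article, not FortiOS code, and the field names, the concrete subnet behind "subnet1", the group names and the profile labels are assumptions. It also shows what happens with fall-through switched off, which the article describes only in words.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of FortiOS 5.2 policy matching with implicit fall-through.
# Not FortiOS code: field names, "subnet1" and the group names are assumptions.
@dataclass
class Policy:
    id: int
    srcintf: str
    srcaddr: str                           # CIDR, or "all"
    dstintf: str
    service: str                           # "all" or one service name
    groups: frozenset = frozenset()        # empty = no authentication
    profile: str = ""                      # security profile applied on accept

    def matches_traffic(self, srcintf, srcip, dstintf, service):
        # standard (non-identity) policy criteria only
        return (self.srcintf == srcintf and self.dstintf == dstintf
                and self.service in ("all", service)
                and (self.srcaddr == "all"
                     or ip_address(srcip) in ip_network(self.srcaddr)))

def match(policies, srcintf, srcip, dstintf, service,
          user_groups=None, fall_through=True):
    """Return (accepting policy or None, whether an auth prompt is shown).
    Without fall-through only the first policy matching the standard criteria
    counts; with it every lower matching policy is a candidate too. A candidate
    without authentication accepts with no prompt; otherwise the user is
    prompted and the first candidate holding one of the user's groups accepts."""
    candidates = [p for p in policies
                  if p.matches_traffic(srcintf, srcip, dstintf, service)]
    if not candidates:
        return None, False
    if not fall_through:
        candidates = candidates[:1]
    for p in candidates:                   # any non-auth candidate: no prompt
        if not p.groups:
            return p, False
    if not user_groups:                    # prompt shown, not yet authenticated
        return None, True
    for p in candidates:
        if p.groups & user_groups:
            return p, True
    return None, True                      # authenticated, but no group matched

SUBNET1 = "10.0.1.0/24"                    # constructed value for "subnet1"
unintended = [Policy(1, "internal", SUBNET1, "wan1", "all", frozenset({"G"})),
              Policy(2, "internal", SUBNET1, "wan1", "all")]
intended = [Policy(1, "internal", SUBNET1, "wan1", "all", frozenset({"A"}), "webfilter"),
            Policy(2, "internal", SUBNET1, "wan1", "all", frozenset({"B"}), "antivirus")]
```

Running `match(unintended, "internal", "10.0.1.5", "wan1", "http")` returns policy 2 with no prompt, while the `intended` list prompts and then selects policy 1 or 2 by group; with `fall_through=False` a group B user is never matched with policy 2.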
