Since FortiOS v5.2, user authentication policies with an active authentication method have an implicit fall-through feature: policy matching can fall through to a policy lower in the list that also matches the traffic. In other words, the first user policy matched in the policy list, based on standard policy criteria, is not the only policy that can be matched.
To illustrate implicit fall-through, consider a FortiOS v5.2.0 policy list consisting of the following two policies:
id 1: internal, (subnet1) ---> wan1, (all), service(all), has authentication
id 2: internal, (subnet1) ---> wan1, (all), service(all), no authentication
Since both policies have the same policy matching criteria, the fall-through feature matches traffic with policy 2. The result of this policy list would be that no user would ever see a firewall authentication prompt.
This is not the intention of the fall-through feature, but a policy list like this could be created unintentionally, especially after a firmware upgrade, since this configuration was acceptable in FortiOS v5.2.0.
Fall-through is intended to match users in different user groups with different policies. For example, consider an organization with two user groups where user group A requires a web filtering profile and user group B requires virus scanning. The following policy list could be set up:
id 1: internal, (subnet1) ---> wan1, (all), service(all), user group A, Web Filtering profile
id 2: internal, (subnet1) ---> wan1, (all), service(all), user group B, Antivirus profile
In this configuration, all users from subnet1 will see an authentication prompt.
If the user is found in user group A the traffic is accepted by policy 1 and is filtered by the Web Filtering profile.
If the user is found in user group B the traffic is accepted by policy 2 and is virus scanned.
The fall-through feature is required for users to be matched with policy 2. Without fall-through, traffic would never be matched with policy 2.
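To make the two behaviours above concrete, the following Python model (an added example, not Fortinet's code) simulates the matching rules the article describes: standard criteria select the candidate policies, and with fall-through enabled an earlier authentication policy can hand traffic to a later matching policy. It also includes a small lint, `unintended_fall_through`, that flags the first (unintended) pattern, an authentication policy followed by a policy without authentication that matches all of the same traffic, which is the configuration a firmware upgrade could leave behind. The `Policy` and `Flow` types, the group names and the address values are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Constructed model of a firewall policy (not FortiOS's own data model)."""
    id: int
    srcintf: str
    srcaddr: str
    dstintf: str
    dstaddr: str
    service: str
    groups: frozenset = frozenset()  # empty = no authentication on this policy
    profile: Optional[str] = None    # e.g. "webfilter" / "antivirus", informational


@dataclass(frozen=True)
class Flow:
    srcintf: str
    srcaddr: str      # address object the packet's source resolved to
    dstintf: str
    dstaddr: str
    service: str


def _wild_match(policy_value: str, flow_value: str) -> bool:
    return policy_value == "all" or policy_value == flow_value


def criteria_match(p: Policy, f: Flow) -> bool:
    """Standard policy matching: interfaces, addresses and service only."""
    return (p.srcintf == f.srcintf and p.dstintf == f.dstintf
            and _wild_match(p.srcaddr, f.srcaddr)
            and _wild_match(p.dstaddr, f.dstaddr)
            and _wild_match(p.service, f.service))


def match(policies: List[Policy], flow: Flow, user_groups: Iterable[str] = (),
          fall_through: bool = True) -> Tuple[Optional[int], bool]:
    """Return (accepting policy id or None, whether the user was prompted)."""
    candidates = [p for p in policies if criteria_match(p, flow)]
    if not candidates:
        return None, False
    first = candidates[0]
    if not first.groups:                 # plain policy: first match wins, no prompt
        return first.id, False
    if fall_through:
        # v5.2 behaviour: a later matching policy without authentication
        # absorbs the traffic before any prompt is shown.
        for p in candidates[1:]:
            if not p.groups:
                return p.id, False
    # Authentication is required: the user is prompted and then placed
    # into the policy whose user group contains them.
    groups = set(user_groups)
    to_try = candidates if fall_through else [first]
    for p in to_try:
        if p.groups & groups:
            return p.id, True
    return None, True                    # prompted, but no policy accepts the user


def _covers(outer: Policy, inner: Policy) -> bool:
    """True if every flow matching `inner` by standard criteria also matches `outer`."""
    return (outer.srcintf == inner.srcintf and outer.dstintf == inner.dstintf
            and outer.srcaddr in ("all", inner.srcaddr)
            and outer.dstaddr in ("all", inner.dstaddr)
            and outer.service in ("all", inner.service))


def unintended_fall_through(policies: List[Policy]) -> List[Tuple[int, int]]:
    """Return (auth_policy_id, shadowing_policy_id) pairs: an authentication
    policy followed by a policy without authentication that matches all of
    its traffic, so the authentication prompt can never be shown."""
    findings = []
    for i, p in enumerate(policies):
        if not p.groups:
            continue
        for q in policies[i + 1:]:
            if not q.groups and _covers(q, p):
                findings.append((p.id, q.id))
                break
    return findings


# Constructed policy lists mirroring the two examples in the article.
MISCONFIGURED = [
    Policy(1, "internal", "subnet1", "wan1", "all", "all", frozenset({"A", "B"})),
    Policy(2, "internal", "subnet1", "wan1", "all", "all"),
]
INTENDED = [
    Policy(1, "internal", "subnet1", "wan1", "all", "all", frozenset({"A"}), "webfilter"),
    Policy(2, "internal", "subnet1", "wan1", "all", "all", frozenset({"B"}), "antivirus"),
]
FLOW = Flow("internal", "subnet1", "wan1", "203.0.113.10", "HTTP")

if __name__ == "__main__":
    print(match(MISCONFIGURED, FLOW, {"A"}))               # (2, False): never prompted
    print(unintended_fall_through(MISCONFIGURED))          # [(1, 2)]
    print(match(INTENDED, FLOW, {"A"}))                    # (1, True)
    print(match(INTENDED, FLOW, {"B"}))                    # (2, True)
    print(match(INTENDED, FLOW, {"B"}, fall_through=False))  # (None, True)
```

The lint is deliberately conservative: it only reports a later policy whose criteria fully cover the earlier authentication policy, because that is the case in which no user can ever be prompted. Running it against a policy export after an upgrade is the check a reviewer would want before assuming the authentication prompts still appear.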
Copyright 2024 Fortinet, Inc. All Rights Reserved.