FortiGate
ESCHAN_FTNT
Staff
Article Id 192567

Description

 

This article describes how, from FortiOS 6.2, administrators can force firewall authentication to always take place instead of letting unauthenticated traffic fall through to a later policy.

From FortiOS 5.2 onwards, user authentication policies use implicit fall-through: if a firewall policy without authentication sits below the authentication policies and also matches the traffic, an unauthenticated user matches that lower policy and is never prompted, even though an active authentication policy above it matches as well.

 

Scope

 

FortiGate.

Solution

 
By default, unauthenticated traffic is permitted to fall through to the next policy: FortiGate only forces an unauthenticated user to authenticate against the authentication policy when no later policy matches the traffic.
From FortiOS 6.2, administrators can force authentication to always take place.
 
To set the authentication requirement, use the following command:
 
config user setting
    set auth-on-demand <always|implicitly>
end
 
always - Always trigger firewall authentication on demand. Traffic that matches an authentication policy is prompted to authenticate even if a later policy without authentication would also match it. For example:

(Screenshot: authentication prompt)

implicitly (default) - Implicitly trigger firewall authentication on demand: unauthenticated traffic may fall through to a later matching policy that does not require authentication.
This is the default setting and the original behavior, and it remains the default in 7.0.x, 7.2.x, 7.4.x, and 7.6.

Example:

id 1: internal, (subnet1) ---> wan1, (all), service(all), has authentication.
id 2: internal, (subnet1) ---> wan1, (all), service(all), no authentication.

With auth-on-demand set to implicitly (the default), an unauthenticated user in subnet1 falls through to policy ID 2 and is never prompted.
With auth-on-demand set to always, the traffic will always match policy ID 1 and the user is prompted for authentication.
This setting is applied per VDOM, so it must be configured in each VDOM where it is needed.

 

Note:

Setting auth-on-demand to 'always' causes problems with passive authentication on FortiOS (RSSO, FSSO). In this scenario, the FortiGate will not allow the traffic to fall through to other passive authentication policies, so users whose identity is learned passively can fail to match the policy intended for them.

To check whether auth-on-demand is responsible for FSSO authentication failing, run the following diagnostics on the CLI:

diagnose debug flow filter clear
diagnose debug flow filter addr <client-ip-address>
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug console time enable
diagnose debug enable
diagnose debug flow trace start 100

 

Then generate traffic from the <client-ip-address> device that would match an FSSO policy, and check whether the following debug message appears:


id=65308 trace_id=13286 func=__iprope_user_identity_check line=1894 msg="ret-stop"

 

If a line containing both 'func=__iprope_user_identity_check' and 'msg="ret-stop"' is visible, auth-on-demand is preventing passive authentication from working as expected. Match on the func and msg values only: the id, trace_id and line values differ between firmware builds and between runs. To allow FSSO traffic to work as expected, set 'auth-on-demand' to 'implicitly'.
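As an added example (not part of the original article and not a Fortinet tool), the following Python script applies the check described above to saved 'diagnose debug flow' output: it groups lines by trace_id and reports every trace that contains both func=__iprope_user_identity_check and msg="ret-stop", together with the packet that trace belongs to. The sample output embedded in the script is constructed; only the ret-stop line is the one quoted above, and the surrounding lines approximate the debug flow format rather than reproducing a real capture.

```python
import re
from collections import defaultdict

# One 'diagnose debug flow' line is a run of key=value fields; the value is
# either a double-quoted string (which may contain spaces and '=') or a bare word.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Signature from the article: the identity check stopped the policy lookup
# instead of letting the traffic fall through to another (passive) policy.
STOP_FUNC = "__iprope_user_identity_check"
STOP_MSG = "ret-stop"

# Constructed sample output (not a real capture). The ret-stop line is the one
# quoted in the article; the other lines approximate the debug flow format for
# two connections from the same client, 10.10.1.25.
SAMPLE_DEBUG_OUTPUT = """\
id=65308 trace_id=13286 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 10.10.1.25:51022->203.0.113.10:443) tun_id=0.0.0.0 from internal. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=13286 func=init_ip_session_common line=5913 msg="allocate a new session-000a1b2c"
id=65308 trace_id=13286 func=__iprope_user_identity_check line=1894 msg="ret-stop"
id=65308 trace_id=13287 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 10.10.1.25:53412->203.0.113.53:53) tun_id=0.0.0.0 from internal. flag [.], seq 0, ack 0, win 0"
id=65308 trace_id=13287 func=init_ip_session_common line=5913 msg="allocate a new session-000a1b2d"
id=65308 trace_id=13287 func=fw_forward_handler line=814 msg="Allowed by Policy-2:"
"""


def parse_line(line):
    """Split one debug flow line into a dict of its key=value fields (quotes removed)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def group_by_trace(lines):
    """Group parsed lines by trace_id; each trace is one packet's walk through the flow."""
    traces = defaultdict(list)
    for raw in lines:
        fields = parse_line(raw.strip())
        if "trace_id" in fields:
            traces[fields["trace_id"]].append(fields)
    return traces


def identity_check_stopped(events):
    """True if any event in the trace is the ret-stop from the identity check."""
    return any(ev.get("func") == STOP_FUNC and ev.get("msg") == STOP_MSG for ev in events)


def find_stopped_traces(lines):
    """Return {trace_id: packet description} for every trace the identity check stopped.

    Only func and msg are compared: id, trace_id and line differ between
    firmware builds and between runs.
    """
    stopped = {}
    for trace_id, events in group_by_trace(lines).items():
        if identity_check_stopped(events):
            packet = next((ev["msg"] for ev in events if ev.get("func") == "print_pkt_detail"), "")
            stopped[trace_id] = packet
    return stopped


if __name__ == "__main__":
    hits = find_stopped_traces(SAMPLE_DEBUG_OUTPUT.splitlines())
    if hits:
        print("auth-on-demand 'always' is stopping passive authentication for:")
        for trace_id, packet in hits.items():
            print(f"  trace_id={trace_id}: {packet}")
        print("Fix: config user setting / set auth-on-demand implicitly / end")
    else:
        print("no identity-check ret-stop seen; look elsewhere for the FSSO failure")
```

Save the console output of the debug session to a file and pass its lines to find_stopped_traces(). Matching on func and msg only is deliberate, for the reason given above: the numeric fields are not stable across builds.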

 

Related articles:

Technical Tip: Implicit fall-through feature for user authentication policies in 5.2

Technical Tip: Active and passive authentication behavior

Technical Tip: A guide to FortiGate Authentication