Description | This article explains the behavior observed when mixed firewall policies (some with an LDAP user group defined in the source section, some without) are used for firewall authentication. |
Scope | FortiGate, LDAP authentication. |
Solution |
1) The user group (Block) is a remote group whose member is the LDAP server.
2) Three firewall policies are defined for the same source interface (port9), source address (all), destination and service, with TEMP above test in the policy table:
- TEMP: DENY traffic from the Block group.
- test: ALLOW traffic from the Block group.
- www: ALLOW traffic with no user group.
3) Behaviors:
3.1) New traffic from port9 does not match the 'TEMP' or 'test' policy at first: both require a known user (a member of Grp_None_Internet, the Block group of step 1) in addition to the source IP address (all), and the session is not yet authenticated. Because the 'www' policy can match the same traffic without any user, the FortiGate does not prompt for credentials and the traffic matches 'www', which allows it to the Internet.
Observed behavior: users can still reach the Internet even though a DENY policy (TEMP) exists for their group, because that policy is never evaluated for an unauthenticated session.
3.2) When 'www' is disabled, the user receives a login prompt, because every remaining policy that could match the source IP ('TEMP' and 'test') has authentication enabled.
Observed behavior: if the user authenticates successfully, the account appears in the User Dashboard, the traffic matches the 'TEMP' policy (it is above 'test' and the user belongs to its group), and the user does not get Internet access.
4) Workaround (how it should be configured):
4.1) Create a new LDAP user group for the users that are allowed to reach the Internet.
4.2) Reference that group in the ALLOW firewall policy, so that users must enter their credentials to get Internet access; do not attach the group to a DENY policy.
4.3) A user who fails to authenticate does not get Internet access.
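As an added worked example (not from the original article and not FortiOS code), the following Python script models the policy-matching behavior described in sections 3 and 4: an unauthenticated session is never prompted while some candidate policy matches without a user, it is prompted only when all candidate policies require a user, and an authenticated session is then matched top-down by group membership. The policy names (TEMP, test, www), the group name Block, the allow group name Allow_Internet, the user accounts alice and bob and their passwords are constructed for the example; the article does not name the allow group or any users.

```python
"""Toy model of the FortiGate policy-matching behavior described above.

Simplified on purpose: every policy has the same source interface (port9),
source/destination address (all) and service, exactly as in the article, so
the only dimensions left are policy order, enabled/disabled, action, and the
user group attached to the policy.  This is an illustration, not FortiOS code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                      # "accept" or "deny"
    groups: frozenset = frozenset()  # empty means no authentication required
    enabled: bool = True

    def requires_auth(self) -> bool:
        return bool(self.groups)


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


# Constructed stand-in for the LDAP directory (no real LDAP query is made).
DIRECTORY = {
    "alice": ("alice-pw", frozenset({"Block"})),
    "bob":   ("bob-pw",   frozenset({"Allow_Internet"})),
}


def ldap_login(username: str, password: str) -> Optional[User]:
    """Active authentication: the user must supply credentials; None on failure."""
    entry = DIRECTORY.get(username)
    if entry is None or entry[0] != password:
        return None
    return User(username, entry[1])


def evaluate(policies, user: Optional[User]) -> Tuple[str, Optional[str]]:
    """Return (outcome, policy_name) for one new session from port9.

    outcome is one of "accept", "deny", "auth-prompt", "implicit-deny".
    """
    candidates = [p for p in policies if p.enabled]
    if user is None:
        # 3.1: an unauthenticated session is not prompted while any candidate
        # policy can match without a user; the first such policy wins.
        for p in candidates:
            if not p.requires_auth():
                return p.action, p.name
        # 3.2: every candidate needs a user, so the firewall asks for credentials.
        return ("auth-prompt", None) if candidates else ("implicit-deny", None)
    # Authenticated session: top-down; a policy carrying groups matches only
    # if the user is a member of at least one of them.
    for p in candidates:
        if p.requires_auth() and not (p.groups & user.groups):
            continue
        return p.action, p.name
    return "implicit-deny", None


# Sections 2 and 3: the mixed policy set, TEMP above test above www.
ORIGINAL = (
    Policy("TEMP", "deny",   frozenset({"Block"})),
    Policy("test", "accept", frozenset({"Block"})),
    Policy("www",  "accept"),
)
WWW_DISABLED = tuple(
    Policy(p.name, p.action, p.groups, enabled=(p.name != "www")) for p in ORIGINAL
)
# Section 4: a single ACCEPT policy that requires membership of an allow group
# ("Allow_Internet" is an assumed name; the article does not name the group).
WORKAROUND = (Policy("Internet", "accept", frozenset({"Allow_Internet"})),)


def walk_through(policies, username, password):
    """What a client session sees: try unauthenticated, then log in if prompted."""
    outcome, name = evaluate(policies, None)
    if outcome != "auth-prompt":
        return outcome, name, None
    user = ldap_login(username, password)
    if user is None:
        return "auth-prompt", None, "login failed"   # still no access
    outcome, name = evaluate(policies, user)
    return outcome, name, user.name


if __name__ == "__main__":
    print("3.1 www enabled, no prompt:      ", walk_through(ORIGINAL, "alice", "alice-pw"))
    print("3.2 www disabled, alice in Block:", walk_through(WWW_DISABLED, "alice", "alice-pw"))
    print("4   workaround, bob allowed:     ", walk_through(WORKAROUND, "bob", "bob-pw"))
    print("4   workaround, wrong password:  ", walk_through(WORKAROUND, "bob", "nope"))
    print("4   workaround, alice not member:", walk_through(WORKAROUND, "alice", "alice-pw"))
```

Running the script reproduces the three situations of the article: with 'www' enabled the session is allowed without ever seeing the DENY policy, with 'www' disabled the same user is prompted and then denied by 'TEMP', and with the workaround only a member of the allow group who authenticates successfully gets access, while a failed login or a non-member ends in no access.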
Notes:
- LDAP is an active authentication method: users must enter their credentials to authenticate to the FortiGate.
- FSSO is a passive authentication method: users do NOT need to enter credentials, because the FortiGate learns the user-to-IP mapping from the domain logon.
- If users should not be asked for credentials to get access to resources, use FSSO (passive authentication) instead.
- With LDAP authentication only, it makes more sense to require credentials in order to grant access than to require credentials only to be blocked: an unauthenticated user simply matches a policy that does not need authentication, as shown in 3.1. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.