FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

This article shows the output of the debug flow when policy based firewall authentication hitting FSSO or RSSO policy first.

This applies only when auth-on-demand is set to always.


Firewall policy:




Force authentication policy to take precedence over IP policy:


# config user setting
    set auth-on-demand always <----- Always trigger firewall authentication on demand.


With auth-on-demand, the policy will be checked from top-down until it hits a policy with firewall authentication is needed.

In this case, policy ID 7, where FSSO is included.


However, as FSSO does not prompt auth portal. Authentication portal will fail to prompt.


The debug flow will look as below:


id=20085 trace_id=6994 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=6,> tun_id= from port2. flag [S], seq 1760010563, ack 0, win 8192"

id=20085 trace_id=6994 func=init_ip_session_common line=6042 msg="allocate a new session-00096bb9, tun_id="

id=20085 trace_id=6994 func=iprope_dnat_check line=5305 msg="in-[port2], out-[]"

id=20085 trace_id=6994 func=iprope_dnat_tree_check line=830 msg="len=0"

id=20085 trace_id=6994 func=iprope_dnat_check line=5317 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"

id=20085 trace_id=6994 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw- via port1"

id=20085 trace_id=6994 func=iprope_fwd_check line=789 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"

id=20085 trace_id=6994 func=__iprope_tree_check line=549 msg="gnum-100004, use svc hash, slot=27, len=6"

id=20085 trace_id=6994 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-7, ret-matched, act-accept"

id=20085 trace_id=6994 func=__iprope_user_identity_check line=1818 msg="ret-stop"

id=20085 trace_id=6994 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-stop, act-drop, idx-0"

id=20085 trace_id=6994 func=iprope_fwd_auth_check line=845 msg="after iprope_captive_check(): is_captive-0, ret-stop, act-drop, idx-0"

id=20085 trace_id=6994 func=fw_forward_handler line=717 msg="Denied by forward policy check (policy 0)"



Denied by forward policy check (policy 0) – Authentication portal did not prompt for the user.

Solution Specify source IP on the policy that are using FSSO or RSSO.