FortiGate
Kraven2323 (Staff)
Article Id 221039
Description

This article shows the debug flow output seen when policy-based firewall authentication hits an FSSO or RSSO policy first.

This applies only when auth-on-demand is set to always.

Scope

Firewall policy: (screenshot of the firewall policy list, not reproduced here)


Force authentication policy to take precedence over IP policy:

 

# config user setting
    set auth-on-demand always <----- Always trigger firewall authentication on demand.
end

 

With auth-on-demand set to always, the policy list is checked from the top down until a policy that requires firewall authentication is hit.

In this case that is policy ID 7, which includes an FSSO user group.

However, FSSO is a passive single sign-on method that never presents an authentication portal, so no portal is displayed and the traffic is denied.

 

The debug flow will look as below:

 

id=20085 trace_id=6994 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=6, 10.234.1.225:50986->3.209.191.93:443) tun_id=0.0.0.0 from port2. flag [S], seq 1760010563, ack 0, win 8192"
id=20085 trace_id=6994 func=init_ip_session_common line=6042 msg="allocate a new session-00096bb9, tun_id=0.0.0.0"
id=20085 trace_id=6994 func=iprope_dnat_check line=5305 msg="in-[port2], out-[]"
id=20085 trace_id=6994 func=iprope_dnat_tree_check line=830 msg="len=0"
id=20085 trace_id=6994 func=iprope_dnat_check line=5317 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=6994 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.47.15.254 via port1"
id=20085 trace_id=6994 func=iprope_fwd_check line=789 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=6994 func=__iprope_tree_check line=549 msg="gnum-100004, use svc hash, slot=27, len=6"
id=20085 trace_id=6994 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-7, ret-matched, act-accept"
id=20085 trace_id=6994 func=__iprope_user_identity_check line=1818 msg="ret-stop"
id=20085 trace_id=6994 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-stop, act-drop, idx-0"
id=20085 trace_id=6994 func=iprope_fwd_auth_check line=845 msg="after iprope_captive_check(): is_captive-0, ret-stop, act-drop, idx-0"
id=20085 trace_id=6994 func=fw_forward_handler line=717 msg="Denied by forward policy check (policy 0)"

 

Results:

Denied by forward policy check (policy 0) - the authentication portal was not prompted for the user.

Solution

Specify a source IP address on the policies that use FSSO or RSSO, so that hosts outside that source range do not match them and fall through to the policy that prompts the authentication portal.
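To spot this failure pattern in a longer diagnose debug flow capture, the following added example (not part of the article or of any Fortinet tool) parses the records per trace_id and flags a trace in which a policy matched, __iprope_user_identity_check returned ret-stop and the packet was then denied by policy 0. The sample trace is constructed from the lines shown above; the regexes assume the debug flow line layout shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the lines of the trace above that the check relies on (one trace_id).
SAMPLE_DEBUG_FLOW = """
id=20085 trace_id=6994 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=6, 10.234.1.225:50986->3.209.191.93:443) tun_id=0.0.0.0 from port2. flag [S], seq 1760010563, ack 0, win 8192"
id=20085 trace_id=6994 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-7, ret-matched, act-accept"
id=20085 trace_id=6994 func=__iprope_user_identity_check line=1818 msg="ret-stop"
id=20085 trace_id=6994 func=fw_forward_handler line=717 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'^id=\d+ trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r"received a packet\(proto=\d+, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\)")
POLICY_RE = re.compile(r"checked gnum-\S+ policy-(?P<pid>\d+), ret-matched")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<pid>\d+)\)")

def parse_debug_flow(text):
    """Group (func, msg) records by trace_id; lines that are not debug flow records are skipped."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            traces[m["trace"]].append((m["func"], m["msg"]))
    return traces

def find_auth_on_demand_misses(text):
    """Return {trace_id: finding} for traces showing the pattern in the article:
    a policy matched, the user-identity check returned ret-stop, and the packet
    was finally denied by policy 0, i.e. no authentication portal was presented."""
    findings = {}
    for trace, records in parse_debug_flow(text).items():
        src = dst = matched = denied_by = None
        identity_stop = False
        for func, msg in records:
            if m := PKT_RE.search(msg):
                src, dst = m["src"], m["dst"]
            elif m := POLICY_RE.search(msg):
                matched = int(m["pid"])  # last policy reported as matched
            elif func == "__iprope_user_identity_check" and "ret-stop" in msg:
                identity_stop = True
            elif m := DENY_RE.search(msg):
                denied_by = int(m["pid"])
        if matched is not None and identity_stop and denied_by == 0:
            findings[trace] = {
                "src": src, "dst": dst, "stuck_on_policy": matched,
                "hint": (f"{src} matched policy {matched} first but the user-identity check stopped "
                         "without a portal; if that policy uses FSSO/RSSO, restrict its source address"),
            }
    return findings
```

Feed it the full output of diagnose debug flow; traces that reach an active-authentication policy or are accepted outright are not reported.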