FortiGate
akanibek
Staff
Article Id 359324
Description This article describes why and how FortiGate creates a 'guest' user, a member of 'SSO_Guest_Users'.
Scope FortiGate v7.0.x and all newer branches.
Solution

FortiGate generates a logon event for a 'guest' user (a member of SSO_Guest_Users) only when all three of the following conditions are met:

  1. The source IP is unauthenticated.
  2. The traffic does not match any policy that requires no authentication.
  3. The traffic matches a policy that includes SSO_Guest_Users (and otherwise matches on IPs, ports, interfaces, etc.).

This logon event can cause a logged-on FSSO user's traffic to be matched to the wrong firewall policy, because the FortiGate keeps both sessions: the 'guest' user and the real FSSO user.

For example, applications running in the background generate traffic toward public IPs (antivirus updates, browsers, etc.), so the 'guest' user can appear as soon as the host is powered on. Later, a domain user logs on to the workstation and generates an FSSO logon event. As a result, FortiGate keeps both user sessions.

 

Example 1:

  1. The IP address of the workstation comes from the LAN (port1) interface - 172.20.10.5/24.
  2. There are no policies other than 'LAN-To-Internet'.
  3. That policy includes 'SSO_Guest_Users'.

[Image: FirewallPolicy-GUest group enabled.png]

To demonstrate the behavior, the existing 'guest' user was de-authenticated and the workstation was rebooted.

As a result, some applications generated traffic and the 'guest' user was populated again. The gap in the outputs below corresponds to the host rebooting:

[Image: diagSniffer.png]

[Image: FSSO_GUestUser.png]

Example 2:

The user is a member of the 'CN=GR-001' FSSO group. After the user logs in to the workstation, there are two logon events:

[Image: FSSO_aduser03.png]

Example 3 (solution):

  1. Ensure there is no 'SSO_Guest_Users' group in the firewall policy:

[Image: FirewallPol-No_Guest_User_Gr.png]

  2. Clear any logon events associated with the IP address:

[Image: LogonUsers_Filtered.png]

  3. After restarting the workstation, the domain user is logged on with a latency of 2–3 minutes, and there is no 'guest' user logon event anymore:

[Image: NoGUEST USER.png]
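As an added illustration, not taken from the original article or from Fortinet's documentation, the following FortiOS CLI fragment shows a policy configuration of the kind that triggers the 'guest' logon described in the three conditions above and in Example 1, next to the corrected policy from Example 3, followed by the diagnostic commands used to inspect and clear logon events for the workstation. The policy ID 1, the interface 'wan1' and the FSSO-type user group 'FSSO-GR-001' (assumed to already exist and to contain the 'CN=GR-001' group) are assumptions; the IP 172.20.10.5, the interface port1 and the policy name 'LAN-To-Internet' come from the article.

```fortios
# Policy as in Example 1 (assumed policy ID 1): SSO_Guest_Users is in the group
# list, so an unauthenticated host on port1 whose traffic matches this policy
# is recorded as a 'guest' user logon, and a later FSSO logon for the same IP
# leaves both sessions in place.
config firewall policy
    edit 1
        set name "LAN-To-Internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSO_Guest_Users" "FSSO-GR-001"
        set nat enable
    next
end

# Corrected policy (Example 3, step 1): only the FSSO user group remains.
# 'set groups' replaces the whole list, so SSO_Guest_Users is dropped and
# unauthenticated hosts no longer generate a 'guest' logon through this policy.
config firewall policy
    edit 1
        set groups "FSSO-GR-001"
    next
end

# Example 3, step 2: list the current FSSO logon users; both the 'guest' entry
# and the domain user show up here when the problem is present.
diagnose debug authd fsso list

# Limit the FSSO logon scope to the workstation's IP, clear its logon events,
# then remove the filter again so later commands are not restricted.
diagnose debug authd fsso filter source 172.20.10.5
diagnose debug authd fsso clear-logons
diagnose debug authd fsso filter clear

# Confirm the IP no longer appears among authenticated firewall users.
diagnose firewall auth list

# Example 3, step 3: watch traffic from the workstation while it reboots
# (verbose level 4 shows interface names, count 0 = unlimited, 'l' = local time).
diagnose sniffer packet port1 'host 172.20.10.5' 4 0 l
```

Running the sniffer while the host boots is what produces the kind of output shown in Example 1: background traffic appears first, and with the corrected policy it is no longer turned into a 'guest' logon, so only the domain user's FSSO logon event remains once it arrives a few minutes later.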

 

Related articles:

Technical Note: Details about 'FSSO Guest Users'

Technical Note: Unauthenticated users are not identified as 'guest'