FortiGate populates, and generates a 'guest' user (member of SSO_Guest_Users) logon event, if all three clauses are matched consequently:

1. If an IP is unauthenticated.
2. If it does not match any policy with no auth.
3. If there is a policy with SSO_Guest_Users (which otherwise matches - IPs, ports, interfaces, etc.).

This logon event could lead to mismatching logged-on FSSO user's traffic to the appropriate firewall policy, since the FortiGate keeps both users' sessions - guest user, and proper FSSO user.

For example, each application in the backend generates traffic towards public IPs (anti-viruses, browsers, etc), it means this 'guest' user could appear immediately once the host is turned on. Later, a domain user logs on to the workstation and generates FSSO logon event. As a result, FortiGate will keep both users sessions.

Example 1:

1. The IP address of the workstation comes from the LAN (port1) interface - 172.20.10.5/24.
2. There are no other policies, other than 'LAN-To-Internet'.
3. There is a policy with 'SSO_Guest_Users'.

To demonstrate the behavior, the 'guest' user was unauthenticated, and the workstation rebooted.

As a result, some applications generated traffic, and the guest user was populated. A gap in the outputs below was created during the rebooting of the host:

Example 2:

The user is a member of the 'CN=GR-001' FSSO group. After logging in to the workstation, there are two logon events:

Example 3: 'solution':

1. There is no 'SSO_Guest_Users' group in the firewall policy:

2. Clear any logon events associated with the IP address:

3. After restarting the workstation, the domain user was logged on with a latency of 2–3 minutes. There is no 'guest' user logon event anymore:

Related articles:

Technical Note : Details about 'FSSO Guest Users'

Technical Note: Unauthenticated users are not identified as 'guest'