Description
This article describes an issue that can occur when multiple firewall policies require user authentication and traffic matching one of them is dropped by FortiGate.
Scope: FortiGate, FortiOS.
Explanation
There are two policies configured and both are using user authentication.
# config firewall policy set logtraffic all
# config firewall policy edit 101
After the user is authenticated, the entry shows up as follows:
FGT-A # diagnose firewall auth list 10.1.1.150, test_user
The traffic works when using the first policy but fails when using the second policy.
Solution
Capture the packets for both paths and review them in Wireshark, comparing the MAC address in each capture with the MAC address recorded for the user in the auth list.
Captures when accessing INT-1 --> INT-2 traffic:
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
The MAC address matches the MAC address of the user in the auth list.
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
The MAC address does not match the MAC address of the user in the auth list, which causes the authentication failure and the traffic drops.
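The comparison above (auth-list MAC versus the MAC seen in the capture) can be automated once the two data sets are in hand. The following is an added example, not code from the Fortinet article or from FortiOS: the auth-list line format and the frame tuples are constructed for the example and do not mirror real FortiOS or Wireshark output, so adapt the parsing to whatever you export.

```python
# Added example: correlate the MAC recorded for an authenticated user with the
# MAC actually seen in a packet capture, to locate the mismatch that makes
# FortiGate drop traffic on an authenticated policy.
# Input formats are constructed for this example, not FortiOS output.
import re

MAC_RE = re.compile(r"^" + r"([0-9a-f]{2})[:-]?" * 5 + r"([0-9a-f]{2})$")

def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return colon form."""
    m = MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(m.groups())

def parse_auth_list(text: str) -> dict:
    """Parse constructed lines 'ip, user, mac' into {ip: (user, mac)}."""
    entries = {}
    for line in text.strip().splitlines():
        ip, user, mac = [field.strip() for field in line.split(",")]
        entries[ip] = (user, normalize_mac(mac))
    return entries

def check_frames(auth: dict, frames: list) -> list:
    """Return (label, src_ip, status) per frame: match, mismatch or unauthenticated."""
    findings = []
    for src_ip, src_mac, label in frames:
        entry = auth.get(src_ip)
        if entry is None:
            findings.append((label, src_ip, "unauthenticated"))
            continue
        _user, auth_mac = entry
        seen = normalize_mac(src_mac)
        status = "match" if seen == auth_mac else f"mismatch (auth list has {auth_mac})"
        findings.append((label, src_ip, status))
    return findings

# Constructed sample data: one authenticated user, one frame per policy path.
AUTH_LIST = "10.1.1.150, test_user, 00:11:22:33:44:55\n"
FRAMES = [
    ("10.1.1.150", "00:11:22:33:44:55", "first policy (INT-1 --> INT-2)"),
    ("10.1.1.150", "00-11-22-33-44-66", "second policy (constructed path)"),
]

if __name__ == "__main__":
    for label, ip, status in check_frames(parse_auth_list(AUTH_LIST), FRAMES):
        print(f"{label}: {ip} -> {status}")
```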
Copyright 2024 Fortinet, Inc. All Rights Reserved.