FortiGate
hhasny
Staff
Article Id 287319
Description

This article discusses the scenario where users do not match a firewall policy that has active authentication.
Scope

Active authentication means that users are prompted to manually enter their credentials before being granted access.

When active authentication policies are mixed with non-active authentication policies, users match the non-authentication policy instead by default.

 

[Screenshot: Firewall Policy with Non Active Auth]

Solution

There are two options to force authentication for these policies. The first option is to configure authentication on each policy as seen below:

 

[Screenshot: Firewall Policy with All Active Auth]

 

The second option is to configure the following setting to force the authentication whenever an authentication policy is present:

 

config user setting
    set auth-on-demand always
end


This would enable the configuration seen in the first screenshot to work as-is.
More details on this option can be seen here: Technical Tip: Active authentication firewall policy fall-through changes.
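
An added example (not from the article or from Fortinet): a Python check over a configuration backup that lists interface pairs where a policy with `groups` or `users` sits alongside one without, unless `auth-on-demand` is set to `always`. The sample config, the group name `web-users`, and the simplification of comparing only `srcintf`/`dstintf` in flat `config` sections are assumptions.

```python
from collections import defaultdict

# Constructed sample backup (not from the article); "web-users" is a hypothetical group.
SAMPLE = """\
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set groups "web-users"
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
    next
end
"""
FIXED = "config user setting\n    set auth-on-demand always\nend\n" + SAMPLE

def parse(cfg):
    """Return (auth-on-demand value or None, policy dicts). Assumes flat config sections."""
    mode, pols, cur, top = None, [], None, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("config ") and top is None:
            top = line[7:]
        elif line == "end" and cur is None:
            top = None
        elif top == "user setting" and line.startswith("set auth-on-demand "):
            mode = line.split()[2]
        elif top == "firewall policy":
            if line.startswith("edit "):
                cur = {"id": line.split()[1]}
            elif line == "next" and cur is not None:
                pols.append(cur)
                cur = None
            elif line.startswith("set ") and cur is not None:
                _, key, *val = line.split(None, 2)
                cur[key] = val[0].strip('"') if val else ""
    return mode, pols

def fall_through(cfg):
    """List ((srcintf, dstintf), auth policy ids, no-auth policy ids) that can be bypassed."""
    mode, pols = parse(cfg)
    if mode == "always":
        return []  # authentication is forced whenever an authentication policy is present
    paths = defaultdict(lambda: {"auth": [], "open": []})
    for p in pols:
        kind = "auth" if ("groups" in p or "users" in p) else "open"
        paths[(p.get("srcintf"), p.get("dstintf"))][kind].append(p["id"])
    return [(k, v["auth"], v["open"]) for k, v in paths.items() if v["auth"] and v["open"]]
```

Calling `fall_through()` on the text of a backup returns an empty list when either option from the article is in place.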