Tsug_
New Contributor

Fsso and Mixed Policies Firewall Authentication

I have a question about reading the firewall rules.

If I have a FSSO rule with an AD "Basic" group and origin all, and BELOW I have a BYPASS rule "all all", which rule will the traffic from the user authenticated by FSSO in the "Basic" group match?

Is there any documentation that explains this?

Also, if I add an LDAP group to this same FSSO rule, would the behavior be the same?

6 REPLIES
Jean-Philippe_P
Moderator

Hello Tsug_,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Jean-Philippe - Fortinet Community Team
jhussain_FTNT

Hi,

If there is a policy without authentication, the firewall will first select the policy without authentication configured to allow the traffic, even though the policy with authentication is on top. Kindly refer to the document below.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-User-based-policy-not-working/ta-p/198282

Regards,

Jamal Hussain

Tsug_

And with FSSO, is it the same behavior?

ebilcari

Yes, if the traffic is allowed by another policy it will not match. More details are also shown in this article (same with active or passive authentication).

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Severo
New Contributor II

In FortiGate firewalls, policies are evaluated sequentially from top to bottom. When a user's traffic matches a policy, that policy is applied, and subsequent policies are not considered.

In your scenario, if a policy that specifically allows traffic for users in the "Basic" Active Directory group via Fortinet Single Sign-On (FSSO) is positioned above a general "all-all" bypass policy, traffic from authenticated users in the "Basic" group will match the FSSO policy first. This means the specific FSSO policy will be applied to their traffic, and the more general bypass policy will not be evaluated for these users. Regarding the inclusion of an LDAP group in the same FSSO policy, FortiGate supports integrating LDAP with FSSO to enhance user authentication and group management. By configuring LDAP servers and defining user groups, you can create policies that apply to users authenticated through both FSSO and LDAP.

hpenmetsa
Staff

Hi Tsug,

In FortiGate, firewall policies are processed in a top-down order, and FSSO is a passive authentication method. This means that if a user is already authenticated, traffic from that user will match the FSSO rule. If the user isn't authenticated, the FSSO rule won't match, and the traffic will match the BYPASS rule.

Thanks,
Hari
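The matching behaviour the replies describe (top-down walk, an FSSO/LDAP policy only matching an already-identified user, and the firewall falling through to a lower policy without authentication instead of prompting) can be modelled in a few lines. This is an added illustration, not code from the thread or from FortiOS; it assumes every policy already matches on address and service (the "all all" case in the question) and uses constructed policy names and IPs.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset = frozenset()  # empty set = no authentication on this policy
    auth: str = "passive"            # "passive" (FSSO) or "active" (prompt-based)


@dataclass(frozen=True)
class Session:
    src_ip: str
    user_groups: Optional[frozenset] = None  # None = FSSO has not identified this IP


def select_policy(policies, session):
    """Walk the policy table top-down and return (policy_name, reason).

    Rules modelled from the thread (assumptions, not FortiOS source):
      * a policy with no group requirement matches as soon as it is reached;
      * an FSSO/LDAP policy matches only if the session's user is already
        identified and belongs to one of its groups;
      * when the user is unknown and a policy without authentication sits
        further down, the firewall uses that one instead of prompting;
      * an active-auth policy with no open policy below it prompts.
    """
    for i, pol in enumerate(policies):
        if not pol.groups:
            return pol.name, "no authentication required"
        if session.user_groups is not None:
            if session.user_groups & pol.groups:
                return pol.name, "identified user is in a required group"
            continue  # identified, but wrong group: keep walking down
        if any(not p.groups for p in policies[i + 1:]):
            continue  # an open policy below will allow it, so no prompt
        if pol.auth == "active":
            return pol.name, "prompt for authentication"
    return None, "implicit deny"


# Constructed policy table matching the question: FSSO rule on top, bypass below.
POLICIES = (
    Policy("FSSO-Basic", frozenset({"Basic"})),
    Policy("BYPASS-all-all"),
)

if __name__ == "__main__":
    for s in (Session("10.0.0.5", frozenset({"Basic"})), Session("10.0.0.6")):
        print(s.src_ip, "->", select_policy(POLICIES, s))
```

Removing the bypass policy from the tuple shows the other half of the behaviour: an unidentified user then hits the implicit deny, because a passive FSSO policy cannot prompt.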
