in this case it was DNS traffic from an unauthenticated source hitting a policy with group authentication (FSSO) and being allowed there, it took me a while to remember this is default behaviour.
anyone have a good public source for this btw? i can only find it in the NSE4 training material. the authentication admin guide only states you need to setup a separate DNS allow policy before any authentication policies.
so when i first noticed it i started investigating the fact if the IP wasn't somehow authenticated, why did the fortitgate believe it belonged to that group? diag debug flow is helpful in pointing out results, but not why they are made. i would love to see something that compares the packet to the policy and comes out with source: match, destination: match, authentication group: failed, but DNS so match.
would have saved quite some searching and having doubts about FSSO working correctly again.
and that is just one example, had something similar in the past where the policy choice didn't make sense until i noticed the service config was messed up. again if diag debug flow had shown a match on the service i would have been able to focus on that much quicker.
anyway, in the end both were solved, but i had hoped for a hidden extra flag