FortiGate
tsimeonov_FTNT
Article Id 194304

Description
Question: I have workstations which do not have domain login. Why are they not considered as FSSO guests?

A FortiGate considers a host's traffic as 'Guest' traffic when the traffic matches an authentication policy but the FortiGate has not yet learned authentication details (user & user group) from the collector agent.

This article explores the option 'skip this policy for unauthenticated user' and the implications this has for how unauthenticated traffic is handled.

Another possibility, not covered in this article, is to use NTLM as a fallback for unauthenticated users.

***


How the FortiGate (FortiOS 5.0) handles this unauthenticated traffic depends on how the option 'skip this policy for unauthenticated user' is configured.

Option 1: 'Skip this policy for unauthenticated user' is disabled.


In this scenario, the FortiGate behavior is the same as it was prior to FortiOS 5.0.

a) If FSSO_Guest_Users is enabled in an identity-based rule, the unauthenticated traffic will match that rule. The allowed traffic will be labeled with user='guest' and group=FSSO_Guest_Users.

b) If FSSO_Guest_Users is not specified in a matching rule, then the unauthenticated traffic will be blocked.

For example:
[Screenshot: Tsvetan_50Guest1.jpg]

Log message:

date=2014-11-27 time=16:01:33 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.206 srcport=49171 srcintf="port2" dstip=142.231.1.167 dstport=80 dstintf="port1" sessionid=4121 status=close user="guest" group="FSSO_Guest_Users" policyid=3 dstcountry="Canada" srccountry="Reserved" trandisp=snat transip=172.17.97.180 transport=49171 service=HTTP proto=6 appid=8001 app="HTTP.GET.Request" appcat="VoIP" applist="default" duration=117 sentbyte=554 rcvdbyte=444 sentpkt=5 rcvdpkt=5 identidx=3 utmaction=passthrough utmevent=webfilter utmsubtype=ftgd-cat urlcnt=1 hostname="ctldl.windowsupdate.com" catdesc="Information Technology"


Session info:

session info: proto=6 proto_state=11 duration=36 expire=3563 timeout=3600 flags=00000010 sockflag=00000000 sockport=80 av_idx=1 use=4
user=guest group=FSSO_Guest_Users state=redir log local may_dirty ndr authed acct-ext
statistic(bytes/packets/allow_err): org=502/4/1 reply=364/3/1 tuples=3
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=172.17.97.254/192.168.1.206
hook=post dir=org act=snat 192.168.1.206:49171->142.231.1.167:80(172.17.97.180:49171)
hook=pre dir=reply act=dnat 142.231.1.167:80->172.17.97.180:49171(192.168.1.206:49171)
hook=post dir=reply act=noop 142.231.1.167:80->192.168.1.206:49171(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 id_policy_id=3 auth_info=4294967295 chk_client_info=0 vd=0
serial=00001019 tos=ff/ff ips_view=1 app_list=2000 app=8001
dd_type=0 dd_mode=0
per_ip_bandwidth meter: addr=192.168.1.206, bps=494


Option 2: 'Skip this policy for unauthenticated user' is enabled.


In this scenario the behavior is similar to FortiOS 5.2.

If no matching authentication rule is found in the current policy, the FortiGate will skip the current firewall policy and continue trying to match another policy.

When the skip option is enabled, "FSSO_Guest_Group" references in authentication rules in this policy will be ignored and should be omitted from the configuration.
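With the skip option disabled (Option 1a), every workstation the collector agent has not reported shows up in the traffic log as user="guest" in group FSSO_Guest_Users, so the log itself is the quickest way to list the hosts behind the question above. The following added example (not part of the original article or of FortiOS) parses log lines in the key=value format shown above and counts guest-labelled sessions per source IP; the sample lines, IPs and user names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample traffic log lines in the FortiOS key=value format shown
# in this article (hosts, users and session details are made up).
SAMPLE_LOGS = [
    'date=2014-11-27 time=16:01:33 logid=0000000013 type=traffic subtype=forward '
    'srcip=192.168.1.206 dstip=142.231.1.167 dstport=80 user="guest" '
    'group="FSSO_Guest_Users" policyid=3 app="HTTP.GET.Request"',
    'date=2014-11-27 time=16:02:10 logid=0000000013 type=traffic subtype=forward '
    'srcip=192.168.1.50 dstip=142.231.1.167 dstport=443 user="jsmith" '
    'group="Domain Users" policyid=3',
    'date=2014-11-27 time=16:03:41 logid=0000000013 type=traffic subtype=forward '
    'srcip=192.168.1.206 dstip=192.0.2.53 dstport=53 user="guest" '
    'group="FSSO_Guest_Users" policyid=3',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def is_fsso_guest(fields):
    """True when the session was matched as unauthenticated FSSO guest traffic,
    i.e. user 'guest' in group FSSO_Guest_Users as described in Option 1a."""
    return fields.get("user") == "guest" and fields.get("group") == "FSSO_Guest_Users"

def guest_hosts(lines):
    """Count guest-labelled traffic sessions per source IP. Each host listed is
    one whose logon the collector agent has not reported: a candidate for a
    missing domain login or a collector agent visibility gap."""
    counts = Counter()
    for line in lines:
        fields = parse_fortios_log(line)
        if fields.get("type") == "traffic" and is_fsso_guest(fields):
            counts[fields.get("srcip", "?")] += 1
    return dict(counts)

if __name__ == "__main__":
    for ip, n in sorted(guest_hosts(SAMPLE_LOGS).items()):
        print(f"{ip}: {n} guest session(s)")
```

Feed it the real log export instead of SAMPLE_LOGS; hosts that appear only as guest are the ones to check on the collector agent side.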
