Description
The authentication policy in FortiOS 5.2 by default allows unauthenticated traffic to fall through to the next policy.
note: This is similar to 'skip to next policy' being enabled in FortiOS 5.0
For unauthenticated traffic, the FortiGate (FGT) will continue checking if the traffic matches one of the following policies.
Scenario #1 -- Matching Policy Found for Non-authenticated Traffic
In following example unauthenticated traffic will NOT match SSO_Guest_User (policy 5) and will fall in next policy (#3).
Log:
itime=2014-12-29 13:48:14 vd=root rcvdbyte=633 srccountry=Reserved app=HTTP transip=172.17.97.181 logver=52 date=2014-12-29 dstip=68.67.128.155 duration=54 sentbyte=554 transport=50470 service=HTTP proto=6 devid=FGVM010000016443 poluuid=f55a5a90-71b3-51e4-7240-a4e0e8047289 dstport=80 type=traffic devname=FGTVM52 dtime=2014-12-29 13:48:12 trandisp=snat sessionid=55097 itime_t=1419889694 policyid=3 srcintf=port2 srcip=192.168.1.205 offset_idx=139690533087533 sentpkt=6 level=notice appcat=Not.Scanned srcport=50470 logid=13 subtype=forward rcvdpkt=5 dstcountry=United States time=13:48:12 action=close dstintf=port1
Session info:
session info: proto=6 proto_state=01 duration=0 expire=3599 timeout=3600 flags=00000010 sockflag=00000000 sockport=0 av_idx=0 use=3
…
statistic(bytes/packets/allow_err): org=434/3/1 reply=92/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=172.17.97.254/192.168.1.205
hook=post dir=org act=snat 192.168.1.205:50470->68.67.128.155:80(172.17.97.181:50470)
hook=pre dir=reply act=dnat 68.67.128.155:80->172.17.97.181:50470(192.168.1.205:50470)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=0000d739 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
In this scenario the traffic is not labeled as a guess traffic as it matches a non-authentication policy (#3)
Scenario #2 -- No Matching Policy is Found for Non-authenticated Traffic. SSO_Guest-Users is Used.
Only if no matching policy is found for non-authenticated traffic will SSO_Guest-Users be matched.
In next scenario there is no non-authentication policies after the identity policies and unauthenticated traffic will match SSO_Guest_Users group and it will be labeled accordingly:
Log:
itime=2014-12-09 11:59:27 vd=root rcvdbyte=43927 srccountry=Reserved app=HTTP transip=172.17.97.181 logver=52 date=2014-12-09 dstip=66.171.121.44 duration=14 sentbyte=3502 transport=55813 group=SSO_Guest_Users service=HTTP proto=6 user=guest devid=FGVM010000016443 poluuid=728004de-7fd3-51e4-12a7-c40d48b404ba dstport=80 type=traffic devname=FGTVM52 dtime=2014-12-09 11:59:26 trandisp=snat sessionid=1797961 itime_t=1418155167 policyid=5 srcintf=port2 srcip=192.168.1.111 offset_idx=139720983497005 sentpkt=32 level=notice appcat=Not.Scanned srcport=55813 logid=13 subtype=forward rcvdpkt=39 dstcountry=United States time=11:59:26 action=close dstintf=port1
Session info:
session info: proto=6 proto_state=01 duration=3 expire=3599 timeout=3600 flags=00000010 sockflag=00000000 sockport=0 av_idx=0 use=3
ha_id=0 policy_dir=0 tunnel=/
user=guest group=SSO_Guest_Users state=log may_dirty authed none app_ntf acct-ext
statistic(bytes/packets/allow_err): org=998/6/1 reply=4382/5/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=172.17.97.254/192.168.1.111
hook=post dir=org act=snat 192.168.1.111:55813->66.171.121.44:80(172.17.97.181:55813)
hook=pre dir=reply act=dnat 66.171.121.44:80->172.17.97.181:55813(192.168.1.111:55813)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=5 auth_info=4294967295 chk_client_info=0 vd=0
serial=001b6f49 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
