Created on 11-14-2019 06:56 AM Edited on 05-26-2022 07:23 AM By Anonymous
Description
On FortiOS firmware v5.2 onwards (5.2, 5.4, 5.6 and 6.0), there is an implicit fall-through behaviour: if firewall policies without authentication sit at the bottom of the policy list, a user will always match those bottom policies, even when active authentication policies exist above them.
This article describes how, on firmware 6.2, the administrator can force authentication to always take place when the policy requires it.
Solution
Always trigger firewall authentication on demand:

# config user setting
    set auth-on-demand <always|implicitly>
end
id 1: internal, (subnet1) ---> wan1, (all), service(all), has authentication.
id 2: internal, (subnet1) ---> wan1, (all), service(all), no authentication.

With auth-on-demand set to always, traffic from subnet1 will always match policy ID 1 and the user is prompted for authentication, instead of falling through to policy ID 2.
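The two policies above, run through a small model of the policy selection described in this article. This is an added, constructed illustration (not FortiOS code): a simplified evaluator that shows which policy an unauthenticated user lands on under auth-on-demand "implicitly" versus "always"; the policy fields and group name are assumptions chosen to mirror the example.

```python
"""Simplified model of FortiOS firewall policy selection under auth-on-demand.

Constructed illustration, not FortiOS code. It models only the behaviour
described in the article: under "implicitly" an unauthenticated user falls
through to a later matching policy without authentication; under "always"
the user is stopped at the first matching authentication policy.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str                                    # e.g. "subnet1" or "all"
    groups: List[str] = field(default_factory=list)  # empty list = no authentication

    def traffic_matches(self, srcintf: str, dstintf: str, srcaddr: str) -> bool:
        return (self.srcintf == srcintf and self.dstintf == dstintf
                and self.srcaddr in ("all", srcaddr))


def select_policy(policies: List[Policy], auth_on_demand: str, srcintf: str,
                  dstintf: str, srcaddr: str, user_groups: List[str]
                  ) -> Tuple[Optional[int], bool]:
    """Return (policy_id, prompt_for_auth); policy_id None means no policy matched."""
    if auth_on_demand not in ("always", "implicitly"):
        raise ValueError("auth-on-demand must be 'always' or 'implicitly'")
    candidates = [p for p in policies if p.traffic_matches(srcintf, dstintf, srcaddr)]
    for idx, p in enumerate(candidates):
        if not p.groups:
            return p.policy_id, False            # no authentication required
        if any(g in user_groups for g in p.groups):
            return p.policy_id, False            # already authenticated as a member
        if auth_on_demand == "always":
            return p.policy_id, True             # stop here and prompt
        # "implicitly": fall through if a later matching policy needs no authentication
        if any(not q.groups for q in candidates[idx + 1:]):
            continue
        return p.policy_id, True                 # nothing to fall through to: prompt
    return None, False


# Constructed policy table mirroring the article's example (group name assumed).
POLICIES = [
    Policy(1, "internal", "wan1", "subnet1", ["auth_group"]),  # id 1: has authentication
    Policy(2, "internal", "wan1", "subnet1"),                  # id 2: no authentication
]
```

Calling select_policy with an empty user_groups list shows the fall-through under "implicitly" (policy 2, no prompt) and the forced prompt under "always" (policy 1, prompt).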
https://kb.fortinet.com/kb/documentLink.do?externalID=FD39144