FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ESCHAN_FTNT
Staff
Article Id 192567

Description
On FortiOS firmware v5.2 onwards (5.2, 5.4, 5.6 and 6.0), there is an implicit fall-through behaviour: if there are firewall policies at the bottom of the policy table without authentication, unauthenticated users will always match those bottom policies, even when there are active authentication policies above them.

This article describes how, on firmware 6.2, an administrator can now define and force authentication to always take place where necessary.

Solution

By default, unauthenticated traffic is permitted to fall through to the next policy.
FortiGate only forces unauthenticated users to authenticate against the authentication policy when there are no other matching policies.
In FortiOS 6.2, administrators can force authentication to always take place.
 
To set the authentication requirement, use the following CLI command (the '#' is the CLI prompt, not part of the command):
# config user setting
    set auth-on-demand <always|implicitly>
end

always - Always trigger firewall authentication on demand: unauthenticated traffic that matches an authentication policy is prompted to authenticate, even if a later policy without authentication would also match.
implicitly (default) - Implicitly trigger firewall authentication on demand: unauthenticated traffic is allowed to fall through to the next matching policy, and authentication is only enforced when no other policy matches. This is the default setting and the original behaviour of versions 5.2, 5.4, 5.6 and 6.0.

Example:
id 1: internal, (subnet1) ---> wan1, (all), service(all), has authentication.
id 2: internal, (subnet1) ---> wan1, (all), service(all), no authentication.
With auth-on-demand set to always, traffic from subnet1 will always match policy ID 1 and be prompted for authentication. With the default setting (implicitly), unauthenticated traffic from subnet1 falls through to policy ID 2 and is never prompted.
This setting is configured on a per-VDOM basis.
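The following is an added, constructed model of the policy-matching behaviour described in this article; it is not FortiOS code and does not claim to reproduce FortiGate's matching engine. The Policy and Flow classes, the evaluate() function and the shadowed_auth_policies() audit helper are all assumptions made for illustration. evaluate() applies the two auth-on-demand modes to the two-policy example above, and shadowed_auth_policies() lists authentication policies that a later non-authentication policy would silently absorb under the default implicit fall-through, which is the condition an administrator would want to find before relying on authentication for access control.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Policy:
    """Simplified firewall policy (constructed model, not a FortiOS object)."""
    id: int
    srcintf: str
    dstintf: str
    srcaddr: Set[str]        # address object names; "all" matches anything
    dstaddr: Set[str]
    service: Set[str]        # service names; "all" matches anything
    requires_auth: bool = False   # True when the policy has user/group authentication
    action: str = "accept"


@dataclass
class Flow:
    """A single session attempt (constructed model)."""
    srcintf: str
    dstintf: str
    srcaddr: str             # address object the source belongs to
    dstaddr: str
    service: str
    authenticated: bool = False


def _in(allowed: Set[str], name: str) -> bool:
    return "all" in allowed or name in allowed


def policy_matches(p: Policy, f: Flow) -> bool:
    """Interface/address/service match only; user-group membership is ignored here."""
    return (p.srcintf == f.srcintf and p.dstintf == f.dstintf
            and _in(p.srcaddr, f.srcaddr) and _in(p.dstaddr, f.dstaddr)
            and _in(p.service, f.service))


def evaluate(policies: List[Policy], flow: Flow,
             auth_on_demand: str = "implicitly") -> Tuple[Optional[int], str]:
    """Return (policy_id, outcome) for a flow under the given auth-on-demand mode.

    outcome is the policy action ("accept"/"deny"), "prompt-auth" when the flow
    would be asked to authenticate, or "implicit-deny" when nothing matches.
    """
    if auth_on_demand not in ("always", "implicitly"):
        raise ValueError("auth-on-demand must be 'always' or 'implicitly'")

    candidates = [p for p in policies if policy_matches(p, flow)]
    if not candidates:
        return (None, "implicit-deny")

    first = candidates[0]
    if flow.authenticated or auth_on_demand == "always":
        # Top-down first match; an auth policy prompts an unauthenticated user.
        if first.requires_auth and not flow.authenticated:
            return (first.id, "prompt-auth")
        return (first.id, first.action)

    # "implicitly": unauthenticated traffic falls through to the next matching
    # policy; authentication is only enforced when no non-auth policy matches.
    for p in candidates:
        if not p.requires_auth:
            return (p.id, p.action)
    return (first.id, "prompt-auth")


def shadowed_auth_policies(policies: List[Policy]) -> List[int]:
    """IDs of auth policies that a later non-auth policy with overlapping
    interfaces/addresses/services would absorb under implicit fall-through."""
    def overlap(a: Set[str], b: Set[str]) -> bool:
        return "all" in a or "all" in b or bool(a & b)

    shadowed = []
    for i, p in enumerate(policies):
        if not p.requires_auth:
            continue
        for q in policies[i + 1:]:
            if (not q.requires_auth and p.srcintf == q.srcintf and p.dstintf == q.dstintf
                    and overlap(p.srcaddr, q.srcaddr) and overlap(p.dstaddr, q.dstaddr)
                    and overlap(p.service, q.service)):
                shadowed.append(p.id)
                break
    return shadowed


# Constructed reproduction of the article's example: policy 1 has authentication,
# policy 2 (same match criteria) does not.
POLICIES = [
    Policy(1, "internal", "wan1", {"subnet1"}, {"all"}, {"all"}, requires_auth=True),
    Policy(2, "internal", "wan1", {"subnet1"}, {"all"}, {"all"}, requires_auth=False),
]
UNAUTH_FLOW = Flow("internal", "wan1", "subnet1", "example-host", "HTTPS")


if __name__ == "__main__":
    print("implicitly:", evaluate(POLICIES, UNAUTH_FLOW, "implicitly"))   # (2, 'accept')
    print("always:    ", evaluate(POLICIES, UNAUTH_FLOW, "always"))       # (1, 'prompt-auth')
    print("shadowed auth policies:", shadowed_auth_policies(POLICIES))    # [1]
```

Running the model with the default mode shows the unauthenticated flow landing on policy 2 with no prompt, which is exactly the fall-through the article describes; switching to always makes policy 1 win and prompt. The audit helper is the check to run against a policy table before assuming an authentication policy is actually enforced.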


https://kb.fortinet.com/kb/documentLink.do?externalID=FD39144
