Created on 12-31-2014 01:45 PM Edited on 06-08-2022 02:14 PM By Anonymous
Description
Question: I have workstations which do not have domain login. Why are they not considered as FSSO guests?
A FortiGate considers a host's traffic as 'Guest' traffic when the traffic matches an authentication policy but the FortiGate has not yet learned authentication details (user & user group) from the collector agent.
This article explores the option 'skip this policy for unauthenticated user' and the implications it has for how unauthenticated traffic is handled.
Another possibility, not covered in this article, is to use NTLM as a fallback for unauthenticated users.
How the FortiGate (FortiOS 5.0) handles this unauthenticated traffic depends on how the option 'skip this policy for unauthenticated user' is configured.
With the option disabled, the FortiGate behavior is the same as it was prior to FortiOS 5.0:
a) If FSSO_Guest_Users is enabled in an identity-based rule, the unauthenticated traffic will match that rule. The allowed traffic will be labeled with user='guest' and group=FSSO_Guest_Users.
b) If FSSO_Guest_Users is not specified in a matching rule, then the unauthenticated traffic will be blocked.
For example:
Log message:
date=2014-11-27 time=16:01:33 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.206 srcport=49171 srcintf="port2" dstip=142.231.1.167 dstport=80 dstintf="port1" sessionid=4121 status=close user="guest" group="FSSO_Guest_Users" policyid=3 dstcountry="Canada" srccountry="Reserved" trandisp=snat transip=172.17.97.180 transport=49171 service=HTTP proto=6 appid=8001 app="HTTP.GET.Request" appcat="VoIP" applist="default" duration=117 sentbyte=554 rcvdbyte=444 sentpkt=5 rcvdpkt=5 identidx=3 utmaction=passthrough utmevent=webfilter utmsubtype=ftgd-cat urlcnt=1 hostname="ctldl.windowsupdate.com" catdesc="Information Technology"
Session info:
session info: proto=6 proto_state=11 duration=36 expire=3563 timeout=3600 flags=00000010 sockflag=00000000 sockport=80 av_idx=1 use=4
user=guest group=FSSO_Guest_Users state=redir log local may_dirty ndr authed acct-ext
statistic(bytes/packets/allow_err): org=502/4/1 reply=364/3/1 tuples=3
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=172.17.97.254/192.168.1.206
hook=post dir=org act=snat 192.168.1.206:49171->142.231.1.167:80(172.17.97.180:49171)
hook=pre dir=reply act=dnat 142.231.1.167:80->172.17.97.180:49171(192.168.1.206:49171)
hook=post dir=reply act=noop 142.231.1.167:80->192.168.1.206:49171(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 id_policy_id=3 auth_info=4294967295 chk_client_info=0 vd=0
serial=00001019 tos=ff/ff ips_view=1 app_list=2000 app=8001
dd_type=0 dd_mode=0
per_ip_bandwidth meter: addr=192.168.1.206, bps=494
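The guest label in the traffic log above is the simplest way to find workstations that never reach the FortiGate with an FSSO logon. The following Python script is an added example, not part of this article or of FortiOS: it parses FortiGate key=value traffic log lines (quoted values may contain spaces), flags sessions the FortiGate tagged as user="guest" / group="FSSO_Guest_Users", and counts them per source IP so the hosts can be checked against the collector agent's logon list. The second sample log line is constructed; the first is the one shown above.

```python
import re
from collections import defaultdict

# FortiGate traffic logs are space-separated key=value pairs; values that
# contain spaces are wrapped in double quotes.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate log line into a dict, stripping surrounding quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


def is_fsso_guest(rec: dict) -> bool:
    """True when the session matched an FSSO_Guest_Users rule without a learned user.
    strip() tolerates the trailing space some exports put inside the quotes."""
    return (rec.get("user", "").strip() == "guest"
            and rec.get("group", "").strip() == "FSSO_Guest_Users")


def guest_hosts(lines) -> dict:
    """Return {srcip: number of guest sessions} for hosts that hit the guest rule."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_fortigate_log(line)
        if is_fsso_guest(rec) and "srcip" in rec:
            counts[rec["srcip"]] += 1
    return dict(counts)


SAMPLE_LOGS = [
    # The guest session from this article (trimmed to the relevant fields).
    'date=2014-11-27 time=16:01:33 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd=root srcip=192.168.1.206 srcport=49171 srcintf="port2" '
    'dstip=142.231.1.167 dstport=80 dstintf="port1" sessionid=4121 status=close '
    'user="guest" group="FSSO_Guest_Users" policyid=3 service=HTTP proto=6 '
    'app="HTTP.GET.Request" hostname="ctldl.windowsupdate.com"',
    # Constructed: a host whose logon the collector agent did report, same policy.
    'date=2014-11-27 time=16:02:10 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd=root srcip=192.168.1.50 srcport=50001 srcintf="port2" '
    'dstip=142.231.1.167 dstport=80 dstintf="port1" sessionid=4130 status=close '
    'user="CORP\\jsmith" group="CORP/Domain Users" policyid=3 service=HTTP proto=6',
]

if __name__ == "__main__":
    for ip, n in guest_hosts(SAMPLE_LOGS).items():
        print(f"{ip}: {n} guest session(s); no FSSO logon learned for this host")
```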
With the option enabled, the behavior is similar to FortiOS 5.2.
If no matching authentication rule is found in the current policy, the FortiGate skips that firewall policy and continues trying to match a subsequent policy.
When the skip option is enabled, "FSSO_Guest_Group" references in the authentication rules of this policy are ignored and should be omitted from the configuration.