Authentication Policy Extensions
In 6.0, if you defined an authentication policy for specific traffic, you might have needed to exclude that destination from the default implicit policy; otherwise, the implicit rule might let unauthenticated users through. This new option forces authentication to take precedence over subsequent rules without having to create additional policies.
By default, unauthenticated traffic is permitted to fall through to the next policy: FortiGate only forces unauthenticated users to authenticate against the authentication policy when there is no other matching policy. In this version, administrators can force authentication to always take place.
To set authentication requirement:
config user setting
    set auth-on-demand <always|implicitly>
end

always        Always trigger firewall authentication on demand.
implicitly    Implicitly trigger firewall authentication on demand. This is the default setting and the original behavior.
This feature can only be configured from the CLI. See the following example.
config user setting
    set auth-on-demand always
end

config firewall policy
    edit 1
        set name "QA to Database"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "Database"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set groups "qa_group"
        set nat enable
    next
    edit 2
        set name "QA to Internet"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end
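The fall-through risk described above can be checked offline against a configuration dump. The following audit script is an added example, not Fortinet code: it parses the subset of the FortiOS CLI syntax shown on this page (flat `config`/`edit`/`set`/`next`/`end` blocks, no nested sub-tables), reads `auth-on-demand`, and reports every policy with `set groups` that is followed by a broader unauthenticated accept policy on the same interface pair. The sample configuration is constructed from the page's example but leaves `auth-on-demand` at its default so the audit has something to report; recognising only the catch-all objects `all`/`ALL` or identical object lists as "covering" is an assumption made because the address-object definitions are not on the page.

```python
"""Audit a FortiOS CLI dump for authentication fall-through.

Added example, not Fortinet code. Handles only flat config sections with
edit entries or top-level set lines (nested sub-tables are not parsed).
"""
import shlex

# Constructed sample, modelled on the page's example, with auth-on-demand
# left at its default ("implicitly") so that policy 2 can shadow policy 1
# for users who never authenticated against qa_group.
SAMPLE_CONFIG = """\
config user setting
    set auth-on-demand implicitly
end
config firewall policy
    edit 1
        set name "QA to Database"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "Database"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set groups "qa_group"
        set nat enable
    next
    edit 2
        set name "QA to Internet"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "QA_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end
"""


def parse_fortios(text):
    """Return {section: {entry_id or '': {key: [values]}}} in file order."""
    sections, section, entry = {}, None, ""
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # honours the "quoted names"
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            section = " ".join(args)
            sections.setdefault(section, {})
            entry = ""
        elif cmd == "edit":
            entry = args[0]
            sections[section].setdefault(entry, {})
        elif cmd == "set":
            sections[section].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = ""
        elif cmd == "end":
            section, entry = None, ""
    return sections


def covers(later, earlier):
    """Assumption: only the catch-all object ('all'/'ALL') or a superset of
    the same object names is treated as covering; real address-object
    membership would need the object definitions."""
    return [v.lower() for v in later] == ["all"] or set(later) >= set(earlier)


def find_fallthrough(sections):
    """Return (auth_policy_id, shadowing_policy_id) pairs.

    With auth-on-demand set to 'always' nothing is reported, because the
    authenticated policy then takes precedence over later policies.
    """
    mode = sections.get("user setting", {}).get("", {}).get(
        "auth-on-demand", ["implicitly"])[0]
    if mode == "always":
        return []
    policies = list(sections.get("firewall policy", {}).items())
    findings = []
    for i, (pid, p) in enumerate(policies):
        if "groups" not in p or p.get("action") != ["accept"]:
            continue
        for qid, q in policies[i + 1:]:
            if "groups" in q or q.get("action") != ["accept"]:
                continue
            same_ifaces = all(q.get(k) == p.get(k) for k in ("srcintf", "dstintf"))
            wider = all(covers(q.get(k, []), p.get(k, []))
                        for k in ("srcaddr", "dstaddr", "service"))
            if same_ifaces and wider:
                findings.append((pid, qid))
    return findings


def audit(text):
    """Convenience wrapper: parse a dump and return the findings."""
    return find_fallthrough(parse_fortios(text))


if __name__ == "__main__":
    for auth_id, shadow_id in audit(SAMPLE_CONFIG):
        print(f"policy {auth_id} requires a group but unauthenticated traffic "
              f"falls through to policy {shadow_id}; set auth-on-demand always")
```

Running it against the sample reports that policy 1 is shadowed by policy 2; re-running with `set auth-on-demand always` reports nothing, which is the behaviour the new option provides.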