Re: Force User Authentication over Explicit Proxy
A policy like #2 is not gonna get hit, as there is an any-any-accept .. an easier way without authentication.
So first get rid of the any-any-accept stuff .. this is a firewall and the default rule is deny.
All you configure are exceptions for those you would like to explicitly allow through under some conditions.
Then, to apply authentication, the user for example needs to come through a port which spawns a captive portal.
Or the user can be pre-authenticated via FSSO (and for Terminal Servers best equipped with TSAgent), or handle all on a session basis via Explicit proxy policies ..
Docs.fortinet.com and the Authentication guide have a lot of tips.
Specific scenarios are on the Cookbooks site.