Chapter 7 Firewall for FortiOS 5.0 : Security policies : Identity Based Policies : Identity policies and unauthenticated users
  
Identity policies and unauthenticated users
One of the previous drawbacks of User Identity policies is that traffic from an unauthenticated user that enters the policy is denied by default: it does not match any of the user groups and therefore falls to policy 0, which denies access to any traffic that reaches it. Allowances have been made so that if you are using User Identity based policies you are not forced to authenticate all users and create a subpolicy for all of the users.
When configuring User Identity policies you can select the option Skip this policy for unauthenticated user. With this option selected, the policy applies only to traffic from users who have already authenticated with the FortiGate unit. As the name of the option implies, the policy does not apply to unauthenticated users, and any traffic from unauthenticated users that makes it through the sequence to this policy continues on to the next policy.
The command line syntax for using this feature is:
config firewall policy
    edit <id>
        set identity-based enable
        set fall-through-unauthenticated enable
    next
end
Because of this option, User Identity policies can be placed much higher in the sequence than they once were. Because the policy no longer interferes with unauthenticated traffic, it can be placed so that non-user-specific policies do not act on the traffic before it reaches its intended policy.
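The following added example is a simplified Python model of the policy sequence described above, not FortiOS code. It lets you check which policy ends up handling unauthenticated traffic once fall-through is enabled. The class, function and group names are hypothetical, and the model assumes every policy already matches the session's interfaces, addresses and service.

```python
from dataclasses import dataclass

IMPLICIT_DENY = (0, "deny")  # policy 0: denies any traffic that reaches it


@dataclass(frozen=True)
class Policy:
    id: int
    action: str = "accept"
    identity_based: bool = False
    groups: frozenset = frozenset()  # user groups of an identity policy
    fall_through_unauthenticated: bool = False


def evaluate(policies, user_groups):
    """Return (policy id, action) for one session.

    user_groups is None for an unauthenticated user, otherwise the set of
    groups the authenticated user belongs to.
    """
    for p in policies:
        if not p.identity_based:
            return (p.id, p.action)  # ordinary policy: first match wins
        if user_groups is not None and p.groups & user_groups:
            return (p.id, p.action)  # authenticated user in a listed group
        if user_groups is None and p.fall_through_unauthenticated:
            continue  # policy is skipped; go on to the next one
        # Otherwise nothing in the identity policy matched (model
        # assumption: this also covers an authenticated user who is in
        # none of the listed groups), so the session falls to policy 0.
        return IMPLICIT_DENY
    return IMPLICIT_DENY


def sequence(fall_through):
    """Constructed sample: identity policy 1 placed above general policy 2."""
    return [
        Policy(1, identity_based=True, groups=frozenset({"staff"}),
               fall_through_unauthenticated=fall_through),
        Policy(2),  # non-user-specific policy lower in the sequence
    ]


if __name__ == "__main__":
    for ft in (False, True):
        print("fall-through", ft,
              "| unauthenticated ->", evaluate(sequence(ft), None),
              "| staff ->", evaluate(sequence(ft), {"staff"}))
```

When reviewing a rule base, note that enabling the option hands unauthenticated traffic to whatever policy comes next, so that policy's scope decides what those users can reach.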