What is the difference between Authenticate and Force Authenticate policy actions?



Solution

Overview

Authenticate (default):

The default Authenticate action WILL NOT authenticate the user if, during policy evaluation, the request also matches a deny rule. The purpose of the Authenticate action is efficiency: since it has already been determined that the request will be denied, the ProxySG skips the additional steps needed to authenticate the user, which saves time and resources on the ProxySG. Proxy administrators who DO NOT need to enforce an internet security policy requiring them to identify users attempting to access blocked sites choose this option for performance reasons.

Force Authenticate:

The Force Authenticate action WILL authenticate the user even when the request also matches a deny rule. The purpose of using Force Authenticate is to ensure that usernames are logged even when the request will be denied. Proxy administrators who DO need to enforce an internet security policy that requires that they identify users attempting to access blocked sites will use this option for security purposes.


Additional use information:
Keep in mind that even with the default Authenticate action, authentication will still proceed if the Web Access Layer contains rules with domain user/group based conditions and those rules are evaluated before a deny rule that has NO domain user/group based condition: the ProxySG must authenticate in order to determine whether those user/group conditions match. Only when the request matches a deny rule and no rule with a domain user/group based condition has been evaluated does the default Authenticate action deny the request without proceeding to authenticate the user.

Example #1:
[Web Authentication Layer]
Rule #1: Source=Any, Destination=Any, Action=Authenticate (default)

[Web Access Layer]
Rule #1: Source=Any, Destination=category=suspicious, Action=DENY

Result: A request for a suspicious site WILL NOT BE authenticated because it matched a default Authenticate rule and no domain user/group based rule was evaluated.

Example #2:
[Web Authentication Layer]
Rule #1: Source=Any, Destination=Any, Action=Authenticate (default)

[Web Access Layer]
Rule #1: Source=User1, Destination=category=suspicious, Action=DENY
Rule #2: Source=Any, Destination=category=suspicious, Action=DENY

Result: A request for a suspicious site WILL BE authenticated to determine the username, since Web Access Layer rule #1 has a user based condition.

Example #3:
[Web Authentication Layer]
Rule #1: Source=Any, Destination=Any, Action=Force Authenticate

[Web Access Layer]
Rule #1: Source=Any, Destination=category=suspicious, Action=DENY

Result: A request for a suspicious site WILL BE authenticated because a Force Authenticate action is matched even though there are no domain user/group based rules.
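The following is an added model of the evaluation logic described in this article, written for this page and not ProxySG's own code: the Rule and Request types, the evaluate() function and the sample request (user "User2") are hypothetical constructions. It replays the three examples above and reports whether the user was authenticated and what the decision was.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    """One Web Access Layer rule (a hypothetical model, not ProxySG's own types)."""
    action: str                     # "ALLOW" or "DENY"
    user: Optional[str] = None      # domain user/group based source condition, None = Any
    category: Optional[str] = None  # destination category condition, None = Any

@dataclass
class Request:
    user: str       # identity that authentication would reveal
    category: str   # category of the requested site

def evaluate(auth_action: str, rules: List[Rule], req: Request) -> Tuple[bool, str]:
    """Return (user_authenticated, decision) following the article's logic.
    auth_action is the Web Authentication Layer action: "Authenticate" or
    "Force Authenticate". First matching rule wins. Assumption: a request
    that no rule denies is allowed, and the user is authenticated."""
    authenticated = False
    for rule in rules:
        if rule.category is not None and rule.category != req.category:
            continue  # destination condition not met, rule skipped
        if rule.user is not None:
            # A user/group condition can only be checked once the identity is
            # known, so authentication proceeds even with the default action.
            authenticated = True
            if rule.user != req.user:
                continue
        if rule.action == "DENY":
            if auth_action == "Force Authenticate":
                authenticated = True  # identity obtained so the username is logged
            return authenticated, "DENY"
        return True, "ALLOW"
    return True, "ALLOW"

# Constructed sample request and the page's three example policies.
SUSPICIOUS = Request(user="User2", category="suspicious")
DENY_ANY = Rule("DENY", category="suspicious")                 # Source=Any, Destination=suspicious
DENY_USER1 = Rule("DENY", user="User1", category="suspicious")  # Source=User1, Destination=suspicious

def page_examples() -> dict:
    return {
        1: evaluate("Authenticate", [DENY_ANY], SUSPICIOUS),
        2: evaluate("Authenticate", [DENY_USER1, DENY_ANY], SUSPICIOUS),
        3: evaluate("Force Authenticate", [DENY_ANY], SUSPICIOUS),
    }
```

Example #1 yields (False, "DENY"), Example #2 (True, "DENY") and Example #3 (True, "DENY"), matching the results stated above.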


InQuira Doc Id: FAQ2226
First Published: 10/01/2014
Last Modified: 09/21/2015
Last Published: 09/21/2015
Product: ProxySG
Topic: Authentication
Article Number: 000015360