Fail Open

Fail Open specifies whether requests are allowed to proceed for processing when user authentication fails.

When Fail Open is enabled and a Forcepoint Web Security transparent identification agent is configured, if authentication fails and the client is identified by the agent, user-based policy is applied. If the user cannot be identified and a policy is assigned to the client’s IP address, that policy is applied. Otherwise, the Default policy is applied.

Important:

The Fail Open setting does not apply when IWA is the authentication method and the client fails to retrieve a kerberos ticket from the domain controller (DC) because the DC is down.

The Fail Open setting does apply with IWA when IWA falls back to NTLM.

The Fail Open setting does not apply when using LDAP in explicit proxy mode.

Options include:

  • Disabled – specifies that requests do not proceed when authentication failures occur.
  • Enabled only for critical service failures (default) – specifies that requests proceed if authentication fails due to:
    • No response from the domain controller
    • The client is sending badly formatted messages
  • Enabled for all authentication failures, including incorrect password – specifies that requests proceed for all authentication failures, including password failures.
    Important:

    When user authentication is rule-based with a domain list:

    • If Enabled only for critical service failures is selected, when a critical service failure occurs fail open is not applied. An error always results in fail closed.
    • If Enabled for all authentication failures, including incorrect password is selected, after trying basic credentials with every domain in the list, fail open is applied.