When a FortiGate firewall policy is configured with active authentication, which protocol must be allowed for user access even if authentication fails?

Prepare for the Fortinet FortiGate 7.4 Administrator Test. Use flashcards and multiple choice questions with explanations to enhance understanding. Be exam ready!

The correct choice is DNS because, in scenarios involving active authentication on a FortiGate firewall, it's essential for the firewall to maintain basic network services even when user authentication fails. DNS (Domain Name System) is crucial for name resolution, which allows users to access websites and services using domain names instead of IP addresses.

If DNS is blocked and a user's authentication fails, the user may be unable to resolve the names of the sites they want to visit, which effectively breaks communication. In contrast, protocols like HTTP, HTTPS, and FTP rely on successfully establishing sessions after authentication. Allowing DNS ensures that clients can still resolve domain names to access services, an important functional requirement even when user access is restricted. It maintains a basic level of connectivity for users while still adhering to security policies.
