GWFortinet
Staff
May 7, 2025

Technical Tip: 'Access Denied' error during session-based authentication with explicit web proxy
Description
This article describes why end-users see an 'Access Denied' error when FortiGate runs as an explicit web proxy with session-based authentication.

Scope
FortiGate v7.4+.

Solution

When FortiGate runs as an explicit web proxy with session-based authentication, using the typical configuration below, end-users can access most websites except *.microsoft.com:

config firewall proxy-policy
    edit 1
        set name "Bypass_IdP"
        set proxy explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "FAC"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    edit 2
        set name "Auth_User"
        set proxy explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "samlgroup"
        set ssl-ssh-profile "custom-deep-inspection"
    next
end

This can happen because the wildcard FQDN object 'microsoft' is exempted from SSL inspection in the profile that the authentication policy uses:

config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set comment "Customizable deep inspection profile."
        config ssl-exempt
            edit 23
                set type wildcard-fqdn
                set wildcard-fqdn "microsoft"   <---
            next
        end
    next
end

Session-based authentication requires SSL/TLS deep inspection. If the destination matches an object in the SSL exemption list, deep inspection is not performed for that session, so session-based authentication is skipped and the end user receives the 'Access Denied' error.

Therefore, the solution is to remove the relevant object from 'Exempt from SSL Inspection' in the SSL/SSH inspection profile being used.
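The fix applied from the CLI, as an added example that is not part of the original article. It assumes the profile name "custom-deep-inspection" and the exempt entry ID 23 shown above; the 'diagnose wad user list' check at the end is an assumption about the command used to list users authenticated by the explicit proxy.

```fortios
# Remove the wildcard FQDN exemption (entry 23) so *.microsoft.com is
# deep-inspected again and session-based authentication can run.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            delete 23
        end
    next
end

# Verify that the exemption entry is gone from the profile.
show firewall ssl-ssh-profile custom-deep-inspection

# Assumed check: after a user browses to a *.microsoft.com site through the
# explicit proxy, the user should now appear as authenticated in policy 2.
diagnose wad user list
```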