GWFortinet (Staff)
April 29, 2025

Technical Tip: SSL/TLS deep inspection is required for session-based authentication

Description
This article describes the settings required to configure session-based authentication.

Scope
FortiGate v7.0+.

Solution

By default, FortiGate uses IP-based authentication when SAML authentication is configured in a proxy policy.

In certain scenarios (such as end users accessing from a VDI environment), session-based authentication is required. It is achieved by disabling IP-based authentication and enabling web-auth-cookie in the authentication rule:

    config authentication rule
        edit "x"
            set ip-based disable
            set web-auth-cookie enable
        next
    end

SSL/TLS deep inspection allows FortiGate to inspect the content of HTTPS traffic. Because the authentication cookie travels inside the HTTPS session, every policy that relies on an authentication rule based on web-auth-cookie needs SSL/TLS deep inspection enabled.

When using SAML authentication with FortiGate running as a proxy (either explicit web proxy or transparent web proxy), the following settings need to be applied in addition to the configuration used for IP-based authentication.

  1. Explicit web proxy: apply deep inspection in the proxy policy.

    config firewall proxy-policy
        edit 0
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set service "webproxy"
            set action accept
            set schedule "always"
            set logtraffic all
            set groups "SAML"
            set ssl-ssh-profile "custom-deep-inspection"   <---
        next
    end

  2. Transparent web proxy: apply deep inspection in the firewall policy.

    config firewall policy
        edit 0
            set srcintf "port1"
            set dstintf "port2"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set http-policy-redirect enable
            set ssl-ssh-profile "custom-deep-inspection"   <---
            set nat enable
        next
    end
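To check a configuration backup for the requirement above (web-auth-cookie rules only work when the policy that carries the authenticated traffic decrypts it), here is an added audit script; it is not part of the original article or any Fortinet tool. It assumes a flat "config / edit / set" text export, treats the built-in profile names "certificate-inspection" and "no-inspection" as non-decrypting (an assumption), and uses a constructed sample config rather than a real device dump.

```python
# Constructed FortiOS config fragment in the style of the article (not a real device dump)
SAMPLE_CONFIG = """
config authentication rule
    edit "saml-session"
        set web-auth-cookie enable
    next
end
config firewall proxy-policy
    edit 2
        set proxy explicit-web
        set groups "SAML"
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 3
        set proxy explicit-web
        set groups "SAML"
    next
end
"""

def parse_tables(text):
    # Flat FortiOS "config X / edit Y / set K V" text -> {table: {id: {key: value}}}; nested blocks not handled
    tables, table, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return tables

# Policies that carry cookie-authenticated traffic: the article's explicit (1) and transparent (2) cases
CARRIES_AUTH = {
    "firewall proxy-policy": lambda p: p.get("proxy") == "explicit-web" and ("groups" in p or "users" in p),
    "firewall policy": lambda p: p.get("http-policy-redirect") == "enable",
}
# Assumed: built-in profile names that leave TLS encrypted, plus None for no profile set at all
NON_DECRYPTING = {"certificate-inspection", "no-inspection", None}

def find_cookie_auth_gaps(config_text):
    """Return (table, id, profile) for each policy that needs deep inspection but does not apply it."""
    tables = parse_tables(config_text)
    rules = tables.get("authentication rule", {}).values()
    if not any(r.get("web-auth-cookie") == "enable" for r in rules):
        return []  # no rule relies on the cookie, so there is nothing to enforce
    return [(table, pid, pol.get("ssl-ssh-profile"))
            for table, carries in CARRIES_AUTH.items()
            for pid, pol in tables.get(table, {}).items()
            if carries(pol) and pol.get("ssl-ssh-profile") in NON_DECRYPTING]
```

Run `find_cookie_auth_gaps()` over the text of a full backup; each tuple returned names a policy that still needs a deep-inspection ssl-ssh-profile.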

A successful session-based authentication with SAML looks like the following in the WAD user list (note that auth_type shows Session):

    fw # diagnose wad user list
    ID: 5, VDOM: root, IPv4: 172.16.10.10
      user name   : user1
      worker      : 0
      duration    : 26
      auth_type   : Session
      auth_method : SAML
      pol_id      : 2
      g_id        : 2
      user_based  : 0
      expire      : no
      LAN:
        bytes_in=20289 bytes_out=89310
      WAN:
        bytes_in=78369 bytes_out=13579