Technical Tip: ZTNA proxy with SAML authentication for RDP does not work consistently with set wad-restart-mode time configuration
Description: This article describes an issue, still under investigation, that causes inconsistent behavior of ZTNA proxy access using SAML authentication for RDP when a wad-restart-mode of time is configured.

Scope: FortiOS v7.4.x.

Solution:

The issue occurs if a wad-restart-mode is configured, for example a scheduled (time-based) restart:

```
config sys global
    set wad-restart-end-time 02:00
    set wad-restart-mode time
    set wad-restart-start-time 01:00
end
```

or a memory-threshold restart:

```
config system global
    set wad-restart-mode memory
end
```

These restarts affect WAD worker processes only; see the article Technical Tip: Automatically restart WAD worker processes.

Restarting a worker removes that worker's SAML context, which disrupts SAML-related ZTNA functionality until all WAD processes are manually restarted with 'diagnose test application wad 99'.

Workaround: Once the issue occurs, it can be cleared by restarting all WAD processes (not just the WAD workers). See the article Technical Tip: How to restart the WAD process.

```
diagnose test application wad 2000
diagnose test application wad 99
```

The issue can be prevented by setting wad-restart-mode to none:

```
config sys global
    set wad-restart-mode none
end
```

There are alternative methods to restart WAD processes to mitigate suspected memory leaks. See the article Technical Tip: How to restart WAD process on a specific day and time using an automation stitch.
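As an added example (not configuration from this article or the referenced one), the following moves the scheduled restart out of wad-restart-mode and into an automation stitch that runs the two workaround commands, so that every WAD process is restarted together instead of workers only. The trigger, action and stitch names are assumed; the stitch syntax (including %0a as the line separator inside the script string) is written as understood for FortiOS 7.4 and should be checked against the CLI reference for the version in use.

```text
config system global
    set wad-restart-mode none
end
config system automation-trigger
    edit "ztna-wad-full-restart-trigger"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 1
        set trigger-minute 0
    next
end
config system automation-action
    edit "ztna-wad-full-restart-action"
        set action-type cli-script
        set script "diagnose test application wad 2000%0adiagnose test application wad 99"
        set accprofile "super_admin"
    next
end
config system automation-stitch
    edit "ztna-wad-full-restart"
        set status enable
        set trigger "ztna-wad-full-restart-trigger"
        config actions
            edit 1
                set action "ztna-wad-full-restart-action"
                set required enable
            next
        end
    next
end
```

The first block removes the worker-only restart that triggers the issue; the stitch then performs a full WAD restart at 01:00 daily, which briefly interrupts proxied sessions at that time, so schedule it within a maintenance window.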
Resolution: This issue is tracked under Issue ID# 1254981 and is scheduled for resolution in the upcoming FortiOS v7.6.7 and v8.0.0.

Related document: ZTNA application gateway with SAML and MFA using FortiAuthenticator example