akanibek
Staff
February 25, 2026

Troubleshooting Tip: FortiGate - Local-in policy does not show auth-ike-saml-port in the GUI

Description

This article describes behavior seen on FortiOS 7.4.11 GA, where the Local-in Policy page in the GUI does not list every interface on which the 'auth-ike-saml-port' is open.

Scope

FortiOS 7.4.11 GA.
Solution

There may be cases where a FortiGate needs two interfaces listening on the 'auth-ike-saml-port' (for example, two WAN-facing interfaces that each reference the same SAML server under 'ike-saml-server'). In that case both interfaces should appear in the Local-in policy with the action accept. Note that the SAML entity ID carries the same custom port. See the configuration snippet:

config system global
    set admin-sport 4443
    set admintimeout 480
    set auth-ike-saml-port 10428    <----- Custom port for SAML authentication of IKE (IPsec) clients.
end

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.5.14.2 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set alias "VL3"
        set ike-saml-server "azure"    <----- First interface bound to the SAML server.
        set lldp-reception enable
        set role wan
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 10.10.205.2 255.255.255.0
        set allowaccess ping ssh
        set type physical
        set alias "WAN"
        set ike-saml-server "azure"    <----- Second interface bound to the same SAML server.
        set lldp-reception enable
        set role wan
        set snmp-index 2
    next
end

config user saml
    edit "azure"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.lab.com:10428/remote/saml/metadata"    <----- Same port as auth-ike-saml-port.
    next
end

 

However, the GUI of 7.4.11 GA lists only one of the two interfaces for this port. See the attached screenshot:

 

local-in_one_port.png

 

The GUI has an issue listing all configured interfaces in the Local-in policy, but this is a display problem only: the port is open and the FortiGate is listening on both interfaces. Verify it from the CLI with the following command, which dumps the kernel's local-in (iprope) table and filters on the configured port:

 

mu-fgt03 # diagnose firewall iprope list | grep -i 10428 -A5 -B14
Policy Group 0010000e
policy index=4294967295 uuid_idx=5 action=accept
flag (1): log
schedule()
cos_fwd=0  cos_rev=0
group=0010000e av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(5): 3 4 10 11 21 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(3): 10.5.14.2-10.5.14.2, uuid_idx=0, 10.10.205.2-10.10.205.2, uuid_idx=0,  <----- Interface IPs.
service(1):
        [6:0x4:10500/(0,65535)->(10428,10428)] flags:4 helper:auto <----- auth-ike-saml-port.
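The check above is done by eye: read the configured port from 'config system global', find the interfaces that set 'ike-saml-server', and confirm each interface IP appears under dest(...) of an accept entry whose service tuple covers that port. The script below automates that comparison. It is an added example for this article, not Fortinet code and not part of the original page; it assumes the text layouts shown above (the '[proto:...->(lo,hi)]' service tuple, where protocol 6 is TCP), and the three sample inputs are constructed from the article's snippets, with a hypothetical 'port3' that has no SAML server added to show that such interfaces are ignored.

```python
"""Cross-check the FortiGate kernel local-in table against the interface config.

Added example (not Fortinet code). It parses a 'config system interface'
snippet for every interface that references an ike-saml-server, reads
auth-ike-saml-port from 'config system global', and checks that each of
those interface IPs is a destination of an accept entry for that TCP port
in 'diagnose firewall iprope list' output. Sample inputs are constructed
from the article's snippets; port3 is a hypothetical non-SAML interface.
"""
import ipaddress
import re

GLOBAL_CONFIG = """\
config system global
    set auth-ike-saml-port 10428
end
"""

INTERFACE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.5.14.2 255.255.255.0
        set ike-saml-server "azure"
    next
    edit "port2"
        set vdom "root"
        set ip 10.10.205.2 255.255.255.0
        set ike-saml-server "azure"
    next
    edit "port3"
        set vdom "root"
        set ip 192.0.2.2 255.255.255.0
    next
end
"""

# Constructed from the article's 'diagnose firewall iprope list' output.
IPROPE_OUTPUT = """\
Policy Group 0010000e
policy index=4294967295 uuid_idx=5 action=accept
flag (1): log
zone(5): 3 4 10 11 21 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(3): 10.5.14.2-10.5.14.2, uuid_idx=0, 10.10.205.2-10.10.205.2, uuid_idx=0,
service(1):
        [6:0x4:10500/(0,65535)->(10428,10428)] flags:4 helper:auto
"""


def saml_interfaces(config_text):
    """Map interface name -> IPv4 address for interfaces that set ike-saml-server."""
    found = {}
    for m in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', config_text, re.S):
        name, body = m.group(1), m.group(2)
        ip = re.search(r'^\s*set ip (\d+\.\d+\.\d+\.\d+) ', body, re.M)
        if re.search(r'^\s*set ike-saml-server ', body, re.M) and ip:
            found[name] = ip.group(1)
    return found


def configured_saml_port(global_text):
    """Read auth-ike-saml-port from a 'config system global' snippet (no default assumed)."""
    m = re.search(r'^\s*set auth-ike-saml-port (\d+)', global_text, re.M)
    if not m:
        raise ValueError("auth-ike-saml-port is not set in this snippet")
    return int(m.group(1))


def iprope_entries(diag_text):
    """Split iprope output into per-policy records: action, dest IP ranges, services.

    A service is (protocol, dst_port_lo, dst_port_hi) taken from the
    '[proto:...:.../(src_lo,src_hi)->(dst_lo,dst_hi)]' tuple."""
    entries = []
    for chunk in re.split(r'(?m)^(?=policy index=)', diag_text):
        head = re.match(r'policy index=(\d+).*?action=(\w+)', chunk)
        if not head:
            continue  # leading 'Policy Group' line or unrelated text
        dest_line = re.search(r'(?m)^dest\(\d+\):(.*)$', chunk)
        dests = (re.findall(r'(\d+(?:\.\d+){3})-(\d+(?:\.\d+){3})', dest_line.group(1))
                 if dest_line else [])
        services = [(int(p), int(lo), int(hi)) for p, lo, hi in
                    re.findall(r'\[(\d+):[^/\]]*/\([^)]*\)->\((\d+),(\d+)\)\]', chunk)]
        entries.append({"index": int(head.group(1)), "action": head.group(2),
                        "dests": dests, "services": services})
    return entries


def accept_ranges_for(diag_text, port, proto=6):
    """Destination ranges of accept entries whose service covers proto/port (6 = TCP)."""
    ranges = []
    for e in iprope_entries(diag_text):
        if e["action"] == "accept" and any(
                p == proto and lo <= port <= hi for p, lo, hi in e["services"]):
            ranges.extend(e["dests"])
    return ranges


def _covered(ip, ranges):
    a = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi) for lo, hi in ranges)


def check_saml_listeners(interface_text, global_text, diag_text):
    """Return {interface: True/False}: True when the kernel local-in table accepts
    the configured SAML IKE port on that interface's IP, whatever the GUI lists."""
    port = configured_saml_port(global_text)
    ranges = accept_ranges_for(diag_text, port)
    return {name: _covered(ip, ranges)
            for name, ip in saml_interfaces(interface_text).items()}


if __name__ == "__main__":
    for name, ok in check_saml_listeners(INTERFACE_CONFIG, GLOBAL_CONFIG, IPROPE_OUTPUT).items():
        print(f"{name}: {'listening' if ok else 'NOT in a local-in accept entry'}")
```

On a real unit, paste the output of 'show system global', 'show system interface' and the unfiltered 'diagnose firewall iprope list' into the three strings (or read them from files); an interface that comes back False is the one to investigate, whereas a False GUI listing with a True result here is the display issue this article describes.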

 

For further reading, see Technical Tip: FortiGate SAML authentication resource list. It is a comprehensive list of resources on SAML authentication as applied to the various FortiGate features.

 

Related document:

Local-in policy