FortiGate SSO Issue: Users Marked as “Orange” After Network Changes
I am facing an issue where some users in the FortiGate firewall appear with an “orange” status instead of the normal connected (blue) state.
When this happens, the affected users experience restricted access, and some applications or websites are blocked.
Our environment is integrated with Active Directory (AD) using single sign-on (SSO) authentication. The issue seems to occur especially when users switch between different network connections, such as Wi-Fi, wired (LAN), or VPN. In these cases, the user's IP address changes, and the FortiGate appears unable to properly recognize or maintain the authentication session.
We have already attempted the following troubleshooting steps:
- Removed the user from the domain and rejoined
- Reinstalled the FortiGate certificate
However, the issue persists.
Interestingly, when the user connects via a wired network, the status returns to normal (blue), and access is restored.
It appears that during network transitions, the user session becomes inconsistent, causing the FortiGate to mark the user as “orange” and apply restricted policies.
Has anyone experienced this issue before? What could be causing it, and what would be the best approach to resolve it?