Jin-Gyu
Explorer
August 14, 2025
Solved

Get okta authentication when approaching server past Fortigate

  • August 14, 2025
  • 2 replies
  • 745 views

Hi

I'm asking because I have a question about Okta authentication on the FortiGate.

 

Diagram is

(diagram image: 스크린샷 2025-08-14 162147.png)

 

Scenario

When users on the INT side access SRV, they must pass Okta authentication before they can access it.

 

Policy

1. INT > SRV
   S: SSO, User IP
   D: Server IP

2. INT > EXT
   S: User IP
   D: ALL

 

This way, I can access the server after being authenticated.

 

However, ALL is not allowed as the destination.
So I set the Okta FQDN and trial.* as the destinations, but the authentication screen doesn't show up.

 

Do you know how to set the destination for Okta authentication?

 

Also, I would like to know the traffic flow of the Okta authentication when users access the server.

 

Thank you.


Best answer by ozkanaltas

Hello @Jin-Gyu ,

 

If I understand correctly, you want to give limited access to the external side, and this access should only be to Okta services. If so, you can allow these FQDNs in the policy for client access to Okta services.

 

  • *.okta.com
  • *.mtls.okta.com
  • *.oktapreview.com
  • *.mtls.oktapreview.com
  • *.oktacdn.com
  • *.okta-emea.com
  • *.mtls.okta-emea.com
  • *.kerberos.okta.com
  • *.kerberos.okta-emea.com
  • *.kerberos.oktapreview.com
  • *.okta-gov.com
  • *.mtls.okta-gov.com
  • *.okta.mil
  • *.mtls.okta.mil
  • *.awsglobalaccelerator.com
  • okta-featureflag-edge.azureedge.net
  • ocsp.digicert.com
  • crl3.digicert.com
  • crl4.digicert.com

 

 

https://help.okta.com/en-us/content/topics/security/ip-address-allow-listing.htm 
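A FortiOS CLI sketch of the two policies from the question, with the answer's allow-list expressed as wildcard FQDN objects instead of "ALL" (an added example, not configuration from the thread or from Fortinet; the interface names "internal", "dmz" and "wan1", the address object "SRV" and the SAML user group "okta-sso" are assumptions, and the syntax is that of recent FortiOS releases):

```text
# Added example, not from the thread or Fortinet documentation. Assumes the
# interface names "internal" (INT), "dmz" (SRV) and "wan1" (EXT), an existing
# address object "SRV" and a SAML user group "okta-sso" bound to the Okta IdP.
config firewall wildcard-fqdn custom
    edit "okta-wc"
        set wildcard-fqdn "*.okta.com"
    next
    edit "oktacdn-wc"
        set wildcard-fqdn "*.oktacdn.com"
    next
    # one entry per remaining wildcard name from the allow-list above
end
config firewall wildcard-fqdn group
    edit "okta-services"
        set member "okta-wc" "oktacdn-wc"
    next
end
config firewall address
    edit "ocsp.digicert.com"
        set type fqdn
        set fqdn "ocsp.digicert.com"
    next
end
config firewall policy
    # Policy 1: INT > SRV only for users authenticated via Okta; the user group triggers the captive portal.
    edit 1
        set name "INT-to-SRV-okta"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "SRV"
        set groups "okta-sso"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # Policy 2: INT > EXT limited to Okta and OCSP instead of "ALL", so an unauthenticated browser can finish the login redirect.
    edit 2
        set name "INT-to-okta-services"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "okta-services" "ocsp.digicert.com"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
```

Wildcard FQDN objects are populated from DNS replies the FortiGate observes, so client DNS lookups must pass through the firewall or the group will match nothing. Policy order also matters: the authenticated INT > SRV policy must sit above any broader INT policy that could match the same flow without requiring a user group.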

2 replies

ozkanaltas
Valued Contributor III
August 14, 2025


Jin-Gyu (Author)
Explorer
August 18, 2025

Thank you for the answer :)

AEK
SuperUser
August 14, 2025

Jin-Gyu (Author)
Explorer
August 18, 2025

Thank you for letting me know the reference document.