Skip to main content
julianhaines
julianhaines
Explorer II
October 23, 2024
Question

Outbound firewall authentication with Microsoft Entra ID as a SAML IdP

  • October 23, 2024
  • 1 reply
  • 1648 views

Good day,

 

I am setting up Outbound firewall authentication with Microsoft Entra ID as a SAML IdP and have a question about the required Firewall Policies and can't find the answer anywhere, I am following this guide https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/33053

 

I the Firewall policy it says to use "All", "Azure-FW-Auth" for the source which means it will apply to all users, is there a way of targeting only certain devices or IP's?

 

I have tried replaying the "All" with Address Lists with a device's IP and or MAC but when I do this the Firewall Policy stops working and I am not sure why as it should.

 

How would I set up to target only certain devices so I can roll out in stages rather then all in one go?

 

Thanks

1 reply

pminarik
Staff
pminarik
Staff
October 23, 2024

Source IPs and source user/groups are separate configuration fields. A packet must match both criteria to match the firewall policy.

If your firewall policy is set for sources "all" (IPs) + "Azure-FW-Auth" (group), this functionally means "any IP with an authenticated member of this group", without any further IP restriction.

You can certainly narrow this down, e.g. to something like "LAN-subnet" (e.g. defined as a relevant /24) + "Azure-FW-Auth", but you need to make sure that this combination makes sense. (don't set the source-address to a subnet where these user's won't be located)

julianhaines
julianhainesAuthor
Explorer II
October 23, 2024

Hi, thanks for the information, I have tried with an Address IP range of 10.0.6.159-10.0.6.159 but this does not work, I have confirmed this is the device's IP. 

pminarik
Staff
pminarik
Staff
October 23, 2024

Time to run debug flow to check what happens!

 

Identify some easy test target that nobody else will be trying to communicate with (to reduce noise in debugs; e.g. http://www.example.com), then setup debug flow for it:

 

diag debug flow filter port 80

diag debug flow filter addr  93.184.215.14 # www.example.com
diag debug enable
diag debug flow trace start 10

=> try accessing it from the test client device, do this for both test-cases (src-addr "all", and when set to something specific)

 

Then see what's matched.

Terms & ConditionsAccessibility statement