FortiGate
dkoprusak
Staff
Article Id 427031


Description

This article describes a side effect of the feature 'Support CORS protocol in explicit web proxy when using session-based, cookie-enabled, and captive portal-enabled SAML authentication', introduced in FortiOS v7.0.6 and v7.2.1.


With this feature, the explicit web proxy exempts CORS preflight requests (HTTP OPTIONS requests carrying an Origin header) from SAML authentication, because a browser never sends cookies or credentials on a preflight and the proxy therefore has no session to tie it to. As a result, the preflight can appear in the traffic logs as accepted by an unexpected proxy policy with no authenticated user information. That policy is simply the first one whose source address, destination address and service match the request; the user and group criteria of the policies are not evaluated for it.


When troubleshooting the communication with the following WAD debug commands:


diagnose debug reset
diagnose debug console timestamp enable
diagnose wad debug enable category policy
diagnose wad debug enable category auth
diagnose wad debug enable level verbose
diagnose debug enable


The output contains lines like the following. 'user_found=0' together with 'Bypass preflight request.' shows that the request was exempted from authentication, and the 'match policy-id=' line shows which policy it then matched:


[V]2025-01-13 14:10:45.729232 [p:274][s:1755009540][r:4497] wad_http_parse_auth_cookie :1306 cookie_parsed=0 strip=1 pid=274
[I]2025-01-13 14:10:45.729267 [p:274][s:1755009540][r:4497] wad_http_req_get_user :11977 cookie_redir=0/0 user_found=0
[V]2025-01-13 14:10:45.729284 [p:274][s:1755009540][r:4497] wad_hauth_is_auth_id_request :1977 called
[I]2025-01-13 14:10:45.729299 [p:274][s:1755009540][r:4497] wad_http_req_get_user :11995 Bypass preflight request.
[I]2025-01-13 14:10:45.729314 [p:274][s:1755009540][r:4497] wad_fw_policy_async_match :6262 pol_ctx:xhf|Acd|7|=d
[I]2025-01-13 14:10:45.729330 [p:274][s:1755009540][r:4497] wad_http_req_policy_set :10791 match policy-id=<unexpected policy ID>(pol_ctx:xhf|Acd|7|=d) vd=0(ses_ctx:cx|Ph|Mde|Hte|C|A1|Og) (x.x.x.x:pppp@10 -> y.y.y.y:443@11)
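When the WAD debug is left running on a busy proxy, picking the preflight bypasses out of the output by hand is tedious. The following script is an added example, not part of the original article or of FortiOS: it groups the debug lines by request id ([r:NNNN]), records whether a user was found, whether the 'Bypass preflight request.' branch was taken and which policy was matched, and then reports preflights that landed on a policy other than the one you expect them to hit. The sample input is constructed from the lines above with the placeholders filled in (policy id 7, RFC 5737 addresses) plus a second, normally authenticated request; the line format is taken from the output shown above and may differ on other FortiOS builds.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, not a real capture: the article's lines with placeholders
# filled in (policy-id 7, RFC 5737 addresses) plus a second request (r:4498)
# that authenticated normally and matched policy 3.
SAMPLE_DEBUG = """\
[V]2025-01-13 14:10:45.729232 [p:274][s:1755009540][r:4497] wad_http_parse_auth_cookie :1306 cookie_parsed=0 strip=1 pid=274
[I]2025-01-13 14:10:45.729267 [p:274][s:1755009540][r:4497] wad_http_req_get_user :11977 cookie_redir=0/0 user_found=0
[V]2025-01-13 14:10:45.729284 [p:274][s:1755009540][r:4497] wad_hauth_is_auth_id_request :1977 called
[I]2025-01-13 14:10:45.729299 [p:274][s:1755009540][r:4497] wad_http_req_get_user :11995 Bypass preflight request.
[I]2025-01-13 14:10:45.729314 [p:274][s:1755009540][r:4497] wad_fw_policy_async_match :6262 pol_ctx:xhf|Acd|7|=d
[I]2025-01-13 14:10:45.729330 [p:274][s:1755009540][r:4497] wad_http_req_policy_set :10791 match policy-id=7(pol_ctx:xhf|Acd|7|=d) vd=0(ses_ctx:cx|Ph|Mde|Hte|C|A1|Og) (192.0.2.10:51234@10 -> 198.51.100.20:443@11)
[I]2025-01-13 14:10:46.101000 [p:274][s:1755009540][r:4498] wad_http_req_get_user :11977 cookie_redir=0/0 user_found=1
[I]2025-01-13 14:10:46.101200 [p:274][s:1755009540][r:4498] wad_http_req_policy_set :10791 match policy-id=3(pol_ctx:xhf|Acd|3|=d) vd=0(ses_ctx:cx|Ph|Mde|Hte|C|A1|Og) (192.0.2.10:51235@10 -> 198.51.100.20:443@11)
"""

# One WAD debug line: level, timestamp, process/session/request ids, function, source line, message.
LINE_RE = re.compile(
    r"^\[(?P<lvl>[A-Z])\](?P<ts>\S+ \S+) "
    r"\[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\]\[r:(?P<rid>\d+)\] "
    r"(?P<func>\w+) :(?P<lineno>\d+) (?P<msg>.*)$"
)
USER_RE = re.compile(r"user_found=(\d)")
# "match policy-id=7(...) vd=0(...) (src:sport@idx -> dst:dport@idx)"
POLICY_RE = re.compile(
    r"match policy-id=(?P<pid>\d+).*?"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)@\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)@\d+\)"
)


@dataclass
class RequestTrace:
    """What the debug output tells us about one proxied HTTP request."""
    rid: str
    user_found: Optional[bool] = None   # None if no wad_http_req_get_user line was seen
    preflight_bypass: bool = False      # 'Bypass preflight request.' branch taken
    policy_id: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None


def parse_wad_debug(text: str) -> Dict[str, RequestTrace]:
    """Group debug lines by request id and extract the auth and policy facts."""
    traces: Dict[str, RequestTrace] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or truncated line
        trace = traces.setdefault(m["rid"], RequestTrace(rid=m["rid"]))
        msg = m["msg"]
        um = USER_RE.search(msg)
        if um:
            trace.user_found = um.group(1) == "1"
        if "Bypass preflight request" in msg:
            trace.preflight_bypass = True
        pm = POLICY_RE.search(msg)
        if pm:
            trace.policy_id = int(pm["pid"])
            trace.src, trace.dst, trace.dport = pm["src"], pm["dst"], int(pm["dport"])
    return traces


def unauthenticated_preflight_matches(traces: Dict[str, RequestTrace],
                                      expected_policy_id: int) -> List[RequestTrace]:
    """Preflights that bypassed authentication and hit a policy other than the
    dedicated preflight policy (expected_policy_id). A non-empty result means
    the preflight policy is missing, misconfigured or not ordered first."""
    return [t for t in traces.values()
            if t.preflight_bypass and not t.user_found and t.policy_id != expected_policy_id]


if __name__ == "__main__":
    traces = parse_wad_debug(SAMPLE_DEBUG)
    for t in unauthenticated_preflight_matches(traces, expected_policy_id=1):
        print(f"request {t.rid}: unauthenticated preflight {t.src} -> {t.dst}:{t.dport} "
              f"matched policy-id {t.policy_id}")
```

Run it against a saved debug capture by replacing SAMPLE_DEBUG with the file contents and passing the id of your preflight policy as expected_policy_id; an empty result after the policy from the Solution section is in place confirms that preflights are landing where intended.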

Scope

FortiGate, explicit proxy with SAML authentication.
Solution

To control this traffic, create a proxy address object that matches CORS preflight requests (HTTP method OPTIONS with an Origin header) and use it as the source address of a dedicated proxy policy:


config firewall proxy-address
    edit "http-cors-preflight"
        set type src-advanced
        set host "all"
        set method options
            config header-group
                edit 1
                    set header-name "Origin"
                    set header ".*"
                next
            end
    next
end


config firewall proxy-policy
    edit <policy ID>
        set proxy explicit-web
        set dstintf "<WAN interface>"
        set srcaddr "http-cors-preflight"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end


Place this policy above the SAML-authenticated proxy policies, so that a preflight matches it instead of falling through to the first policy that happens to match its source, destination and service. Note that this policy has no user or group criteria: it accepts any OPTIONS request carrying an Origin header from the matching sources, so keep its dstaddr as narrow as the CORS-using applications allow and leave logging enabled so that preflights remain visible in the traffic logs.
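To verify the policy order without waiting for a browser to trigger it, it helps to send a preflight through the proxy yourself and to know exactly what the address object above will and will not match. The script below is an added example, not part of the original article or of FortiOS: build_preflight() constructs the OPTIONS request a browser sends before a cross-origin call, in the absolute-URL form an explicit proxy expects, and matches_preflight_address() models the two criteria of the http-cors-preflight object (method OPTIONS, Origin header matching ".*"). The model is derived from the configuration shown above, not from how WAD implements the bypass internally. It covers http:// targets only; an https:// target reaches the proxy inside a CONNECT tunnel and is only visible to the proxy with SSL deep inspection, which is outside this example. The proxy address, port and URLs are placeholders; send_via_proxy() needs network access and is not exercised by the checks.

```python
import re
import socket
from typing import Dict, Tuple

# Regex of the address object's header-group entry ('set header ".*"').
ORIGIN_RE = re.compile(".*")


def build_preflight(target_url: str, origin: str, request_method: str = "GET",
                    request_headers: Tuple[str, ...] = ("authorization",)) -> bytes:
    """Build the CORS preflight a browser sends before a cross-origin request.
    The request line carries the absolute URL because an explicit web proxy is
    the next hop. No Cookie header is added: browsers never send credentials on
    a preflight, which is why the proxy cannot tie it to a SAML session."""
    m = re.match(r"^http://([^/]+)(/.*)?$", target_url)
    if not m:
        raise ValueError(f"only http:// targets are supported here: {target_url}")
    host = m.group(1)
    lines = [
        f"OPTIONS {target_url} HTTP/1.1",
        f"Host: {host}",
        f"Origin: {origin}",
        f"Access-Control-Request-Method: {request_method}",
        f"Access-Control-Request-Headers: {', '.join(request_headers)}",
        "Content-Length: 0",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, target, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def matches_preflight_address(raw: bytes) -> bool:
    """Model of the http-cors-preflight proxy-address: method OPTIONS and an
    Origin header whose value matches ORIGIN_RE. A GET/POST carrying Origin
    (the actual cross-origin request) does not match and stays subject to the
    authenticated policies."""
    method, _target, headers = parse_request_head(raw)
    return (method == "OPTIONS" and "origin" in headers
            and ORIGIN_RE.match(headers["origin"]) is not None)


def send_via_proxy(proxy_host: str, proxy_port: int, raw: bytes, timeout: float = 5.0) -> str:
    """Send a raw request to the explicit proxy and return the response status line.
    Check the traffic log afterwards: the preflight should show the dedicated policy."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(raw)
        reply = b""
        while b"\r\n" not in reply:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply.split(b"\r\n", 1)[0].decode("latin-1", "replace")


if __name__ == "__main__":
    # Placeholder proxy and URLs; replace with your FortiGate explicit proxy address.
    req = build_preflight("http://app.example.com/api/data", "http://portal.example.com",
                          request_method="PUT", request_headers=("authorization", "content-type"))
    print(req.decode())
    print("matches address object:", matches_preflight_address(req))
    # print(send_via_proxy("192.0.2.1", 8080, req))
```

The two negative cases worth keeping in mind when reading the traffic log: an OPTIONS request without an Origin header is not a CORS preflight and does not match the object, and the real cross-origin GET or POST that follows a preflight carries an Origin header but, not being OPTIONS, is still evaluated against the authenticated policies.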


Related document:

Support CORS protocol in explicit web proxy when using session-based, cookie-enabled, and captive po...