FortiGate
GW
Staff
Article Id 388166
Description This article describes what settings are required to configure session-based authentication.
Scope FortiGate v7.0+.
Solution

By default, FortiGate uses IP-based authentication when SAML authentication is configured in a proxy policy: once a user authenticates, every request from that source IP address is treated as that user.

In certain scenarios (for example, end users accessing from a VDI environment, where many users share a single source IP address), session-based authentication is required instead. It is enabled by disabling ip-based and enabling web-auth-cookie in the authentication rule:

config authentication rule
    edit "x"
        set ip-based disable
        set web-auth-cookie enable
    next
end

SSL/TLS deep inspection allows FortiGate to decrypt and inspect HTTPS traffic. Every authentication rule that relies on web-auth-cookie must have SSL/TLS deep inspection enabled, because the authentication cookie is carried inside the HTTPS request and cannot be read without decrypting it.

When leveraging SAML authentication with FortiGate running as a proxy (both explicit web proxy and transparent web proxy), in addition to the configuration for the IP-based authentication, the following settings need to be applied.

  1. Explicit web proxy: apply deep inspection in the proxy policy.

config firewall proxy-policy
    edit 0
        set proxy explicit-web
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "SAML"
        set ssl-ssh-profile "custom-deep-inspection" <---
    next
end

  2. Transparent web proxy: apply deep inspection in the firewall policy:

config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set http-policy-redirect enable
        set ssl-ssh-profile "custom-deep-inspection" <---
        set nat enable
    next
end

A successful session-based SAML authentication shows auth_type Session (rather than IP) in the output of diagnose wad user list:

fw # diagnose wad user list

ID: 5, VDOM: root, IPv4: 172.16.10.10
  user name   : user1
  worker      : 0
  duration    : 26
  auth_type   : Session
  auth_method : SAML
  pol_id      : 2
  g_id        : 2
  user_based  : 0
  expire      : no
  LAN:
    bytes_in=20289 bytes_out=89310
  WAN:
    bytes_in=78369 bytes_out=13579
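As an added verification aid (not part of the article), the following Python script parses diagnose wad user list output in the format shown above and reports SAML users whose auth_type is not Session; the sample text is constructed from the article's record plus a hypothetical IP-based entry so the check has something to flag.

```python
import re

# Constructed sample output modelled on the article's example. The first
# record is the expected session-based SAML user; the second is a
# hypothetical IP-based user that a web-auth-cookie rule should not produce.
SAMPLE_OUTPUT = """\
ID: 5, VDOM: root, IPv4: 172.16.10.10
  user name   : user1
  worker      : 0
  duration    : 26
  auth_type   : Session
  auth_method : SAML
  pol_id      : 2
  g_id        : 2
  user_based  : 0
  expire      : no
  LAN:
    bytes_in=20289 bytes_out=89310
  WAN:
    bytes_in=78369 bytes_out=13579
ID: 6, VDOM: root, IPv4: 172.16.10.10
  user name   : user2
  auth_type   : IP
  auth_method : SAML
  pol_id      : 2
"""

HEADER_RE = re.compile(r"^ID: (\d+), VDOM: (\S+), IPv4: (\S+)$")
FIELD_RE = re.compile(r"^\s+(\w[\w ]*?)\s*:\s*(\S.*)$")  # "  key : value" lines


def parse_wad_users(text):
    """Return one dict per record: header fields plus every 'key : value' line."""
    users = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # start of a new user record
            users.append({"id": int(m.group(1)), "vdom": m.group(2), "ip": m.group(3)})
            continue
        m = FIELD_RE.match(line)
        if m and users:  # "LAN:" / "WAN:" and byte counters do not match and are skipped
            users[-1][m.group(1).strip().replace(" ", "_")] = m.group(2).strip()
    return users


def ip_based_saml_users(text):
    """Names of SAML users not authenticated per session (shared by everyone behind their IP)."""
    return [u["user_name"] for u in parse_wad_users(text)
            if u.get("auth_method") == "SAML" and u.get("auth_type") != "Session"]
```

Feed it the real output (for example, pasted into a file) to confirm that every user matched by a web-auth-cookie rule appears with auth_type Session.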