FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
summer1
Staff
Article Id 416452
Description

This article describes the limitations of tenant restrictions enforced on custom applications under inline-casb.

Scope

FortiGate v7.6.3 or above.

Tenant restriction enforced on custom applications via the inline-CASB security profile.

 

Consider the scenario where it is required to restrict login attempts with personal email accounts on a particular site or sites, while still allowing corporate email accounts.

For illustration, only permit the '@fortinet.com' domain on https://github.com/login and prevent logins with any other domain on the same site.

 

[Image: allow-ftnt.png]

[Image: block.jpg]

[Image: Screenshot_1.jpg]

 

Regardless of the above configuration, end users are still able to log in to github.com with their personal accounts, which is not the expected result.

[Image: Screenshot_2.jpg]

Solution

At the time this article was written, inline-CASB custom-application tenant filtering is limited to sites whose login requests use application/json as their content type.
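The limitation can be modelled in a few lines. The following Python is an added example, not Fortinet code, and it implements only what the article states: a login body is inspected for its tenant only when the media type is application/json, a jq-style dotted path (the hypothetical '.login.email' filter used here) selects the login field, and any other content type leaves the tenant unextracted, which is the condition behind a tenantmatch="missed" event. The sample bodies, the allowed tenant set and the result labels are constructed for the example.

```python
import json
from urllib.parse import parse_qs

# Constructed for this example: the corporate tenant the policy should allow.
ALLOWED_TENANTS = {"fortinet.com"}

# Result labels are this example's own; the only FortiOS value shown in the
# article is tenantmatch="missed", which corresponds to NOT_EXTRACTED here.
NOT_EXTRACTED = "tenant-not-extracted"
ALLOWED = "allowed"
DENIED = "denied"


def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def json_path_lookup(body, path):
    """Follow a simple dotted path (a jq-style filter such as '.login.email')
    into a JSON document. Returns None if the body is not JSON or a key is missing."""
    try:
        node = json.loads(body)
    except ValueError:
        return None
    for key in path.strip(".").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def extract_tenant(content_type, body, json_path):
    """Return the e-mail domain used in a login request, or None.

    Only application/json bodies are inspected, mirroring the article: a
    form-urlencoded body is never decoded, so no tenant can be extracted.
    """
    if media_type(content_type) != "application/json":
        return None
    login = json_path_lookup(body, json_path)
    if not login or "@" not in login:
        return None
    return login.rsplit("@", 1)[1].lower()


def evaluate_login(content_type, body, json_path, allowed=ALLOWED_TENANTS):
    """Classify a login attempt the way a tenant restriction would."""
    tenant = extract_tenant(content_type, body, json_path)
    if tenant is None:
        return NOT_EXTRACTED  # request passes through with no tenant check
    return ALLOWED if tenant in allowed else DENIED


def form_body_is_decodable(body):
    """The bypassed body is ordinary form data: the standard library parses it
    without difficulty. The limitation is in what the inline-CASB body decoder
    supports, not in the data itself."""
    return "login" in parse_qs(body)


if __name__ == "__main__":
    # Constructed sample bodies, both carrying a personal (non-corporate) address.
    json_body = '{"login": {"email": "alice@example.com"}}'
    form_body = "login=alice%40example.com&password=hunter2"
    print(evaluate_login("application/json; charset=utf-8", json_body, ".login.email"))
    print(evaluate_login("application/x-www-form-urlencoded", form_body, ".login.email"))
    print(form_body_is_decodable(form_body))
```

Running the block shows the same personal address being denied when it arrives as JSON and passing unchecked when it arrives as form data; the second outcome is exactly the github.com/login case described in this article.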

 

Since github.com/login submits its form as application/x-www-form-urlencoded, the tenant check is bypassed. This can be verified in the inline-CASB security event log and in the WAD debug log.

 

Inline CASB security event log:


date=2025-09-17 time=18:34:31 eventtime=1758105271778521246 tz="+0800" logid="2500010002" type="utm" subtype="casb" eventtype="casb" level="information" vd="root" policyid=1 poluuid="90194c30-9237-51f0-6c1e-a6253a277323" policytype="policy" sessionid=751232 srcip=10.72.5.128 dstip=20.205.243.166 srcport=60310 dstport=443 srcintf="port3" srcintfrole="undefined" srcuuid="750b364a-8735-51f0-aabf-8d9c37995b4e" dstintf="port2" dstintfrole="undefined" dstuuid="750b364a-8735-51f0-aabf-8d9c37995b4e" proto=6 url="https://github.com/session" action="monitor" profile="testgit" saasapp="github-ftnt" useractivity="github-ftnt-GitHub-Login-Policy" subaction="monitor" tenantmatch="missed" activitycategory="other" msg="CASB access was monitored because it contained activity.

 

WAD debug log:

diagnose wad debug enable category casb
diagnose wad debug enable level verbose
diagnose deb enable


[I]2025-09-17 19:10:34.999512 [p:23995][s:770654][r:395] wad_casb_prof_ua_proc :1785 app:0x7f4ddd5d5ed8/github-ftnt, ua:0x7f4ddd582940/github-ftnt-GitHub-Login-Policy match:ua-init, tc:ua-init, msg:0x7f4ddd8d8228/req body:(nil)
[V]2025-09-17 19:10:34.999516 [p:23995][s:770654][r:395] wad_casb_str_matcher_simple_match :345 Exact matched: "/session"
[I]2025-09-17 19:10:34.999532 [p:23995][s:770654][r:395] wad_casb_prof_ua_match :1626 Matched! It's cext:0x7f4ddd3ff940
[I]2025-09-17 19:10:34.999535 [p:23995][s:770654][r:395] wad_casb_prof_ua_tc :1711 ua:github-ftnt-GitHub-Login-Policy uae:0x7f4ddb4306f0, cext:0x7f4ddd3ff940, tc_ext:ua-init >>>>>>>>>> custom profile matched
[I]2025-09-17 19:10:34.999537 [p:23995][s:770654][r:395] wad_casb_prof_ua_tc_init :1659 cext procs:B
[I]2025-09-17 19:10:34.999540 [p:23995][s:770654][r:395] wad_http_casb_check_content_type :1373 content type: application/x-www-form-urlencoded not supported 
[I]2025-09-17 19:10:34.999541 [p:23995][s:770654][r:395] wad_casb_prof_check_cext_body :1549 Body is needed, but can not decode.
[I]2025-09-17 19:10:34.999543 [p:23995][s:770654][r:395] wad_casb_prof_ua_tc_init :1689 Can not extract tenant.
[I]2025-09-17 19:10:34.999547 [p:23995][s:770654][r:395] wad_casb_ua_take_action :1314 App:github-ftnt UA:github-ftnt-GitHub-Login-Policy(action monitor) is taking action:monitor
[I]2025-09-17 19:10:34.999549 [p:23995][s:770654][r:395] wad_casb_ua_take_action :1327 App:github-ftnt UA:github-ftnt-GitHub-Login-Policy action_result:prof-done
[I]2025-09-17 19:10:34.999552 [p:23995][s:770654][r:395] wad_http_parse_referer_hline :4486 referer_len 26
[I]2025-09-17 19:10:34.999662 [p:23995][s:770654][r:395] wad_casb_prof_ua_proc :1785 app:0x7f4ddd5d5ed8/github-ftnt, ua:0x7f4ddd580378/github-ftnt-Git-log-policy-login match:ua-init, tc:ua-init, msg:0x7f4ddd8d8228/req body:(nil)
[I]2025-09-17 19:10:34.999666 [p:23995][s:770654][r:395] wad_casb_prof_ua_proc :1795 ua:github-ftnt-Git-log-policy-login not matched.
[I]2025-09-17 19:10:34.999668 [p:23995][s:770654][r:395] wad_casb_prof_apps_proc_continue :1912 App done.
[I]2025-09-17 19:10:34.999669 [p:23995][s:770654][r:395] wad_casb_prof_apps_proc_continue :1928 Check block for next app.
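To find such bypassed logins in bulk rather than by reading the logs by eye, the following Python is an added example (not a Fortinet tool): it parses the FortiOS key=value log format, flags CASB events that carry tenantmatch="missed", and pulls the rejected content type out of the WAD debug output. The embedded sample event is adapted from the article's log line above with some fields trimmed, and the debug lines are the article's with their timestamp prefixes shortened.

```python
import re

# FortiOS log fields are key=value; quoted values may contain spaces. The
# closing quote is optional so that a line whose final quoted field was cut
# off (as in the article's pasted sample) still parses to the end of the line.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"?|(\S+))')

# Adapted from the article's inline-CASB security event log (fields trimmed).
CASB_EVENT = (
    'date=2025-09-17 time=18:34:31 eventtime=1758105271778521246 tz="+0800" '
    'logid="2500010002" type="utm" subtype="casb" eventtype="casb" '
    'level="information" vd="root" policyid=1 policytype="policy" '
    'sessionid=751232 srcip=10.72.5.128 dstip=20.205.243.166 srcport=60310 '
    'dstport=443 proto=6 url="https://github.com/session" action="monitor" '
    'profile="testgit" saasapp="github-ftnt" '
    'useractivity="github-ftnt-GitHub-Login-Policy" subaction="monitor" '
    'tenantmatch="missed" activitycategory="other" '
    'msg="CASB access was monitored because it contained activity."'
)

# The relevant WAD debug lines from the article, timestamp prefixes shortened.
WAD_DEBUG = """\
[I] wad_http_casb_check_content_type :1373 content type: application/x-www-form-urlencoded not supported
[I] wad_casb_prof_check_cext_body :1549 Body is needed, but can not decode.
[I] wad_casb_prof_ua_tc_init :1689 Can not extract tenant.
[I] wad_casb_ua_take_action :1314 App:github-ftnt UA:github-ftnt-GitHub-Login-Policy(action monitor) is taking action:monitor
"""

_CT_RE = re.compile(r"content type: (\S+) not supported")


def parse_fortilog(line):
    """Parse one FortiOS key=value log line into a dict of strings."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def find_tenant_misses(lines):
    """Return the CASB events where no tenant could be determined
    (tenantmatch="missed"), i.e. logins that passed through unchecked."""
    hits = []
    for line in lines:
        ev = parse_fortilog(line)
        if ev.get("subtype") == "casb" and ev.get("tenantmatch") == "missed":
            hits.append({f: ev.get(f) for f in
                         ("srcip", "url", "saasapp", "useractivity", "action")})
    return hits


def unsupported_content_types(debug_lines):
    """From WAD debug output, list the request content types the inline-CASB
    body decoder refused; each one explains a tenantmatch="missed" event."""
    return [m.group(1) for m in (_CT_RE.search(l) for l in debug_lines) if m]


def tenant_extraction_failed(debug_lines):
    """True when the WAD debug output records a failed tenant extraction."""
    return any("Can not extract tenant." in l for l in debug_lines)


if __name__ == "__main__":
    for miss in find_tenant_misses([CASB_EVENT]):
        print("unchecked login:", miss)
    print("refused content types:", unsupported_content_types(WAD_DEBUG.splitlines()))
    print("tenant extraction failed:", tenant_extraction_failed(WAD_DEBUG.splitlines()))
```

Feeding the parser a whole exported CASB log (one event per line) gives a list of every login the tenant restriction silently let through; correlating those URLs with the WAD "not supported" content types tells you which sites the custom application cannot currently police.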

 

Notes:

  • Tenant control on custom applications is only available starting from FortiOS v7.6.3.
  • chesscompass.com/analyze is one site leveraging application/json for login pages. To test the working scenario, ensure appropriate jq filters are applied (ref: JSON JQ filter).
  • Configuring tenant restrictions via inline CASB, detailed information about inline CASB, and instructions for extracting the appropriate header parameters are beyond the scope of this article. For the related steps, refer to the URLs below:
    Support control factors in exchanged JSON data for custom SaaS applications
    Inline CASB