Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
CarlosColombini
Staff
Staff

Created on ‎10-29-2023 11:38 PM

Article Id 281541

Troubleshooting Tip: How to read FortiGate WAD debugs from ZTNA TCP-Forwarding connection with SAML Authentication

Description

 

This article describes how to collect and read debug logs output from proxy service (WAD) when a connection attempt is made using ZTNA Access Proxy TCP-Forwarding with SAML Authentication.

 

Scope

 

FortiGate running FortiOS versions 7.0+, 7.2+, 7.4+

 

Solution

 

The following topology will be used while tracing the debug log entries.

 

ztna-workflow.png

 

To enable the debug level for the proxy service the following commands may be used.

 

diagnose wad debug enable all

diagnose debug application samld -1

diagnose debug enable

 

Note.
WAD debug filters may be applied to avoid impact on FortiGate System Resources depending on how much traffic is being proxied by this FortiGate 


wad-debug-filter.png

 

In this example, FortiClient received a ZTNA Destination to RDP to server 172.16.1.10:3389 via Proxy Gateway 192.168.10.43:8887.

 

ztna-destination-example.png

 

  1. The endpoint performed an RDP connection to 172.16.1.10:3389. This connection is received from a client on the external IP and external port of ZTNA Server VIP.

 

debug-wad-ztna-1.png

 

  1. FortiGate then requests a Client Certificate, which will be verified by EMS ZTNA Root CA of available EMS Connectors.

 

debug-wad-ztna-2.png

 

  1. Client provides Certificate. If it is not cached on FortiGate, its serial number is shown, and then verified by EMS ZTNA Root CA.

 

debug-wad-ztna-3a.png

 

  1. Client provides Certificate. If it is found in the cache, the action taken is from the cached result.

 

debug-wad-ztna-3.png

 

  1. TLS handshake is completed with WAD and the ticket is offered to the client

debug-wad-ztna-4.png

 

  1.  The client makes the request once the TLS handshake has been completed and authenticated using its ZTNA certificate.

 

debug-wad-ztna-5.png

 

  1. The payload of requests from clients is decapsulated and then the following checks are done in order:
  • API Gateway:
    • Virtual Host and then Pattern.
  • Real Server:
    • FQDN (DNS query) and IP Address.
  • Route lookup to check for destination reachability (if not, likely a '504 Gateway Timeout' is presented).
  • Policy match starts and the source address and interface are checked.

 

debug-wad-ztna-6.png

 

  1. Policy Matching continues after the source address and interface are checked.
  • Device check:
    • ZTNA Certificate Serial Number.
    • ZTNA Tags.
  • Authentication:
    • Authentication Rules.

 

debug-wad-ztna-7.png

 

  1. The authentication process starts once the Authentication rule matches.
  • SAML redirection and captive portal from FortiClient or External Browser is presented:
    • For external browsers as user agents, saml-redirect must be enabled via CLI under saml api-gateway.
  • After successful authentication with IdP and WAD, the original request is again sent with the SAML cookie.

 

debug-wad-ztna-8.png

 

  1.  After the authentication, the process is completed.
  • FortiGate establishes the connection to the Real Server:

 

debug-wad-ztna-9.png

 

  • Then upgrades connection, switches protocols if needed, and data starts passing between client and server protected via ZTNA Access Proxy:

 

debug-wad-ztna-9b.png 

debug-wad-ztna-9c.png

1772
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.