Created on 10-29-2023 11:38 PM. Edited on 08-28-2025 02:09 AM by Jean-Philippe_P.
This article describes how to collect and read debug logs output from the proxy service (WAD) when a connection attempt is made using ZTNA Access Proxy TCP-Forwarding with SAML Authentication.
FortiGate running FortiOS versions 7.0+, 7.2+, 7.4+.
The following topology will be used while tracing the debug log entries.
To enable debug output for the proxy service (WAD) and the SAML daemon, use the following commands:
diagnose wad debug enable all
diagnose debug application samld -1
diagnose debug enable
Note:
Depending on how much traffic is being proxied by this FortiGate, WAD debug filters should be applied to avoid impacting FortiGate system resources.
WAD debug filters can be combined in many ways to narrow down the logs generated on the device.
For example:
diagnose debug console timestamp enable
diagnose wad debug enable category all
diagnose wad debug enable level verbose
diagnose wad debug display pid enable
diagnose wad filter src 192.168.1.1
diagnose wad filter dst 8.8.8.8
To check WAD debug status:
diagnose wad debug show
Category: ssl
Level: verbose
Save debug on crash: disabled
Display: pid enabled
To check WAD debug filters:
diagnose wad filter list
drop unknown sessions: disabled
source ip: 192.168.1.1-192.168.1.1
dest ip: 8.8.8.8-8.8.8.8
Debugging can be enabled with:
diagnose debug enable
To stop debugging:
diagnose debug disable
diagnose debug reset
diagnose wad debug filter clear
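As an added check (example code, not from this article or from Fortinet), the following Python helper parses the output of diagnose wad debug show and diagnose wad filter list as shown above and flags a missing or overly wide filter before debug is enabled. The sample output strings are constructed to match the article's examples, and the max_hosts threshold is an assumption.

```python
import ipaddress
import re

# Constructed sample output modelled on the article's examples (not captured from a device).
DEBUG_SHOW = """Category: ssl
Level: verbose
Save debug on crash: disabled
Display: pid enabled
"""

FILTER_LIST = """drop unknown sessions: disabled
source ip: 192.168.1.1-192.168.1.1
dest ip: 8.8.8.8-8.8.8.8
"""


def parse_kv(text):
    """Parse 'key: value' lines (as printed by the diagnose commands) into a dict."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            out[key.strip().lower()] = value.strip()
    return out


def range_size(value):
    """Number of hosts in an 'a.b.c.d-e.f.g.h' range; None when the filter is unset."""
    m = re.fullmatch(r"(\S+)-(\S+)", value or "")
    if not m:
        return None
    lo, hi = (int(ipaddress.ip_address(x)) for x in m.groups())
    return hi - lo + 1 if hi >= lo else None


def check_wad_debug(show_text, filter_text, max_hosts=256):
    """Return findings; an empty list means the setup is narrow enough to enable debug."""
    show, flt = parse_kv(show_text), parse_kv(filter_text)
    findings = []
    if not (range_size(flt.get("source ip")) or range_size(flt.get("dest ip"))):
        findings.append("no src/dst filter: every proxied session will be logged")
    for key in ("source ip", "dest ip"):
        n = range_size(flt.get(key))
        if n and n > max_hosts:  # max_hosts is an assumed threshold, tune per deployment
            findings.append(f"{key} range covers {n} hosts; narrow it")
    if show.get("level") == "verbose" and show.get("category") == "all":
        findings.append("verbose logging on all categories; expect very heavy output")
    if show.get("display") != "pid enabled":
        findings.append("pid display off: lines from parallel WAD workers cannot be told apart")
    return findings
```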
In this example, FortiClient received a ZTNA Destination to RDP to server 172.16.1.10:3389 via Proxy Gateway 192.168.10.43:8887.
Virtual Host and then Pattern.
FQDN (DNS query) and IP Address.
For external browsers acting as user agents, saml-redirect must be enabled via the CLI in the SAML settings of the access proxy api-gateway.