FortiSASE
acvaldez (Staff)
Article Id 345977
Description: This article describes the requirements for SWG policies that use SSO (SAML) authentication.
Scope: FortiSASE.
Solution:

When configuring an SWG policy with SSO authentication, it is essential to use a Security Profile Group that includes Deep Inspection.

See this example configuration at Configuration -> SWG Policy, where the policy references a profile group that does not use deep inspection:

Screenshot: profile that is not using deep inspection.png

Go to Configuration -> Security -> Profile Group drop-down to see the profile group in question:

Screenshot: profile that is not using deep inspection - v2.png

With this configuration, the implicit deny policy is hit for HTTPS (SSL/TLS) pages, whereas plaintext HTTP pages work fine. Check the logs at Analytics -> Logs -> Traffic.

Filter using the known IP address of the SWG client to check its traffic:

Screenshot: you will keep hitting the implicit deny .png

Using the same example IP address, enable debugging on the CLI as follows:

diagnose debug console timestamp enable
diagnose wad filter src 126.143.20.82    <----- Filters the debug output to one specific IP address, which is useful in busy environments.
diagnose wad debug enable category all
diagnose debug enable

This may show output as follows:


[I]2025-09-08 08:42:48.800146 wad_fw_policy_check_user :5819 L7 auth is skipped for DI.
[I]2025-09-08 08:42:48.800148 wad_fw_policy_async_match :648 pol_ctx:xhcf|Ac2d|7?|=d
[I]2025-09-08 08:42:48.800153 wad_http_req_policy_set :10482 match policy-id=0(pol_ctx:xhcf|Ac2d|7?|=d) vd=0(ses_ctx:x|Ph|Mde|Hh|C|A7|O) (126.143.20.82:49582@3 -> 2.18.40.162:443@4)
[E]2025-09-08 08:42:48.800161 wad_http_req_proc_policy :10422 POLICY DENIED
[V]2025-09-08 08:42:48.800178 wad_http_req_exec_tunnel_convert :5206 hs=0x7f5df3aba4e8 ssl_proc=dbk intercept=block_req deep_scan=1 ret=1


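As an added example, not part of the original article and not a Fortinet tool, the following Python script parses `diagnose wad debug` output of the shape shown above and flags sessions from the filtered client that fell through to the implicit deny policy (policy-id=0) on TCP/443 while plaintext HTTP matched a real policy, which is exactly the symptom described in this article. The sample output embedded in the script is constructed: the first five lines mirror the article's output, and the trailing HTTP line with policy-id=3 is a placeholder added only to show the contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `diagnose wad debug` output. The first five lines are modelled on
# the article's output; the last line is a constructed plaintext HTTP request from the same
# client that matches a regular policy (policy-id=3 is a placeholder, not a real policy ID).
SAMPLE_DEBUG = """\
[I]2025-09-08 08:42:48.800146 wad_fw_policy_check_user :5819 L7 auth is skipped for DI.
[I]2025-09-08 08:42:48.800148 wad_fw_policy_async_match :648 pol_ctx:xhcf|Ac2d|7?|=d
[I]2025-09-08 08:42:48.800153 wad_http_req_policy_set :10482 match policy-id=0(pol_ctx:xhcf|Ac2d|7?|=d) vd=0(ses_ctx:x|Ph|Mde|Hh|C|A7|O) (126.143.20.82:49582@3 -> 2.18.40.162:443@4)
[E]2025-09-08 08:42:48.800161 wad_http_req_proc_policy :10422 POLICY DENIED
[V]2025-09-08 08:42:48.800178 wad_http_req_exec_tunnel_convert :5206 hs=0x7f5df3aba4e8 ssl_proc=dbk intercept=block_req deep_scan=1 ret=1
[I]2025-09-08 08:43:01.100001 wad_http_req_policy_set :10482 match policy-id=3(pol_ctx:constructed) vd=0(ses_ctx:constructed) (126.143.20.82:49600@3 -> 198.51.100.10:80@4)
"""

# One wad debug line: "[<level>]<date> <time> <function> :<line> <message>"
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z])\](?P<ts>\S+ \S+) (?P<func>\S+) :(?P<lineno>\d+) (?P<msg>.*)$"
)
# The policy-match message, including the flow tuple "(src:sport@if -> dst:dport@if)"
POLICY_RE = re.compile(
    r"match policy-id=(?P<pid>\d+)\(.*?\) vd=(?P<vd>\d+)\(.*?\) "
    r"\((?P<src>[\d.]+):(?P<sport>\d+)@\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)@\d+\)"
)
DEEP_SCAN_RE = re.compile(r"\bdeep_scan=(\d)")


@dataclass
class Session:
    timestamp: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    policy_id: int          # 0 is the implicit deny policy
    denied: bool = False    # set when a "POLICY DENIED" line follows the match
    deep_scan: Optional[bool] = None  # set from the deep_scan= flag, if logged


def parse_wad_debug(text: str) -> List[Session]:
    """Group wad debug lines into sessions, one per 'match policy-id=' line."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a wad debug line (prompt echo, blank line, etc.)
        msg = m.group("msg")
        pm = POLICY_RE.search(msg)
        if pm:
            current = Session(
                timestamp=m.group("ts"),
                src=pm.group("src"), src_port=int(pm.group("sport")),
                dst=pm.group("dst"), dst_port=int(pm.group("dport")),
                policy_id=int(pm.group("pid")),
            )
            sessions.append(current)
            continue
        if current is None:
            continue  # lines before the first policy match carry no session context
        if "POLICY DENIED" in msg:
            current.denied = True
        dm = DEEP_SCAN_RE.search(msg)
        if dm:
            current.deep_scan = dm.group(1) == "1"
    return sessions


def implicit_deny_tls(sessions: List[Session], client_ip: Optional[str] = None) -> List[Session]:
    """Sessions (optionally from one client) that hit the implicit deny policy on TCP/443."""
    return [
        s for s in sessions
        if s.policy_id == 0 and s.dst_port == 443 and (client_ip is None or s.src == client_ip)
    ]


def diagnose(sessions: List[Session], client_ip: str) -> str:
    """Verdict mirroring the article's symptom: HTTPS denied while plaintext HTTP matches."""
    tls_denied = implicit_deny_tls(sessions, client_ip)
    http_ok = [s for s in sessions if s.src == client_ip and s.dst_port == 80 and s.policy_id != 0]
    if tls_denied and http_ok:
        return ("HTTPS hits implicit deny while HTTP matches a policy: check that the SWG policy's "
                "profile group includes Deep Inspection and that the profile has no SSL exemptions")
    if tls_denied:
        return "HTTPS hits implicit deny: no policy matched this client's TLS sessions"
    return "no implicit-deny TLS sessions for this client"


if __name__ == "__main__":
    found = parse_wad_debug(SAMPLE_DEBUG)
    for s in found:
        print(f"{s.timestamp} {s.src}:{s.src_port} -> {s.dst}:{s.dst_port} "
              f"policy-id={s.policy_id} denied={s.denied} deep_scan={s.deep_scan}")
    print(diagnose(found, "126.143.20.82"))
```

Feed it the captured console output instead of the embedded sample (for example, read a file into `parse_wad_debug`) and pass the IP address you used in `diagnose wad filter src`; the `deep_scan` flag on each session tells you whether the SSL handshake reached deep inspection at all, which is the first thing to compare against the profile group attached to the policy.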
End users will see browser messages similar to the following:

'Access Denied'

'The page you requested has been blocked by a firewall policy restriction.'


When a Security Profile Group that includes Deep Inspection is applied to the SWG policy (alongside other security profiles such as AV or web filtering), the correct policy matches successfully. However, ensure that the FortiGate certificate used for deep inspection is installed on the user's machine, since deep inspection re-signs server certificates with it and the browser must trust it for the pages to load.

Go to Configuration -> SWG Policy:

Screenshot: policy used deep inspection profile.png

Note: A Deep Inspection profile includes SSL exemptions at least for these categories:

  • 'Finance and Banking'.
  • 'Health and wellness'.

Screenshot: 2024-11-10_15h48_29.png

All SSL exemptions need to be removed from the Deep Inspection profile. Otherwise, pages in these exempted categories will also hit the implicit deny policy when the SWG policy requires authentication. Conversely, if SSL exemptions are required, the authentication requirement (typically a user group) must be removed from the policy.

Go to Configuration -> Security -> Profile Group drop-down:

Screenshot: profile using deep inspection.png

Screenshot: user be able to be detected .png