Support Forum
Jin-Gyu
New Contributor III

Getting Okta authentication when accessing a server through FortiGate

Hi

I have a question about Okta authentication on FortiGate.

Diagram:

[Screenshot 2025-08-14 162147.png]

Scenario

When users on the INT side access SRV, they must authenticate with Okta before they can access it.

Policy

1. INT > SRV
   S: SSO, User IP
   D: Server IP

2. INT > EXT
   S: User IP
   D: ALL

This way, I can access the server after being authenticated.

However, ALL is not available as the destination.
So I used the Okta FQDN and trial.* as destinations, but the authentication screen doesn't show up.

Do you know how to set the destination for Okta authentication?

Also, I would like to know what the traffic flow is when Okta authentication is done as users access the server.

Thank you.

1 Solution
ozkanaltas
Valued Contributor III

Hello @Jin-Gyu,

If I understand correctly, you want to give limited access to the external side, and this access should be limited to Okta services. If so, you can allow these FQDNs in the policy for client access to Okta services.

 

*.okta.com
*.mtls.okta.com
*.oktapreview.com
*.mtls.oktapreview.com
*.oktacdn.com
*.okta-emea.com
*.mtls.okta-emea.com
*.kerberos.okta.com
*.kerberos.okta-emea.com
*.kerberos.oktapreview.com
*.okta-gov.com
*.mtls.okta-gov.com
*.okta.mil
*.mtls.okta.mil
*.awsglobalaccelerator.com
okta-featureflag-edge.azureedge.net
ocsp.digicert.com
crl3.digicert.com
crl4.digicert.com
https://help.okta.com/en-us/content/topics/security/ip-address-allow-listing.htm 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
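The following FortiOS CLI fragment is an added example, not configuration posted by either participant, showing how the accepted answer's FQDN list can be expressed on a FortiGate: the Okta domains become wildcard FQDN objects, the DigiCert revocation hosts become plain FQDN objects, and an INT > EXT policy without a user group allows the unauthenticated browser to reach the identity provider, while the INT > SRV policy keeps its user group so it triggers authentication. Interface names (INT, EXT, SRV), the address objects INT-users and SRV-host, the user group okta-saml-users (assumed to already exist with the SAML server as its member, since the thread says policy 1 already works), and all object names are assumptions; only a subset of the listed domains is shown and the remaining ones are added the same way.

```fortios
# Added example (not from the thread). Wildcard FQDN objects can only be used
# as the DESTINATION of a policy, which is exactly what is needed here.
config firewall wildcard-fqdn custom
    edit "okta-com"
        set wildcard-fqdn "*.okta.com"
    next
    edit "okta-mtls-com"
        set wildcard-fqdn "*.mtls.okta.com"
    next
    edit "oktapreview-com"
        set wildcard-fqdn "*.oktapreview.com"
    next
    edit "oktacdn-com"
        set wildcard-fqdn "*.oktacdn.com"
    next
    edit "awsglobalaccelerator-com"
        set wildcard-fqdn "*.awsglobalaccelerator.com"
    next
end
config firewall wildcard-fqdn group
    edit "okta-idp-wildcard"
        set member "okta-com" "okta-mtls-com" "oktapreview-com" "oktacdn-com" "awsglobalaccelerator-com"
    next
end

# Hosts without a wildcard are ordinary FQDN address objects; the FortiGate
# resolves these itself with its own system DNS.
config firewall address
    edit "okta-featureflag-edge.azureedge.net"
        set type fqdn
        set fqdn "okta-featureflag-edge.azureedge.net"
    next
    edit "ocsp.digicert.com"
        set type fqdn
        set fqdn "ocsp.digicert.com"
    next
    edit "crl3.digicert.com"
        set type fqdn
        set fqdn "crl3.digicert.com"
    next
    edit "crl4.digicert.com"
        set type fqdn
        set fqdn "crl4.digicert.com"
    next
end
config firewall addrgrp
    edit "okta-idp-fqdn"
        set member "okta-featureflag-edge.azureedge.net" "ocsp.digicert.com" "crl3.digicert.com" "crl4.digicert.com"
    next
end

config firewall policy
    # Policy 2 from the question: INT > EXT, no "groups" line, so it never
    # asks for authentication and the browser can reach the Okta login page
    # and the certificate revocation endpoints during the SAML redirect.
    edit 0
        set name "INT-to-Okta-IdP-unauthenticated"
        set srcintf "INT"
        set dstintf "EXT"
        set srcaddr "INT-users"
        set dstaddr "okta-idp-wildcard" "okta-idp-fqdn"
        set action accept
        set schedule "always"
        set service "HTTPS" "HTTP"
        set nat enable
    next
    # Policy 1 from the question: INT > SRV with a SAML user group. A user who
    # has not authenticated yet is redirected to the captive portal, which in
    # turn redirects the browser to Okta via the policy above.
    edit 0
        set name "INT-to-SRV-okta-auth"
        set srcintf "INT"
        set dstintf "SRV"
        set srcaddr "INT-users"
        set dstaddr "SRV-host"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "okta-saml-users"
    next
end
```

Two things to check if the login page still does not appear. First, the FortiGate fills wildcard FQDN objects from DNS responses that pass through it, so the clients' DNS queries must traverse the FortiGate (or its DNS proxy); if they resolve against an internal server on the same segment, the wildcard objects stay empty and the INT > EXT policy never matches. Second, the unauthenticated policy must not be shadowed by an earlier policy that carries a user group for the same source, since policies are matched top down and the first match decides whether authentication is demanded.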
4 REPLIES
Jin-Gyu
New Contributor III

Thank you for answer : )

AEK
SuperUser

Jin-Gyu
New Contributor III

Thank you for letting me know the reference document.
