Hello, guys! I have a FortiGate 200D v5.6.2 build1486 (GA). I created a proxy policy and added an FSSO group to it, but this policy doesn't work. The policy without the FSSO group worked. When I use "diagnose debug authd fsso list", I see the correct FSSO logons.
When I use "diagnose debug enable" and "diagnose debug authd fsso server-status", I see my Server Name and Connection Status: connected. Help me please.
I would suggest the following steps:
1. flow debug - to check how the traffic from the WKS passes the firewall and whether the intended policy with FSSO is being tried
2. packet capture/sniffer to verify the source IP and traffic from the WKS
3. check if the policy matches the traffic pattern
4. check if the src IP address of the traffic matches your FSSO records on the FGT and that the user does belong to the firewall FSSO group in the policy
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
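To automate step 4 of the checklist above, here is an added Python script (not from the thread and not Fortinet's code) that parses "diagnose debug authd fsso list" output and checks whether the workstation's source IP has an FSSO logon whose groups include the AD group DN mapped to the policy's FSSO group. The sample output is constructed and its line format is approximated from FortiOS 5.x, so adjust the regex if your build prints it differently.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of "diagnose debug authd fsso list" output. The field layout
# (IP/User/Groups/Workstation, group DNs joined by '+') is assumed, not copied
# from a real device.
SAMPLE_FSSO_LIST = """\
----FSSO logons----
IP: 192.168.10.25  User: JDOE  Groups: CN=WEB-USERS,OU=GROUPS,DC=EXAMPLE,DC=LOCAL+CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL  Workstation: WKS01.EXAMPLE.LOCAL
IP: 192.168.10.40  User: ASMITH  Groups: CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL  Workstation: WKS02.EXAMPLE.LOCAL
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""


class Logon(NamedTuple):
    user: str
    groups: List[str]
    workstation: str


LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+"
    r"Groups:\s*(?P<groups>.*?)\s+Workstation:\s*(?P<ws>\S+)\s*$"
)


def parse_fsso_list(output: str) -> Dict[str, Logon]:
    """Map each source IP to its logon record; multiple group DNs are split on '+'."""
    logons: Dict[str, Logon] = {}
    for line in output.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue  # header, trailer and summary lines carry no logon
        groups = [g.strip().upper() for g in m.group("groups").split("+") if g.strip()]
        logons[m.group("ip")] = Logon(m.group("user"), groups, m.group("ws"))
    return logons


def check_policy_match(output: str, src_ip: str, policy_group_dn: str) -> str:
    """Return 'match', 'no-logon' (IP unknown to FSSO) or 'not-member' (wrong group).

    'no-logon' points at the collector/agent side; 'not-member' points at the
    FSSO group mapping in the policy.
    """
    logon = parse_fsso_list(output).get(src_ip)
    if logon is None:
        return "no-logon"
    if policy_group_dn.strip().upper() in logon.groups:
        return "match"
    return "not-member"
```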
Sorry for my bad English.
I created the policy in "Policy & Objects -> Proxy Policy". Proxy type: Explicit web. Outgoing Interface: "WAN" (Internet).
Enabled on: "LAN" interface. Source: my workstation's IP address and a User group. Destination: all.
As intermediary I use the "Fortinet-Single-Sign-On Agent".
When I delete the "User group" from Source, this Proxy Policy worked.
Try to check your config against this KB:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36382
!! And since you stated it is an explicit proxy policy, pay extra attention to the "IP Based" part; in the CLI: set ip-based enable
Because by default the explicit proxy is session based and uses session cookies, not the src IP/port, to match traffic against the FSSO user list.
If this does not resolve it, then I'd suggest logging in to the http://support.fortinet.com portal and opening a technical trouble ticket for the issue, providing:
- FGT config backup
- outputs from FSSO troubleshooting [page 185] http://kb.fortinet.com/kb...ubleshooting-40-mr3pdf
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
My FGT version: v5.6.2 build1486. This version doesn't have the "ip-based" command.
This KB has the solution. http://kb.fortinet.com/kb...teId=0%200%20117388209
This KB is exactly what I was looking for! It resolved the same issue I had with explicit proxy and FSSO in 5.6!