Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Implicit proxy + Saml (azure) auth oddity
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Implicit proxy + Saml (azure) auth oddity
Hi everyone, bit of a niche problem, I have many students working from home with laptops provided by us, they are hard configured to browse by the proxy we have set and they're locked down to keep it that way, they can browse some times but not all.
- So we have an implicit proxy exposed on the FG's wan interface.
- The proxy is configured to default deny.
- There are proxy policies in place permitting access to Azure for the auth process to succeed which it does
- A default policy is inplace that has the SAML_Group object associated against it to permit the learners access to the web, src=all + SAML_Group, dst=all, security= student-web-filter, Full SSL inspection.
- Clients win11, have the CA cert installed from the gate to their trusted ca stores.
- A session token is provided to the user post auth with 5 minute timeout.
- The user on their laptop can browse the web to certain sites, but then it suddenly blocks them going from say google to whatsmyip.
- In the logs I can see the successful connections are recorded to the UPN user@domain.com etc
- In the default deny log I can see the connection to whatsmyip being blocked and there being no user registered against that specific connection, in this case whatsmyip.
- the whatsmyip site is in a permitted category on the assigned webfilter.
- Proxy settings place the proxy on port 8080 for both http & s.
- http/s sites are being blocked.
Solved! Go to Solution.
Labels:
- Labels:
-
Authentication
-
FortiGate
-
Proxy policy
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all, I believe I've resolved this one.
It turns out that we had a dns filter configured on the interface to which the ssid was attached. Even though it was a lite-touch dns filter it's presence appears to screw up the known authenticated connections, presumably the Fortigate maybe matching positively a url in the webfilter one minute and then in the DNS filter the next and loosing the authentication information in the process?
I've since removed the DNS filter from the interface under DNS Servers page, left the web-filter in place on the access policy and as a result, access appears to be working as expected, we don't have a tremendous amount of load on it today but nonetheless it's looking positive with all logged traffic being attributed to the respective user.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello zer0kbps,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello again!
I found this solution, can you tell me if it helps, please?
It sounds like you are experiencing issues with user sessions and authentication when students are trying to browse the web through the FortiGate proxy. Here are a few areas to investigate that may help resolve the issue:
-
Session Token Timeout: Since the session token has a 5-minute timeout, it is possible that users are being logged out and thus losing their authentication status. This could lead to the proxy denying access to sites after the timeout. You may want to consider increasing the session timeout duration to allow for longer browsing sessions.
-
Proxy Policies: Ensure that the proxy policies are correctly configured and that there are no conflicting policies that could be causing the issue. Double-check that the SAML_Group object and the web filter are correctly applied to allow access to the desired sites, including "whatsmyip."
-
Web Filter Configuration: Although you mentioned that "whatsmyip" is in a permitted category, verify that your web filter settings are not inadvertently blocking access. Check if there are any additional rules or settings that may be affecting access to certain sites.
-
SSL Inspection: Since you are using full SSL inspection, ensure that the inspection is configured correctly. If the SSL inspection is not correctly handling the traffic, it may cause issues with certain HTTPS sites. Make sure that the CA certificate is installed correctly on the client devices and that there are no certificate errors.
-
Logs and Diagnostics: Continue to monitor the logs for any patterns or specific error messages that could provide more insight into why the connections are being blocked. It may also be beneficial to enable detailed logging on the proxy policies to capture more information about denied connections.
-
Network Configuration: Check the network configuration to ensure that there are no routing or firewall rules that could be affecting the traffic flow. Make sure that the FortiGate device can reach the internet without any issues.
-
Client Configuration: Ensure that the proxy settings on the client laptops are correctly configured and that they are pointing to the correct proxy address and port. Any misconfiguration on the client side could lead to inconsistent access.
If you've gone through these areas and are still experiencing issues, you might want to consider reaching out to Fortinet support for more in-depth troubleshooting tailored to your specific setup. They can provide additional insights and help resolve any configuration issues you may be facing.
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've seen similar behavior when using SAML auth with Azure and Fortinet’s implicit proxy—especially if the session tokens aren’t properly cached or the IdP times out during redirection. Double-check your relay state settings and session timeouts. Also, make sure any inspection profiles aren’t stripping SAML headers. Sometimes a slight mismatch in time sync between FortiGate and Azure AD causes oddities too.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all, I believe I've resolved this one.
It turns out that we had a dns filter configured on the interface to which the ssid was attached. Even though it was a lite-touch dns filter it's presence appears to screw up the known authenticated connections, presumably the Fortigate maybe matching positively a url in the webfilter one minute and then in the DNS filter the next and loosing the authentication information in the process?
I've since removed the DNS filter from the interface under DNS Servers page, left the web-filter in place on the access policy and as a result, access appears to be working as expected, we don't have a tremendous amount of load on it today but nonetheless it's looking positive with all logged traffic being attributed to the respective user.
Labels
-
FortiGate
10,618 -
FortiClient
2,164 -
FortiManager
891 -
5.2
687 -
FortiAnalyzer
681 -
5.4
638 -
FortiSwitch
587 -
FortiClient EMS
564 -
FortiAP
561 -
IPsec
421 -
6.0
416 -
SSL-VPN
380 -
FortiMail
372 -
5.6
362 -
FortiNAC
286 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
196 -
FortiAuthenticator
175 -
FortiGuard
160 -
5.0
152 -
Firewall policy
145 -
FortiGate-VM
134 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiToken
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
86 -
FortiProxy
77 -
ZTNA
76 -
Routing
75 -
Fortivoice
73 -
SAML
71 -
DNS
71 -
VLAN
71 -
BGP
70 -
FortiEDR
69 -
FortiADC
68 -
Authentication
68 -
Certificate
66 -
RADIUS
61 -
LDAP
60 -
FortiLink
56 -
SSO
54 -
NAT
54 -
FortiSandbox
53 -
FortiExtender
52 -
4.0MR3
49 -
vdom
47 -
Interface
45 -
Application control
45 -
FortiDNS
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
FortiConnect
35 -
SSL SSH inspection
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
API
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
FortiMonitor
20 -
OSPF
20 -
WAN optimization
20 -
Security profile
19 -
Web rating
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
NAC policy
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2602 | |
| 1384 | |
| 804 | |
| 664 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.