Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Implicit proxy + Saml (azure) auth oddity
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Implicit proxy + Saml (azure) auth oddity
Hi everyone, bit of a niche problem, I have many students working from home with laptops provided by us, they are hard configured to browse by the proxy we have set and they're locked down to keep it that way, they can browse some times but not all.
- So we have an implicit proxy exposed on the FG's wan interface.
- The proxy is configured to default deny.
- There are proxy policies in place permitting access to Azure for the auth process to succeed which it does
- A default policy is inplace that has the SAML_Group object associated against it to permit the learners access to the web, src=all + SAML_Group, dst=all, security= student-web-filter, Full SSL inspection.
- Clients win11, have the CA cert installed from the gate to their trusted ca stores.
- A session token is provided to the user post auth with 5 minute timeout.
- The user on their laptop can browse the web to certain sites, but then it suddenly blocks them going from say google to whatsmyip.
- In the logs I can see the successful connections are recorded to the UPN user@domain.com etc
- In the default deny log I can see the connection to whatsmyip being blocked and there being no user registered against that specific connection, in this case whatsmyip.
- the whatsmyip site is in a permitted category on the assigned webfilter.
- Proxy settings place the proxy on port 8080 for both http & s.
- http/s sites are being blocked.
Solved! Go to Solution.
Labels:
- Labels:
-
Authentication
-
FortiGate
-
Proxy policy
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all, I believe I've resolved this one.
It turns out that we had a dns filter configured on the interface to which the ssid was attached. Even though it was a lite-touch dns filter it's presence appears to screw up the known authenticated connections, presumably the Fortigate maybe matching positively a url in the webfilter one minute and then in the DNS filter the next and loosing the authentication information in the process?
I've since removed the DNS filter from the interface under DNS Servers page, left the web-filter in place on the access policy and as a result, access appears to be working as expected, we don't have a tremendous amount of load on it today but nonetheless it's looking positive with all logged traffic being attributed to the respective user.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello zer0kbps,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello again!
I found this solution, can you tell me if it helps, please?
It sounds like you are experiencing issues with user sessions and authentication when students are trying to browse the web through the FortiGate proxy. Here are a few areas to investigate that may help resolve the issue:
-
Session Token Timeout: Since the session token has a 5-minute timeout, it is possible that users are being logged out and thus losing their authentication status. This could lead to the proxy denying access to sites after the timeout. You may want to consider increasing the session timeout duration to allow for longer browsing sessions.
-
Proxy Policies: Ensure that the proxy policies are correctly configured and that there are no conflicting policies that could be causing the issue. Double-check that the SAML_Group object and the web filter are correctly applied to allow access to the desired sites, including "whatsmyip."
-
Web Filter Configuration: Although you mentioned that "whatsmyip" is in a permitted category, verify that your web filter settings are not inadvertently blocking access. Check if there are any additional rules or settings that may be affecting access to certain sites.
-
SSL Inspection: Since you are using full SSL inspection, ensure that the inspection is configured correctly. If the SSL inspection is not correctly handling the traffic, it may cause issues with certain HTTPS sites. Make sure that the CA certificate is installed correctly on the client devices and that there are no certificate errors.
-
Logs and Diagnostics: Continue to monitor the logs for any patterns or specific error messages that could provide more insight into why the connections are being blocked. It may also be beneficial to enable detailed logging on the proxy policies to capture more information about denied connections.
-
Network Configuration: Check the network configuration to ensure that there are no routing or firewall rules that could be affecting the traffic flow. Make sure that the FortiGate device can reach the internet without any issues.
-
Client Configuration: Ensure that the proxy settings on the client laptops are correctly configured and that they are pointing to the correct proxy address and port. Any misconfiguration on the client side could lead to inconsistent access.
If you've gone through these areas and are still experiencing issues, you might want to consider reaching out to Fortinet support for more in-depth troubleshooting tailored to your specific setup. They can provide additional insights and help resolve any configuration issues you may be facing.
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've seen similar behavior when using SAML auth with Azure and Fortinet’s implicit proxy—especially if the session tokens aren’t properly cached or the IdP times out during redirection. Double-check your relay state settings and session timeouts. Also, make sure any inspection profiles aren’t stripping SAML headers. Sometimes a slight mismatch in time sync between FortiGate and Azure AD causes oddities too.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all, I believe I've resolved this one.
It turns out that we had a dns filter configured on the interface to which the ssid was attached. Even though it was a lite-touch dns filter it's presence appears to screw up the known authenticated connections, presumably the Fortigate maybe matching positively a url in the webfilter one minute and then in the DNS filter the next and loosing the authentication information in the process?
I've since removed the DNS filter from the interface under DNS Servers page, left the web-filter in place on the access policy and as a result, access appears to be working as expected, we don't have a tremendous amount of load on it today but nonetheless it's looking positive with all logged traffic being attributed to the respective user.
Labels
-
FortiGate
10,495 -
FortiClient
2,131 -
FortiManager
883 -
5.2
687 -
FortiAnalyzer
672 -
5.4
638 -
FortiSwitch
575 -
FortiAP
561 -
FortiClient EMS
551 -
6.0
416 -
IPsec
404 -
FortiMail
371 -
SSL-VPN
370 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
190 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
125 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
66 -
Authentication
64 -
Certificate
61 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
FortiLink
53 -
FortiExtender
51 -
NAT
51 -
4.0MR3
49 -
FortiDNS
44 -
VDOM
44 -
Application control
44 -
Interface
42 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Authentication rule and scheme
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
FortiAI
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
FortiAIOps
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2534 | |
| 1351 | |
| 795 | |
| 641 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.