Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
julianhaines

Outbound firewall authentication with Microsoft Entra ID as a SAML IdP

Good day,

I am setting up Outbound firewall authentication with Microsoft Entra ID as a SAML IdP and have a question about the required Firewall Policies that I can't find the answer to anywhere. I am following this guide: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/33053

In the Firewall policy it says to use "All", "Azure-FW-Auth" for the source, which means it will apply to all users. Is there a way of targeting only certain devices or IPs?

I have tried replacing the "All" with Address Lists containing a device's IP and/or MAC, but when I do this the Firewall Policy stops working, and I am not sure why, as it should.

How would I set it up to target only certain devices so I can roll out in stages rather than all in one go?

Thanks

pminarik
Staff

Source IPs and source user/groups are separate configuration fields. A packet must match both criteria to match the firewall policy.

If your firewall policy is set for sources "all" (IPs) + "Azure-FW-Auth" (group), this functionally means "any IP with an authenticated member of this group", without any further IP restriction.

You can certainly narrow this down, e.g. to something like "LAN-subnet" (e.g. defined as a relevant /24) + "Azure-FW-Auth", but you need to make sure that this combination makes sense (don't set the source-address to a subnet where these users won't be located).

[ corrections always welcome ]
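To make the "IP AND group" point concrete, here is an added FortiOS CLI fragment (not from this thread or from Fortinet's guide) showing the guide's "all" + "Azure-FW-Auth" policy next to the same policy narrowed to one pilot host. The interface names, the "Pilot-Host" address object and the policy IDs are assumptions; the 10.0.6.159 host is the address the poster tested with.

```fortios
# Added example, not from the thread. Interface names (port1/port2), the
# "Pilot-Host" address object and policy IDs are assumptions; "Azure-FW-Auth"
# is the SAML user group from the guide the poster is following.

# Address object for the single device being piloted (host /32).
config firewall address
    edit "Pilot-Host"
        set subnet 10.0.6.159 255.255.255.255
    next
end

# Original shape: srcaddr "all" + group => any internal IP whose user has
# authenticated as a member of Azure-FW-Auth. Both fields must match (AND).
config firewall policy
    edit 10
        set name "SAML-Outbound-All"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Azure-FW-Auth"
        set nat enable
    next
end

# Staged rollout: same policy, srcaddr narrowed to the pilot host only.
# Packets from other hosts do not match this policy at all, so they are
# never sent to the SAML captive portal by it.
config firewall policy
    edit 11
        set name "SAML-Outbound-Pilot"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Pilot-Host"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Azure-FW-Auth"
        set nat enable
    next
end
```

One thing to check when the narrowed policy seems to "stop working": FortiGate evaluates policies top-down, and if a later policy without `groups` also matches the pilot host's traffic, that traffic falls through to it instead of triggering authentication. The debug flow output will show which policy ID actually matched.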
julianhaines

Hi, thanks for the information. I have tried with an Address IP range of 10.0.6.159-10.0.6.159, but this does not work; I have confirmed this is the device's IP.

pminarik

Time to run debug flow to check what happens!

Identify some easy test target that nobody else will be trying to communicate with (to reduce noise in debugs; e.g. http://www.example.com), then set up debug flow for it:

diag debug flow filter port 80
diag debug flow filter addr 93.184.215.14   # www.example.com
diag debug enable
diag debug flow trace start 10

=> try accessing it from the test client device; do this for both test cases (src-addr "all", and when set to something specific).

Then see what's matched.

[ corrections always welcome ]