Fortinet VPN SSO/MFA

Hi All,

Hoping you guys can help me with something.

We recently introduced a new FortiClient VPN connection with SSO and Azure MFA.

There is a CA policy in Azure set up and working as expected.

The feedback I have gotten from a few dozen users (out of 250) is that a couple of the internal apps (all web-based) are spinning or not loading while on this new VPN SSO connection, yet it doesn't happen on the old non-SSO connection (we have both connections still listed in FortiClient).

Behavior is sporadic and hard to duplicate. Fortinet support says nothing in the firewall policies is blocking any traffic.

Packet captures haven't revealed much either. I don't know how this new connection would cause issues, as all it's doing is prompting for MFA and authenticating via Azure AD.

Any thoughts? Or perhaps some troubleshooting steps that I should dig into further?

The authentication method shouldn’t impact the actual traffic. Have you made sure that the new SAML groups are in your policies so the traffic is allowed correctly?
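One way to do the check this reply suggests mechanically rather than by eye, as an added example that is not part of the original thread or of any Fortinet tooling: dump the policy table with `show firewall policy` on the FortiGate, then flag every accept policy on the SSL VPN interface that still carries the legacy VPN group but not the new SAML group. The interface name (`ssl.root`), group names and the config fragment below are constructed assumptions for the example.

```python
"""Flag FortiOS firewall policies that allow the legacy VPN group but not the SAML group.

Added example, not code from the original thread. It parses text in the
format produced by `show firewall policy` on FortiOS. The interface and
group names are assumptions; replace them with your own.
"""
import re
import shlex

# Constructed sample of `show firewall policy` output (not from a real
# firewall). Policy 3 is the deliberately inconsistent one: it was never
# updated with the SAML group.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "SSLVPN-to-Web-Apps"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Web-Apps"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "VPN-Laptops" "SAML-VPN-Users"
        set nat disable
    next
    edit 2
        set name "WAN-to-LAN"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "SSLVPN-to-Intranet"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Intranet"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set groups "VPN-Laptops"
    next
end
"""


def parse_policies(config_text):
    """Return {policy_id: {setting: [values]}} from `show firewall policy` text."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if line == "next":
            current = None
            continue
        if current is not None and line.startswith("set "):
            # shlex handles the quoted, possibly multi-valued settings
            parts = shlex.split(line)
            policies[current][parts[1]] = parts[2:]
    return policies


def policies_missing_group(policies, vpn_intf, legacy_group, saml_group):
    """IDs of accept policies on vpn_intf that allow legacy_group but not saml_group."""
    missing = []
    for pid, pol in sorted(policies.items()):
        if vpn_intf not in pol.get("srcintf", []):
            continue
        if pol.get("action", ["deny"])[0] != "accept":
            continue
        groups = pol.get("groups", [])
        if legacy_group in groups and saml_group not in groups:
            missing.append(pid)
    return missing


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    for pid in policies_missing_group(pols, "ssl.root", "VPN-Laptops", "SAML-VPN-Users"):
        print(f"policy {pid} ({pols[pid]['name'][0]}): has VPN-Laptops but not SAML-VPN-Users")
```

Feed it the saved output of `show firewall policy` instead of the constructed sample. Note that it only compares group membership on policies that already name the legacy group; a policy that matches on source address with no groups at all, or one that is simply absent for the SSL VPN interface, is not reported, so a policy count per interface is still worth eyeballing alongside this.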

Yup. I mirrored the setup to the laptop group setup and added the SAML groups to all those policies. I had a colleague spot-check as well.

It's just odd behavior, and the CIO keeps pushing to dig more into it. It could just be the normal internal app behavior as well, but I can't really confirm that or know how to confirm it.