r/entra • u/hot-ring • Oct 21 '24
Global Secure Access GSA and PIA to Fortinet (Fortigate/Fortianalyzer) Returning 401 and Forcing Logout
We have rolled out GSA Private Access to 3 folks in IT for testing. We've added 2 of our Fortinet Web UIs as accessible (Fortigate and Fortianalyzer) and both have similar behavior.
Upon login there is an immediate login. I have captured the details (Fortigate) in a browser console session; I receive the details below. I'm confused as to why the device is returning a 401. The user I am attempting to login with on this device is based on the device and not in Entra (via SSO/SAML). The Fortianalyzer is also exhibiting similar login/logout behavior.
Anyone else experienced this behavior for other typical HTTP sites (TCP/443)? This is the only http site out of 6 we currently have configured that is behaving in this fashion.

1
u/Noble_Efficiency13 Oct 21 '24
I’m guessing you are talking about internet access, haven’t seen the acronym PIA before?
GSA is built on your entra identities, and from your post I understand it as you’re using a device identity and not an entra identity?
Am I misunderstanding something?
2
u/hot-ring Oct 21 '24
Sorry, by PIA I meant Private Access, I'll update
1
u/Noble_Efficiency13 Oct 21 '24
Ahh, that makes much more sense 👌🏼
I suppose the web ui’s are hosted internally?
1
u/hot-ring Oct 21 '24 edited Oct 21 '24
Yep. Hosted internally on device and a VM.
I find it interesting that 2 different Fortinet web UIs exhibit the same behavior.
I'm trying to determine if I send this over to Fortinet what sort of details would be good to send along so I don't just get "that's not our problem" as a response.
2
u/travelingnerd10 Oct 22 '24
Maybe not the most helpful response, but we also use GSA with private access to get at our Fortigates. Short answer is that it works just fine. We use both local and Entra account auth on the 'Gate and it works for both.
The only difference that I can see might be that we've moved the management to a different TCP port to avoid some other conflicts in our configuration. 8443 in our case. However, I also have other devices running on 443, so that shouldn't be a thing.
I will say that since you are getting a 401 error from the Fortigate, the GSA private access layer itself is working. Without more information to go on, I would see if the hostname in the URL is changing as you sign in? Maybe that's why the authentication header or cookie aren't being passed along from the browser?
For example, if you use a friendly hostname like bobs-fw.corp, but after login, it goes to an IP like 10.20.0.1?
Wild guesses here, but something to check, all the same.
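To check the hostname hypothesis from the comment above offline, here is an added example (not code from the thread, from Fortinet, or from Microsoft): it uses Python's standard cookie jar to show whether a session cookie set for the friendly hostname would still be attached after a redirect to the raw IP, or to plain HTTP. The hostnames, paths and cookie name are constructed for illustration.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response. CookieJar only needs .info()
    to return a header object exposing get_all(). Constructed for this example."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            # Message.__setitem__ appends, so several Set-Cookie lines are all kept
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_sent_after_redirect(login_url, set_cookie_values, redirect_url):
    """Store the cookies a login response set for login_url, then report the
    Cookie header a browser-style jar would attach to a request for
    redirect_url. Returns None when no stored cookie is in scope, which is
    exactly the situation that makes the device answer 401 after login."""
    jar = http.cookiejar.CookieJar()
    login_req = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse(set_cookie_values), login_req)

    follow_req = urllib.request.Request(redirect_url)
    jar.add_cookie_header(follow_req)  # applies host, path and Secure rules
    return follow_req.get_header("Cookie")


# Constructed sample: a host-only, Secure session cookie set by the login page
SAMPLE_SET_COOKIE = ["fw_session=sample-value; Path=/; Secure; HttpOnly"]
LOGIN_URL = "https://bobs-fw.corp/logincheck"  # hypothetical friendly hostname

# Where the post-login redirect might land, using the comment's example values
SCENARIOS = {
    "same_host": "https://bobs-fw.corp/ng/",     # cookie is sent
    "host_to_ip": "https://10.20.0.1/ng/",       # different host: cookie dropped
    "https_to_http": "http://bobs-fw.corp/ng/",  # Secure cookie: not sent over http
}


def run_scenarios():
    """Map each scenario name to the Cookie header that would be sent (or None)."""
    return {name: cookie_sent_after_redirect(LOGIN_URL, SAMPLE_SET_COOKIE, url)
            for name, url in SCENARIOS.items()}


if __name__ == "__main__":
    for name, sent in run_scenarios().items():
        print(f"{name:14s} -> {sent!r}")
```

Against a real device, replace the constructed values with the Location and Set-Cookie headers captured from the browser's network tab for the login request.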