Skip to main content
fmuianga
fmuianga
New Member
February 13, 2018
Question

Internet Access using FSSO

  • February 13, 2018
  • 2 replies
  • 8177 views

Good afternoon,

My firewall is giving access to the Internet to machines that receive the IP that the user with permission used, even though it is a local account it goes to the internet because the IP is recognized in the firewall as the IP of a user with Internet access. I tried to diagnose debug authd fsso clear-logons to clear the cache but the problem prevails.

 

Let me list the configurations that i did:

1. I installed de FSSO software in domain controller to sync the AD users groups; 2. I created users groups in firewall maped to AD users groups; 3. I created policy IPv4 with the folow information: Name: Full_Access_Users Incoming Interface: Internal (port1) Outgoing Interface: sd-wan Source: all & DSI(users group) Destination: all Schedule: always Service: ALL

 

The policy is the second counting from top to bottom.

The machine that is not in domain but have the IP thats is recognized by firewall as IP of user with internet access is going to internet for this policy and in fortiview apear the user and that IP going to internet.

 

I want to block internet access for local users and for users that arent authenticated in my AD.

 

2 replies

xsilver_FTNT
Staff
xsilver_FTNT
Staff
February 13, 2018

Hi,

so if I summarize your issue, then some users are stealing IP addresses of already authenticated users known through FSSO, and so those impersonate and pass the firewall as someone else misusing the access privileges of original FSSO user.

 

That is not a fault of FSSO but flaw of the technology itself.

If you do allow the misuse or have misconfigured DNS, this can happen.

Keep in mind that FSSO is at the end source IP pre-authorization.

 

I see two possible scenarios:

---

 

A) original user is logged off and new user was simply provided with IP of the previous user.

In this case new user get unintentionally access according to old user's access privileges, simply because logoff was not detected, or workstation check failed or was not run fast enough.

Solutions:

- retention on DHCP, to keep recently released IPs a bit longer inside and do not provide them back to newcomers so easily

- shorten workstation checks

- use WMI logoff detection on standalone Collector Agent (by default is turned on)

 

B) new user stole IP of previous FSSO user to gain access

Just a few mitigation hints .. 

- shorten the workstation checks and so user should not pass verification of his existence in AD

- secure DHCP so it's not going to assign IPs to everyone

- split ranges of assigned IPs from DHCP to guests/others and AD computers so then simple source IP in policy will eliminate those out of AD

- make DHCP semi-static, assign static (always the same) IP per MAC to known workstations and reject others

 

If you wont a stronger authentication then switch to port based identity .. 802.1x !

 

King regards,

Tomas

 

fmuianga
fmuiangaAuthor
New Member
February 13, 2018

Thank you for analyzing and for sparing me some aspects

 

Regards,

Frederico Muianga

RachelGomez123
RachelGomez123
New Member
December 2, 2022

Follow the Step-by-Step Guide given below for Fortigate Single Sign-On (FSSO)
Configure Fortinet in miniOrange. Login into miniOrange Admin Console. 
Configure SSO in Fortinet Admin Account. Login to Fortigate as an admin. 
Test SSO Configuration. 
Configure Your User Directory (Optional) 
Adaptive Authentication with Fortinet.

 

Regards,

Rachel Gomez

Terms & ConditionsAccessibility statement