Skip to main content
fred339
fred339
Explorer III
May 13, 2022
Solved

Setting up Fortigate_80F with access to AD Users and Security Groups with LDAPS with DC redundancy.

  • May 13, 2022
  • 2 replies
  • 10594 views

Fortigate_80F, v6.4.9 build1966(GA)
Since this is the first time setting up a Fortigate, I'm still learning unique terminology and how things work.
My objective with this new machine is to have access to AD Users and AD Security Groups at least.

That would lead to setting up web filters (for example) using AD Security Groups that are set up for that purpose.  With this, we could add new Users in AD and in AD Security Groups and the information would flow to the Fortigate_80F without touching it.  Does that sound reasonable?

I'm afraid I may have put the cart before the horse.  "FSSO" didn't mean anything to me at first attempt.

I set up LDAPS first and that seems to be working.  

But, I now realize more fully that there's this thing "FSSO".....

My understanding of *that* is that Users log into the domain as usual via the DCs and are automatically recognized on the Fortigate.

 

I can read the documentation OK but knowing just *what* to read is like not seeing the forest for the trees.

Had I started with a roadmap, I probably could have done things better the first time.

Right now, the Fortigate can see AD Users but, it seems, not AD Security Groups.  So working toward web filters based on AD Security Groups isn't really possible.

Also, the enterprise has 3 DCs, one domain and I only have one DC involved in this so far.

So, dealing with DC failures (or even reboots perhaps) has to be dealt with.

Is there a broad roadmap of how to best proceed for

Or, any other advice you might give?

 

Best answer by Debbie_FTNT

Hey Fred,

welcome to the Fortinet Community :).

Not the easiest topic you're diving into from the very start, I hope I can break it down a bit for you and provide the tools so you can implement a setup that suits your environment.

To start off:

- FortiGate can match users to different policies based on AD Group membership, as you already found

- for this to work, the FortiGate has to know which users are currently logged in and what IPs they are associated with

-> this can happen through things like explicit/transparent proxy, captive portal, VPN, or FSSO

- In a company with an exisisting AD infrastructure, FSSO usually integrates quite seamlessly

- FSSO works by reading user login events from domain controller in some manner (there are a few different methods) and then adding those users and the workstation/IP they are associated with to its logged-on user list

-> there is an LDAP lookup involved to get group information

-> policies can then be matched based on that group information

 

Here's a forum thread discussing basically the same: https://community.fortinet.com/t5/Fortinet-Forum/First-time-setup-putting-AD-Usernames-Groups-into-Web-Filters/m-p/209869

As a fairly straightforward FSSO setup, you could do the following:
1. set up a Collector Agent on a domain controller, and configure it to poll the relevant domain controllers (pretty good guide here: https://www.fortinetguru.com/2019/05/configuring-the-fsso-collector-agent-for-windows-ad-2/)
2. Set up FortiGate to connect to the Collector Agent (https://docs.fortinet.com/document/fortigate/6.4.9/administration-guide/460616/fortinet-single-sign-on-agent)

You should start seeing users under Dashboard > Users&Devices > Firewall Users (if you toggle FSSO on).
If you don't see any groups, do the following:
- go to Users & Authentication > User Groups, and create a new user group (of type FSSO)

- you should have some groups you can add to the firewall group object
- the groups you can add are the filter groups set in the FSSO connector

Debbie_FTNT_1-1652687230132.png

 

Debbie_FTNT_0-1652687185399.png
You can then use these group objects in policies to ensure users match into the correct policies and webfilter profiles :)
As a tip:  Set up FSSO and groups and everything, but don't add to policies yet. That way you can already see user information, but if anything is misconfigured or missing it won't have any impact. You can check that you have all the user and group information present and there are no issues or unexpected missing users (or logins getting replaced by service accounts for example) and once you're sure the user information is good, then you can add it to the policies to enforce the desired webfilter profiles.
Let us know if anything is still unclear.

2 replies

Anthony_E
Staff
Anthony_E
Staff
May 16, 2022

Hello fred339,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Best Regards
Debbie_FTNT
Staff & Editor
Debbie_FTNTAnswer
Staff & Editor
May 16, 2022

Hey Fred,

welcome to the Fortinet Community :).

Not the easiest topic you're diving into from the very start, I hope I can break it down a bit for you and provide the tools so you can implement a setup that suits your environment.

To start off:

- FortiGate can match users to different policies based on AD Group membership, as you already found

- for this to work, the FortiGate has to know which users are currently logged in and what IPs they are associated with

-> this can happen through things like explicit/transparent proxy, captive portal, VPN, or FSSO

- In a company with an exisisting AD infrastructure, FSSO usually integrates quite seamlessly

- FSSO works by reading user login events from domain controller in some manner (there are a few different methods) and then adding those users and the workstation/IP they are associated with to its logged-on user list

-> there is an LDAP lookup involved to get group information

-> policies can then be matched based on that group information

 

Here's a forum thread discussing basically the same: https://community.fortinet.com/t5/Fortinet-Forum/First-time-setup-putting-AD-Usernames-Groups-into-Web-Filters/m-p/209869

As a fairly straightforward FSSO setup, you could do the following:
1. set up a Collector Agent on a domain controller, and configure it to poll the relevant domain controllers (pretty good guide here: https://www.fortinetguru.com/2019/05/configuring-the-fsso-collector-agent-for-windows-ad-2/)
2. Set up FortiGate to connect to the Collector Agent (https://docs.fortinet.com/document/fortigate/6.4.9/administration-guide/460616/fortinet-single-sign-on-agent)

You should start seeing users under Dashboard > Users&Devices > Firewall Users (if you toggle FSSO on).
If you don't see any groups, do the following:
- go to Users & Authentication > User Groups, and create a new user group (of type FSSO)

- you should have some groups you can add to the firewall group object
- the groups you can add are the filter groups set in the FSSO connector

Debbie_FTNT_1-1652687230132.png

 

Debbie_FTNT_0-1652687185399.png
You can then use these group objects in policies to ensure users match into the correct policies and webfilter profiles :)
As a tip:  Set up FSSO and groups and everything, but don't add to policies yet. That way you can already see user information, but if anything is misconfigured or missing it won't have any impact. You can check that you have all the user and group information present and there are no issues or unexpected missing users (or logins getting replaced by service accounts for example) and once you're sure the user information is good, then you can add it to the policies to enforce the desired webfilter profiles.
Let us know if anything is still unclear.

    fred339
    fred339Author
    Explorer III
    May 16, 2022

    Thank you!  Exactly the kind/level of response that I needed.
    I'll proceed with it and let you know how it goes. 

    Debbie_FTNT
    Staff & Editor
    Debbie_FTNT
    Staff & Editor
    May 17, 2022

    Hey Fred,

    glad we were able to help some.

    Let us know if you have any further questions :).

    Terms & ConditionsAccessibility statement