FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
bpozdena_FTNT
Article Id 191415

Description

 

This article describes the differences between the built-in 'Global Pre-Filter' and a custom 'FortiGate Filter' for FSSO.
To view, create, or modify the FortiGate group filters, go to Fortinet SSO -> Filtering -> FortiGate.

(Screenshot: fgt_filter.png)
 
Scope

 

FortiAuthenticator 6.6.x.


Solution


While seemingly similar, the Global Pre-filter and a custom FortiGate Filter have different effects on how FSSO login information is filtered.
The Global Pre-filter filters login information before it is entered into the FSSO user database on FortiAuthenticator itself. It is therefore an 'ingress' filter.

The Global Pre-filter is built in and cannot be removed, only modified. By default it places no limitation on user groups or IPs, so it is ready to 'ingest' almost everything. It is therefore recommended to modify it so that unwanted logon information is filtered out, for example by restricting it to the user groups intended for FSSO.


A list of current FSSO user sessions is visible on Monitor -> SSO -> SSO Sessions.

 

(Screenshot: sso.sessions.png)

The custom FortiGate Filter, however, filters login information that is already in FortiAuthenticator's FSSO user database and forwards only the matching records to that FortiGate.


Therefore, if user login information was filtered out by the Global Pre-filter, it cannot be forwarded to any FortiGate.
See the key differences table and the flowchart below for more details.

Key differences table:

Row 1 (what is filtered)
  'Global pre-filter': Filters login information sent from the source (DC/TS Agent, FSSOMA, etc.) to FortiAuthenticator.
  Custom 'FortiGate Filter': Filters logon information sent from FortiAuthenticator to FortiGate(s).

Row 2 (unmatched logon information)
  'Global pre-filter': Discarded; it will not appear in the FortiAuthenticator or FortiGate FSSO logon list.
  Custom 'FortiGate Filter': Remains in the FortiAuthenticator logon list (Monitor -> SSO -> SSO Sessions), but is not forwarded to that specific FortiGate.

Row 3 (group filter on FortiGate)
  'Global pre-filter': Might not affect which group filter is sent to FortiGate.
  Custom 'FortiGate Filter': The User Group Filter is synchronized to FortiGate and stored in its configuration under 'config user adgrp'.

 

The last row in the table has these three implications.

 

  1. All AD groups are ingested if not filtered by the Global Pre-filter.

     If no limit/filter is set on which user groups from AD/LDAP are learned into FortiAuthenticator's FSSO user database, then ALL user groups from Active Directory are taken into consideration.

  2. FortiGates without filters receive the complete user database.

     If there is no specific FortiGate Filter, just the Global Pre-filter, that filter is sent to the connected FortiGate and stored in 'config user adgrp'.
     It also means that all logon records, i.e. all FSSO user database records that passed the Global Pre-filter, are sent to such a FortiGate (one without a specific filter).

  3. FortiAuthenticator provides/pushes the AD group filter to FortiGate; it does not receive, listen for, pull, or sync in any.

     In contrast to the standalone Collector Agent, which can pull the so-called Group Filter from FortiGate (LDAP on FortiGate is used, and Advanced mode on the Collector is needed), FortiAuthenticator acting as Collector Agent does NOT honor or take into account the Group Filter set on FortiGate. FortiAuthenticator, as a centralized IAM, pushes group filters to all connected FortiGate units: either the filter set for a specific FortiGate or the Global Pre-filter.

     Therefore there is no need to set LDAP inside the Fabric connector on FortiGate if FortiAuthenticator is the external FSSO collector.
     Even if set, that filter will never be used by FortiAuthenticator.

     Points 1 and 2 combined can have a negative impact on the configuration of all connected FortiGate unit(s).

     In detail, if no group filter is set on ingress via the Global Pre-filter, then all AD user groups are learned by FortiAuthenticator.

     And if a connected FortiGate has no specific filter of its own, it receives all the user database login information and also all the learned user groups.

     As a result, the 'config user adgrp' configuration on such a FortiGate might unexpectedly fill up with hundreds or thousands of AD user group records, because everything is pushed down to that FortiGate unit.

     Therefore it is recommended to limit the user groups learned from AD into FSSO via the Global Pre-filter to only those intended to be used further down on the connected FortiGate unit(s).
     That superset can then be divided into subset(s) via group filters set for specific FortiGate unit(s), or used as a global set for all FortiGate unit(s) that do not need specific user group(s).

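To make the two stages concrete, here is an added illustration (not FortiAuthenticator code) modelling the ingress Global Pre-filter, the per-FortiGate filter, and what a FortiGate without its own filter ends up with in 'config user adgrp'. The users, groups, IPs and FortiGate names are constructed sample data.

```python
"""Simplified model of FSSO filtering on FortiAuthenticator (added illustration).
Assumes a group filter matches a logon when any of the logon's groups is listed,
and that an empty filter means 'no limitation' (the default Global Pre-filter)."""
from dataclasses import dataclass
from typing import Optional, List, Dict


@dataclass
class Logon:
    user: str
    ip: str
    groups: frozenset


@dataclass
class Filter:
    """Group filter; an empty set matches everything."""
    groups: frozenset = frozenset()

    def matches(self, logon: Logon) -> bool:
        return not self.groups or bool(self.groups & logon.groups)


@dataclass
class FortiGate:
    name: str
    filter: Optional[Filter] = None  # None: no custom filter, Global Pre-filter applies


def ingest(logons: List[Logon], pre_filter: Filter) -> List[Logon]:
    """Ingress stage: only logons matching the Global Pre-filter enter the FSSO user DB.
    Anything dropped here is gone for good and can never reach a FortiGate."""
    return [l for l in logons if pre_filter.matches(l)]


def push(db: List[Logon], pre_filter: Filter, fgt: FortiGate) -> Dict[str, list]:
    """Egress stage: sessions and the 'config user adgrp' content a FortiGate receives.
    Without a custom filter the Global Pre-filter is pushed instead; if that one is
    empty, every learned AD group is pushed (the 'hundreds of groups' problem)."""
    eff = fgt.filter or pre_filter
    sessions = [l.user for l in db if eff.matches(l)]
    adgrp = sorted(eff.groups) if eff.groups else sorted({g for l in db for g in l.groups})
    return {"adgrp": adgrp, "sessions": sessions}


LOGONS = [  # constructed logon events as a DC Agent would report them
    Logon("alice", "10.0.0.11", frozenset({"CN=VPN-Users", "CN=Domain Users"})),
    Logon("bob", "10.0.0.12", frozenset({"CN=Finance", "CN=Domain Users"})),
    Logon("carol", "10.0.0.13", frozenset({"CN=Printer-Ops"})),
]
PRE = Filter(frozenset({"CN=VPN-Users", "CN=Finance"}))  # restricted Global Pre-filter
FGT_A = FortiGate("fgt-a", Filter(frozenset({"CN=VPN-Users"})))  # custom filter
FGT_B = FortiGate("fgt-b")  # no custom filter
```

Running `push(ingest(LOGONS, PRE), PRE, FGT_B)` shows fgt-b getting both remaining users and both pre-filter groups, while `push(ingest(LOGONS, Filter()), Filter(), FGT_B)` shows an unrestricted pre-filter pushing every learned group down.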

Flowchart:

(Flowchart image: FAC-FSSO-Filter-flowchart.png)
 
Comments
Mohsen2000
Staff

Just a small amendment:

When a custom group filter is not configured for the FGT, while the global pre-filter has a group filter configured, the global group filter will be sent to the FGT.