FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
Sheikh (Staff)
Article Id 227344
Description: This article describes the steps to create an FSSO connector and enable FSSO encryption between FortiAuthenticator and FortiGate using certificates.
Scope: FortiAuthenticator and FortiGate.
Solution

- FortiAuthenticator uses TCP port 8000 for FSSO communication with FortiGate. To check this, log in to FortiAuthenticator -> Fortinet SSO Methods -> General.


- In FortiAuthenticator firmware 6.4.5 and 6.4.6, a new option, 'Enable Encryption', was introduced for communicating with FortiGate over FSSO.

 

Note: In FortiAuthenticator 6.4.5 this is enabled by default, but in FortiAuthenticator 6.4.6 it needs to be enabled manually, as certificates need to be set up before using it. Otherwise, FSSO sessions will be disconnected and the FSSO connector on the firewall will be down.

 

- So, in order to use this encryption feature, first issue a certificate and assign it to FSSO in FortiAuthenticator. In this article, FortiAuthenticator is used as a Root Certificate Authority, which issues the certificate for FSSO.


- Go to FortiAuthenticator -> Certificate Management -> Certificate Authority -> Local CAs -> select Create New.


- Enter the required information in the Local CA certificate creation form and then select OK. The test information is used for demonstration purposes only; change the values as needed.


- Once the CA certificate is generated, it will be shown in the list.

 

- Now create a Local Service certificate, which will be linked to the FSSO encryption settings in FortiAuthenticator.


- Fill in the required information, select 'Root_CA_1' from the certificate authority list, and select OK.


- Now assign this certificate in the encryption settings of FSSO in FortiAuthenticator.

 

- Go to FortiAuthenticator -> Fortinet SSO Methods -> SSO -> General. On the right-hand side, enable 'Enable encryption' and select the recently created FSSO certificate.

 

- Then select 'Enable authentication' and enter the 'Secret Key'. Select OK to save the settings.


- At this stage, the configuration on the FortiAuthenticator side is almost complete; as a last step, export the certificate of the recently created Root CA.

Go back to Local CAs under Certificate Authorities, select the certificate and select Export Certificate.


- A file named after the certificate will be downloaded automatically. In this case it is named 'Root_CA_1.crt'.

 

- The next step is to import this Root CA into the FortiGate 'Remote CA Certificate' list.

 

- Log in to FortiGate, select System -> Certificates -> Create/Import -> CA Certificate.


- In the new window, select File, then Upload, select the recently downloaded CA certificate from FortiAuthenticator, select Open and then select OK.


- The certificate will be listed under the 'Remote CA Certificate' list. Double-click the certificate to show its details. Select Close once finished.


- Now create an FSSO external connector to FortiAuthenticator. While still logged in to FortiGate, select Security Fabric -> External Connectors -> Create New.


- Enter the server name/IP address and the encryption key defined in the FortiAuthenticator FSSO settings, then toggle 'Trusted SSL Certificate', select the recently imported FortiAuthenticator Root CA from the list, choose 'Apply and Refresh' and then select OK.

 

Important Note: The encryption key should be the same on both FortiAuthenticator and FortiGate.

 

- At this stage, the connector will be shown as disconnected; this will be resolved in the next steps.


- Now log in to the FortiGate CLI and check the FSSO configuration. The port has been changed to 8001.

 

FortiGate uses TCP port 8000 for FSSO communication with FortiAuthenticator.


- At this stage, manually change the port back to 8000:

 

FGT (root) # config user fsso
FGT (fsso) # edit Fortiauthenticator
FGT (Fortiauthenticator) # set port 8000
FGT (Fortiauthenticator) # end
FGT (root) #

 

- Now go back to the FortiGate GUI and check the FSSO agent; it will be shown as connected. The green up arrow shows that FSSO is connected successfully.


- Double-click the FSSO agent settings to check the status.


Important Note: If 'OK' or 'Apply & Refresh' is selected in the GUI, the port will be overwritten to 8001 and FSSO will be down again. If that is the case, go back to the CLI and change the port to 8000 in the FSSO configuration.
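Because a later GUI save can silently push the port back to 8001, it helps to audit a FortiGate configuration backup for FSSO entries whose port is not 8000, whose ssl is not enabled, or that bind no trusted CA. The script below is an added check, not from this article or from Fortinet; it assumes the CLI keys `set ssl` and `set ssl-trusted-cert` under `config user fsso` are what the GUI's 'Trusted SSL Certificate' toggle writes, and the sample config is constructed.

```shell
#!/bin/sh
# Constructed sample of a FortiGate config backup (not taken from the article).
# The second entry shows the port drift described above: 8001 after a GUI save,
# and no trusted CA bound to it.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
config user fsso
    edit "Fortiauthenticator"
        set server "192.0.2.10"
        set port 8000
        set ssl enable
        set ssl-trusted-cert "Root_CA_1"
    next
    edit "FAC-backup"
        set server "192.0.2.11"
        set port 8001
        set ssl enable
    next
end
EOF

# check_fsso_config FILE
# Walks each "edit" block under "config user fsso" and reports entries whose
# port is not 8000 (an absent "set port" means the default, 8000), whose ssl
# is not enabled, or that bind no trusted CA. Returns 0 if all are clean.
check_fsso_config() {
    awk '
        function flush() {
            if (name == "") return
            if (port != "" && port != "8000") { printf "%s: port %s (expected 8000)\n", name, port; bad = 1 }
            if (ssl != "enable") { printf "%s: ssl not enabled\n", name; bad = 1 }
            if (ca == "") { printf "%s: no ssl-trusted-cert bound\n", name; bad = 1 }
            name = ""
        }
        /^config user fsso/ { insec = 1; next }
        !insec { next }
        /^end/ { flush(); insec = 0; next }
        /^[ \t]*edit / { flush(); name = $2; port = ""; ssl = ""; ca = ""; next }
        /^[ \t]*set port / { port = $3; next }
        /^[ \t]*set ssl / { ssl = $3; next }
        /^[ \t]*set ssl-trusted-cert / { ca = $3; next }
        END { flush(); exit bad + 0 }
    ' "$1"
}

check_fsso_config "$SAMPLE_CFG" || echo "FSSO config needs attention"
```

Run it against a backup taken after every GUI change to the connector; a non-zero exit means at least one entry has drifted from the working settings described above.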
