Solution
- FortiAuthenticator uses TCP port 8000 for FSSO communication with FortiGate. To check this, log in to FortiAuthenticator -> Fortinet SSO -> Settings -> FortiGate.

- Starting with FortiAuthenticator firmware 6.4.5 and 6.4.6, a new 'Enable Encryption' option is available for FSSO communication with FortiGate.
Note: In FortiAuthenticator 6.4.5 this option is enabled by default. In FortiAuthenticator 6.4.6 it must be enabled manually, because certificates need to be set up before it can be used. If it is enabled without them, FSSO sessions will disconnect and the FSSO connector on the firewall will show as down.
- To use this encryption feature, first issue a certificate and assign it to FSSO in FortiAuthenticator. In this article, FortiAuthenticator itself is used as the Root Certificate Authority that issues the certificate for FSSO.
- Go to FortiAuthenticator -> Certificate Management -> Certificate Authority -> Local CAs -> Select Create New.

- Enter the required information in the Local CA certificate creation form and then select OK. The values shown are for demonstration purposes only; change them as appropriate for the environment.

- Once the CA certificate is generated, it will be shown in the list.
- Now create a Local Service certificate, which will be linked to the FSSO encryption settings in FortiAuthenticator.

- Fill in the required information, select 'Root_CA_1' from the certificate authority list, and select OK.

- Now assign this certificate in the encryption settings of FSSO in FortiAuthenticator.
- Go to FortiAuthenticator -> Fortinet SSO -> Settings -> FortiGate. On the right-hand side, enable 'Enable encryption' and select the recently created FSSO certificate.
- Then select 'Enable authentication' and enter a 'Secret Key'. Select OK to save the settings.

- At this stage, the configuration on the FortiAuthenticator side is almost complete. For the last step, export the certificate of the recently created Root CA.
Go back to Local CAs under Certificate Authorities, select the certificate, and select Export Certificate.

- A file named after the certificate will be downloaded automatically; in this case it is 'Root_CA_1.crt'.
- The next step is to import this Root CA into the FortiGate 'Remote CA Certificate' list.
- Log in to FortiGate and select System -> Certificates -> Create/Import -> CA Certificate.
- In the new window, select File, select Upload, and choose the CA certificate just downloaded from FortiAuthenticator. Select Open and then select OK.
- The certificate will be listed under 'Remote CA Certificate'. Double-click on the certificate to show its details, and select Close once finished.
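The trust relationship the steps above build (Root_CA_1 signs the FSSO service certificate, and FortiGate is given only Root_CA_1.crt to validate it against) can be reproduced and checked offline. The following shell script is an added example and is not part of the original article or of any Fortinet product: it builds a throwaway Root CA and service certificate with openssl, which is not how FortiAuthenticator generates them internally, and the hostname fsso.example.invalid, the key file names and the assumption that the FSSO listener negotiates TLS on the port once encryption is enabled are all mine.

```shell
#!/bin/sh
# Added example: rebuild the trust relationship from this article with openssl.
# Root_CA_1 (the Local CA) signs the FSSO service certificate; FortiGate is
# given only Root_CA_1.crt and must reject anything that does not chain to it.
set -e

# Create a throwaway Root CA and a service certificate signed by it in "$1".
# Certificate names mirror the article; the hostname is an assumed placeholder.
build_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # Local CA: a self-signed root, the equivalent of 'Local CAs -> Create New'
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Root_CA_1" \
        -keyout "$dir/Root_CA_1.key" -out "$dir/Root_CA_1.crt" >/dev/null 2>&1
    # Local Service certificate request for the FSSO listener
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=fsso.example.invalid" \
        -keyout "$dir/fsso.key" -out "$dir/fsso.csr" >/dev/null 2>&1
    # Sign it with Root_CA_1, as selecting Root_CA_1 in the CA list does
    openssl x509 -req -in "$dir/fsso.csr" -days 365 \
        -CA "$dir/Root_CA_1.crt" -CAkey "$dir/Root_CA_1.key" -CAcreateserial \
        -out "$dir/fsso.crt" >/dev/null 2>&1
}

# What FortiGate's 'Trusted SSL Certificate' setting amounts to: is the
# certificate in $2 signed by the Root CA in $1? Returns 0 when the chain
# verifies and 1 otherwise.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Live check against a running FortiAuthenticator (not exercised here): open a
# TLS session to the FSSO port and fail unless the presented certificate chains
# to the exported Root CA. Usage: fsso_tls_check <host> <Root_CA_1.crt> [port]
fsso_tls_check() {
    openssl s_client -connect "$1:${3:-8000}" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}
```

Running `build_demo_pki ./demo && verify_chain ./demo/Root_CA_1.crt ./demo/fsso.crt` succeeds, while verifying fsso.crt against any other CA file fails, which is exactly the behaviour to expect from FortiGate if the wrong Root CA is imported or selected in the connector.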
- Now create an FSSO external connector for FortiAuthenticator. While still logged in to FortiGate, select Security Fabric -> External Connectors and select Create New.
- Enter the server name/IP address and the encryption key defined in the FortiAuthenticator FSSO settings, toggle 'Trusted SSL Certificate' on, select the recently imported FortiAuthenticator Root CA from the list, choose 'Apply and Refresh', and then select OK.
Important Note: Encryption key should be the same on both FortiAuthenticator and FortiGate.
- At this stage, the connector will be shown as disconnected; this is resolved in the next steps.
- Now log in to the FortiGate CLI and check the FSSO configuration. The port has been changed to 8001 by the GUI.
FortiGate normally uses TCP port 8000 for FSSO communication with FortiAuthenticator.
- At this stage, manually change the port back to 8000:
FGT (root) # config user fsso
FGT (fsso) # edit Fortiauthenticator
FGT (Fortiauthenticator) # set port 8000
FGT (Fortiauthenticator) # end
FGT (root) #
- Now go back to the FortiGate GUI and check the FSSO agent. It will be shown as connected; the green up arrow indicates that FSSO is connected successfully.
- Double-click on the FSSO agent settings to check the status.
Important Note: If OK is selected or 'Apply & Refresh' is used in the GUI, the port will be overwritten to 8001 and FSSO will go down again. If this happens, go back to the CLI and set the port to 8000 again in the FSSO configuration.
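Because the GUI silently rewrites the port every time the connector is saved, it is worth having a scripted check that can be run against a saved copy of the FortiGate FSSO configuration after any GUI change. The script below is an added example, not Fortinet code: the configuration it audits is a constructed sample in FortiOS CLI syntax, the agent name and server address are placeholders, 'set port' is the setting this article discusses, and 'set ssl' and 'set ssl-trusted-cert' are the key names I believe the GUI encryption and trusted-certificate toggles map to (assumed, not taken from the article).

```shell
#!/bin/sh
# Added example: audit a FortiGate 'config user fsso' dump for the port the GUI
# rewrites. The expected FSSO port is 8000 (from this article); 8001 is what
# the GUI writes after OK / 'Apply & Refresh'.
set -e

FSSO_PORT_EXPECTED=8000
FSSO_PORT_GUI=8001

# Constructed sample of a FortiGate FSSO agent configuration as the CLI shows
# it. 'set port' is from the article; 'set ssl' and 'set ssl-trusted-cert' are
# assumed key names for the GUI encryption / trusted-certificate settings.
write_sample_config() {
    cat > "$1" <<'EOF'
config user fsso
    edit "Fortiauthenticator"
        set server "192.0.2.10"
        set port 8001
        set ssl enable
        set ssl-trusted-cert "Root_CA_1"
    next
end
EOF
}

# Print the port configured for agent $2 in config file $1. A missing
# 'set port' line means the implicit FortiOS default of 8000. Exit 1 if the
# agent is not present in the file.
fsso_port() {
    awk -v agent="$2" '
        $1 == "edit" { name = $2; gsub(/"/, "", name); in_agent = (name == agent); if (in_agent) found = 1 }
        in_agent && $1 == "set" && $2 == "port" { port = $3 }
        $1 == "next" { in_agent = 0 }
        END { if (!found) exit 1; print (port == "" ? 8000 : port) }
    ' "$1"
}

# Return 0 when the agent already talks to port 8000; print a diagnosis and
# return 1 otherwise, so the check can sit in a post-change validation script.
fsso_port_ok() {
    port=$(fsso_port "$1" "$2") || { echo "agent $2 not found"; return 1; }
    if [ "$port" = "$FSSO_PORT_EXPECTED" ]; then
        return 0
    elif [ "$port" = "$FSSO_PORT_GUI" ]; then
        echo "agent $2: port $port (GUI default); FSSO stays down until it is $FSSO_PORT_EXPECTED"
    else
        echo "agent $2: unexpected port $port"
    fi
    return 1
}

# Emit the CLI lines from the article that put the port back for agent $1,
# ready to paste into the FortiGate CLI.
fsso_port_fix_cli() {
    printf 'config user fsso\n    edit "%s"\n        set port %s\n    next\nend\n' \
        "$1" "$FSSO_PORT_EXPECTED"
}
```

Typical use is `fsso_port_ok fsso.conf Fortiauthenticator || fsso_port_fix_cli Fortiauthenticator`, where fsso.conf holds the output of the FSSO section of the FortiGate configuration; a clean run prints nothing and exits 0, and a GUI-rewritten config prints the diagnosis followed by the CLI fix.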