tsimeonov_FTNT

Description
Prior to FortiOS 5.2.3, FortiGate units only supported Windows Active Directory (AD) security groups in the FSSO group filter.

Starting with FortiOS 5.2.3 and Collector Agent 5.0.0229, FortiGate units also support filtering on organizational units (OUs).

Below is a sample FSSO group filter configuration that uses both OUs and AD security groups. Note that an OU entry matches a user by the container the account object resides in (the OU part of the user's distinguished name), not by group membership, so moving a user object to another OU changes which FortiGate groups that user matches.
Note: the following example is based on FortiOS 5.2.3 and Collector Agent 5.0.0237.

Configuration Steps

1. On the collector agent (CA), under 'Set group filter', select and add the OU container(s):

[Screenshot: Tsvetan_FSSO_OU_Collector_Agent_filter.JPG]

The following screenshot shows a group filter that contains both security groups and OUs:

[Screenshot: Tsvetan_FSSO_OU_Collector_Agent_filter_OU_grps.JPG]


2. Configure the Single Sign-On (SSO) agent on the FortiGate so that it connects to the collector agent:

[Screenshot: Tsvetan_FSSO_OU_Config_FSSO.JPG]


3. Configure FortiGate user groups (type FSSO) and map the AD security groups and OUs to them:

[Screenshot: Tsvetan_FSSO_OU_Config_FGT_FSSO_auth_groups.JPG]


4. Configure firewall policies that use the FortiGate groups as their source user groups:

[Screenshot: Tsvetan_FSSO_OU_Config_firewall_policy.JPG]
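The FortiGate side of steps 2 to 4 in CLI form, as an added example that is not taken from the original article. The SSO agent name FSSO_CA, the collector agent address 192.168.1.10, the interface names internal and wan1, the FortiGate group names and the security group DN "CN=FSSO Group1,..." are assumed; the OU DN and policy ID 6 are the ones that appear in the verification output in step 5.

```text
# Step 2: SSO agent entry. The FortiGate connects to the collector agent (CA),
# receives logon events and learns which groups/OUs the CA's filter allows.
# FSSO_CA and 192.168.1.10 are assumed values, not from the article.
config user fsso
    edit "FSSO_CA"
        set server "192.168.1.10"
        set password <CA shared password>
    next
end

# Step 3: FortiGate groups of type fsso-service. Each member is the full DN
# the CA sends: either an OU container or a security group. The OU DN is the
# one shown by "diagnose debug authd fsso list"; the security group DN is assumed.
config user group
    edit "FSSO_OU1_GRP"
        set group-type fsso-service
        set member "OU=FSSO OU1,OU=FSSO USERS,DC=MYDOMAIN01,DC=LOCAL"
    next
    edit "FSSO_SEC_GRP"
        set group-type fsso-service
        set member "CN=FSSO Group1,OU=FSSO USERS,DC=MYDOMAIN01,DC=LOCAL"
    next
end

# Step 4: policy 6 (the policy_id seen in the session output in step 5).
# It only matches traffic whose source IP currently has an FSSO logon in one of
# the listed groups. Interface names are assumed.
config firewall policy
    edit 6
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_OU1_GRP" "FSSO_SEC_GRP"
        set nat enable
    next
end
```

Traffic from an address that has no FSSO logon, or whose logon groups do not match, does not match policy 6 and falls through to the next policy in the list, so place the policy that should catch unauthenticated hosts (usually a deny) below it deliberately. Before testing, `diagnose debug authd fsso server-status` confirms that the FortiGate is actually connected to the CA.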

5. Verification

5.1 Log in to a test workstation.
5.2 Verify that the FortiGate received the logon event:

# diagnose debug enable
# diagnose debug authd fsso list

----FSSO logons----
IP: 192.168.1.205  User: USEROU01  Groups: OU=FSSO OU1,OU=FSSO USERS,DC=MYDOMAIN01,DC=LOCAL  Workstation: WINDOWS8-1.MYDOMAIN01.LOCAL
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----


5.3 Send traffic from the test workstation, then filter the session table on the workstation address and list it:
# diagnose sys session filter src 192.168.1.205
# diagnose sys session list

session info: proto=6 proto_state=01 duration=12 expire=3590 timeout=3600 flags=00000010 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
user=USEROU01 state=may_dirty acct-ext
statistic(bytes/packets/allow_err): org=350/4/1 reply=614/3/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=172.17.97.254/192.168.1.205
hook=post dir=org act=snat 192.168.1.205:49231->65.52.233.45:80(172.17.97.181:49231)
hook=pre dir=reply act=dnat 65.52.233.45:80->172.17.97.181:49231(192.168.1.205:49231)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:15:5d:01:0c:19
misc=0 policy_id=6 auth_info=0 chk_client_info=0 vd=0
serial=00009811 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0

The user=USEROU01 field together with policy_id=6 confirms that the session matched the identity-based policy as the FSSO user. If the user= field is empty, the source address had no FSSO logon (or its groups did not match a FortiGate group) and the traffic matched a different policy.

Alternative Approach to Group Filtering

As an alternative to step 1, the group filter can be configured on the FortiGate and pushed to the collector agent. This requires an LDAP server object on the FortiGate, which it uses to browse AD for the groups and OUs.
Note that combining both methods is not recommended: use only one filter method per FortiGate.

1a. Configure an LDAP server:

[Screenshot: Tsvetan_FSSO_OU_Config_ldap.JPG]

1b. Configure the FSSO group filter under the SSO agent configuration:

[Screenshot: Tsvetan_FSSO_OU_Config_FSSO-LDAP.JPG]
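The CLI form of steps 1a and 1b, as an added example that is not from the original article. The LDAP server name AD_LDAP, the domain controller address, the bind account "fgt-ldap" and the SSO agent name FSSO_CA are assumed; the domain DN DC=MYDOMAIN01,DC=LOCAL is the one from the verification output above.

```text
# 1a: LDAP server object. The FortiGate binds to AD with this account to browse
# groups and OUs, so use a read-only account: it never needs write access.
# Server address, bind account and password are assumed values.
config user ldap
    edit "AD_LDAP"
        set server "192.168.1.10"
        set cnid "sAMAccountName"
        set dn "DC=MYDOMAIN01,DC=LOCAL"
        set type regular
        set username "CN=fgt-ldap,CN=Users,DC=MYDOMAIN01,DC=LOCAL"
        set password <bind password>
    next
end

# 1b: bind the LDAP server to the SSO agent entry. With ldap-server set, the
# groups and OUs are selected on the FortiGate (the members of its fsso-service
# groups, chosen from the AD tree) and the resulting filter is pushed to the CA,
# replacing the CA's own 'Set group filter' list for this FortiGate.
config user fsso
    edit "FSSO_CA"
        set server "192.168.1.10"
        set password <CA shared password>
        set ldap-server "AD_LDAP"
    next
end
```

Because the pushed filter is per FortiGate, leave the CA's local 'Set group filter' empty when using this method; as the article notes, mixing the two sources of the filter is not recommended.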


