Description

This article explains FSSO, in particular DC Agent mode, in an easily understood manner.

Scope

FSSO, FortiGate.

Solution

Fortinet Single-Sign-On (FSSO) is a proprietary Fortinet solution that allows Active Directory user logins to be shared with FortiGate and utilized for granular policy matching. The user is not required to authenticate explicitly to FortiGate, and the firewall ideally already knows of the user login, IP, and groups before any user traffic even passes through it.

FSSO consists of multiple components that handle login detection and maintenance, as well as a FortiGate (or FortiProxy) device, which receives the login information for further use. There are two main login detection methods, DC Agent Mode and Polling.

This article focuses on DC Agent mode. It touches on the following components:

DC: Domain controller, the central server in a domain environment. It usually serves multiple purposes. For FSSO, the following roles are relevant:

DNS Server.	LDAP Server.	LSASS.exe.
Resolves hostnames to IPs (and vice-versa, usually).	Validates user credentials and provides group membership information.	An authentication service that runs on domain controllers and handles the authentication requests from users' workstations.

The Fortinet components relevant to FSSO are:

DC Agent.	Collector Agent (or FortiAuthenticator).	FortiGate (or FortiProxy).
An FSSO Agent that reads activity in lsass.exe and shares logins with the Collector Agent.	An FSSO Agent that receives logins from the DC Agent and processes them further.	Receives the processed and filtered logins from the Collector Agent.

A more detailed and technical explanation of FSSO may be found here: Technical Tip: Explaining FSSO - a primer.

1. DC Agent picks up login activity in lsass.exe.
                                                               
   
   Note: DC Agent reads logins from lsass.exe, not from Windows Security Event logs as Polling Mode does.
   
   
2. DC Agent reports logins to Collector Agent.
                                                                                                
   
3. The Collector Agent filters logins and performs DNS lookup as necessary.
                                                                     
   
   Note: Collector Agent may discard logins if the user or IP is in an ignore list, or if the workstation cannot be resolved to an IP.
   Adding users to an ignore list is outlined here: Technical Tip: How and why to use the 'Ignore User List' option in FSSO Collector Agent. 
   Adding IPs to an ignore list is outlined here: Technical Tip: Excluding IP addresses from FSSO logon events.
   
   
4. The Collector Agent queries LDAP for group membership.
                                                                                                       
   
5. LDAP returns group membership, and login is added to the logged-on user list.
                                                                                                               
   
   Note: Collector Agent may cache group lookup results for a period to avoid querying LDAP every time the user generates login activity.
   
   
6. The Collector Agent provides (filtered) logins to FortiGate.
                                                                                         
   
   Note: Collector Agent only sends logins to a connected FortiGate that matches the group filter for that FortiGate. The group filter may be set on FortiGate or Collector Agent directly, and the Collector Agent may track more overall logged-in users than are shared with any specific FortiGate.
   
   
7. The Collector Agent periodically performs checks to keep track of logins up to date.
                                                                                          
   
   Note: Collector Agent updates any connected FortiGate if a change in IP or user is detected. It checks for possible IP changes via DNS and uses WMI queries against users' workstations to verify if the original user is still logged in.