Created on 10-28-2022 03:33 AM
Edited on 01-23-2025 07:30 AM
By Stephen_G
Description
This article describes how to set up FortiGate with one of the FSSO Agent working modes: the Collector Agent polling logon sessions from a Domain Controller running Windows Server 2019.
Scope
FortiGate, FSSO Collector Agent.
Solution
Fortinet Single Sign-On allows the user to log in once and access services without re-entering logon credentials. The FSSO Collector Agent (CA) can work in DC Agent mode or Polling mode. In polling mode, the CA polls port 445 of each DC for user logon information every few seconds and forwards it to the FortiGate unit.
On FortiGate (v7.2.2 in this example), configure the connector through the GUI as FSSO Agent on Windows AD.
Navigate to Security Fabric -> External Connectors -> Create New -> FSSO Agent on Windows AD.
Configure the IP address of the server where the FSSO Agent is installed, the password and the group source. A maximum of 5 FSSO Agents can be created under the same entry. FSSO redundancy works on the active-passive principle: the FortiGate latches on to the first FSSO CA in the list if it replies. Once the first one becomes unresponsive, it falls back to the secondary one and stays on it until the secondary becomes unresponsive. Afterward, it checks whether the first one is available again.
Regarding the group source, there will be two types as seen in the screenshot:
Collector Agent: User groups will be pushed to FortiGate from the Collector Agent.
Local: The user group will be specified in this FortiGate's config, pushed TO Collector Agent.
In this case, use the Collector Agent group source, which means that the FSSO Agent pushes all user groups specified in its group filter.
With this group source, the FSSO Agent must operate in Standard Mode. If group source 'Local' is selected, the FSSO Agent must operate in Advanced Mode.
FSSO Agent -> Set Directory Access Information.
Standard mode: In this mode, the FSSO Agent receives group information in the format of domain\user.
Advanced mode: The FSSO Agent receives user group information in the format of an LDAP Distinguished name (DN), for example, CN=Users,DC=forti,DC=lab. The benefit of this method is that the Collector Agent will be able to parse nested groups.
Using the user group source 'Collector Agent' on FortiGate, set the group filter on FSSO Agent.
FSSO Agent -> Set Group Filters -> Add -> Default filter/FortiGate SN -> Advanced -> Mark the groups that need to be monitored -> Add.
In the list, the groups that need to be monitored have been marked.
Back on FortiGate, this is how the FSSO Agent config looks in the CLI.
Now, trigger the Windows logon event with the domain user that is a member of the user groups specified in Group Filters on the FSSO Agent.
Navigate to FSSO Agent -> Logon user list to verify the user logon event.
Now on FortiGate, check the FSSO user database to confirm that the FSSO Agent sent the logon event correctly, including the IP address, workstation name, username and user groups.
On FortiGate GUI -> Dashboard -> User & Devices -> Firewall Users.
Output from FortiGate CLI commands (where X.X.X.X is the IP of the affected user):
diag debug authd fsso list | grep X.X.X.X -B1 -A6
diag firewall auth list | grep X.X.X.X -B1 -A6
The first command shows the logon information pulled from the FSSO Collector Agent, while the second command shows the user groups actually authenticated on FortiGate.
Now, add the FSSO user groups to an IPv4 firewall policy to restrict or allow user access.
If the user logon event is not seen in the 'Logon user list' on the FSSO Agent, first check 'Event Viewer -> Windows logs' on the domain controller. Narrow down the logs using the 'Find' action and search for the username. In this example, the username is 'north'.
There have been cases where the logon event did not appear in FSSO Agent -> Logon user list because the logon event was not triggered, or was cached due to a Windows GPO, so the FSSO Agent had nothing to poll.
For testing purposes, it is possible to change the account used for Fortinet Single Sign-On to a domain admin account.
If the logged-in user then shows in the Collector Agent, the permissions of the original service account need to be checked on the AD side so that it can read the event logs.
Further verification can be done on the firewall or server side by running a packet capture on port 8000.
To summarize how FortiGate learns the username and groups:
- The user logs into a Windows machine and the Domain Controller authenticates them.
- The Domain Controller records a logon event (e.g., EventID 4624).
- The FSSO Agent/Collector Agent frequently polls the event log on the DC.
- The Collector Agent performs a DNS lookup of the machine name against the system DNS to resolve the IP address.
- The Collector Agent performs a group lookup against the LDAP server.
- The Collector Agent sends the username, workstation name, IP address and user groups to FortiGate.
- The FortiGate firewall stores the logon information in its user database.
- The logon is sent, and the user is authenticated.
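The polling cycle summarized above, together with the Standard/Advanced group-format distinction from the Directory Access section, as an added simulation written for this article; it is not Fortinet code. The event lines, DNS table, LDAP table and the DOMAIN\group format used for Standard mode are all constructed assumptions.

```python
import re

# Constructed Windows Security event lines (not real log data): the fields a
# collector reads from a 4624 event are user, domain, workstation and source IP.
EVENTS = [
    "EventID=4624 TargetUserName=north TargetDomainName=FORTI WorkstationName=WS-NORTH IpAddress=10.10.10.21",
    "EventID=4624 TargetUserName=guest TargetDomainName=FORTI WorkstationName=WS-GUEST IpAddress=-",
    "EventID=4624 TargetUserName=svc-backup TargetDomainName=FORTI WorkstationName=SRV01 IpAddress=10.10.10.50",
    "EventID=4634 TargetUserName=north TargetDomainName=FORTI WorkstationName=WS-NORTH",
]
DNS = {"WS-NORTH": "10.10.10.21", "SRV01": "10.10.10.50"}  # constructed DNS answers
LDAP = {                                                   # constructed group membership
    "north": ["CN=Sales,OU=Groups,DC=forti,DC=lab", "CN=VPN,OU=Groups,DC=forti,DC=lab"],
    "guest": ["CN=Guests,OU=Groups,DC=forti,DC=lab"],
    "svc-backup": ["CN=Backup,OU=Groups,DC=forti,DC=lab"],
}
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one constructed event line into a dict of its key=value fields."""
    return dict(FIELD.findall(line))

def group_name(dn, domain, advanced):
    """Advanced mode keeps the DN; Standard mode uses DOMAIN\\name (assumed format)."""
    return dn if advanced else f"{domain}\\{dn.split(',')[0][3:]}"

def poll(events, group_filter, advanced=True):
    """One polling cycle: 4624 -> DNS -> LDAP -> group filter -> logon record."""
    logons, skipped = [], []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":          # only logon events are of interest
            continue
        user, domain, ws = ev["TargetUserName"], ev["TargetDomainName"], ev["WorkstationName"]
        ip = DNS.get(ws) or (ev["IpAddress"] if ev["IpAddress"] != "-" else None)
        if ip is None:                           # no IP: FortiGate could never match traffic
            skipped.append((user, "unresolved workstation"))
            continue
        groups = [group_name(dn, domain, advanced) for dn in LDAP.get(user, [])]
        matched = [g for g in groups if g in group_filter]
        if not matched:                          # not in a monitored group: not forwarded
            skipped.append((user, "no monitored group"))
            continue
        logons.append({"user": f"{domain}\\{user}", "workstation": ws, "ip": ip, "groups": matched})
    return logons, skipped

# Groups marked in Set Group Filters (constructed), in Advanced-mode DN format.
FILTER = ["CN=Sales,OU=Groups,DC=forti,DC=lab", "CN=Backup,OU=Groups,DC=forti,DC=lab"]
if __name__ == "__main__":
    for rec in poll(EVENTS, FILTER)[0]:
        print(rec)
```

The skipped list is what to look at when a user is missing from the Logon user list: an unresolvable workstation name or a group outside the filter keeps the logon from ever reaching FortiGate.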
Related articles:
- Agent-based FSSO - FortiGate cookbook
- Technical Tip: Checking Collector Agent service account privilege for Windows Security Event Logs po...
- Technical Tip: Windows event IDs used by FSSO in WinSec polling mode
- Technical Tip: Comparison between DC-Agent mode and polling mode
- Technical Tip: FSSO choose between DC Agent mode or Polling mode
- Technical Tip: Downloading FSSO agent software
- Technical Tip: How to install FSSO Collector Agent
- Technical Tip: FSSO Windows Directory Access Methods - Standard versus Advanced Mode
- Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets