FortiGate
matanaskovic
Staff
Article Id 228136
Description

This article describes how to set up FortiGate with one of the FSSO Collector Agent working modes: the Collector Agent polling logon sessions from a Domain Controller running Windows Server 2019.

Scope

FortiGate, FSSO Collector Agent.

Solution

Fortinet Single Sign-On (FSSO) allows a user to log in once and access services without re-entering logon credentials. The FSSO Collector Agent (CA) can work in DC Agent mode or Polling mode. In polling mode, the CA polls port 445 of each DC for user logon information every few seconds and forwards it to the FortiGate unit.

On FortiGate (v7.2.2 in this example), configure the connector through the GUI as 'FSSO Agent on Windows AD'.

Navigate to Security Fabric -> External Connectors -> Create New -> FSSO Agent on Windows AD.

[Screenshot: FSSO Agent on Windows AD connector settings]

Configure the IP address of the server where the FSSO Agent is installed, the password, and the group source. A maximum of 5 FSSO Agents can be created under the same entry. FSSO redundancy works on the active-passive principle: the FortiGate latches on to the first FSSO CA in the list if it replies. Once the first one becomes unresponsive, it falls back to the secondary one and stays on it until the secondary becomes unresponsive; only then does it check whether the first one is available again.

Regarding the group source, there are two types, as seen in the screenshot:

Collector Agent: User groups are pushed to FortiGate from the Collector Agent.

Local: The user groups are specified in this FortiGate's configuration and pushed to the Collector Agent.

In this case, use the 'Collector Agent' group source, which means that the FSSO Agent pushes all the user groups specified in its group filter.

The FSSO Agent must then operate in Standard Mode. If the 'Local' group source is selected, the FSSO Agent must operate in Advanced Mode instead.

FSSO Agent -> Set Directory Access Information.

[Screenshot: Set Directory Access Information dialog]

Standard mode: In this mode, the FSSO Agent receives group information in the format of domain\user.

Advanced mode: The FSSO Agent receives user group information in the format of an LDAP Distinguished Name (DN), for example, CN=Users,DC=forti,DC=lab. The benefit of this method is that the Collector Agent is able to parse nested groups.

When using the user group source 'Collector Agent' on FortiGate, set the group filter on the FSSO Agent.

FSSO Agent -> Set Group Filters -> Add -> Default filter/FortiGate SN -> Advanced -> Mark the groups that need to be monitored -> Add.

[Screenshots: Set Group Filters -> Add -> Advanced group selection]

From the list, mark the groups that need to be monitored.

[Screenshot: marked groups in the group filter]

Going back to FortiGate, this is how the FSSO Agent configuration looks in the CLI.

[Screenshot: FSSO Agent configuration in the FortiGate CLI]

Now, trigger a Windows logon event with a domain user that is a member of the user groups specified in Group Filters on the FSSO Agent.

[Screenshot: Windows logon with the domain user]

Navigate to FSSO Agent -> Logon user list to verify the user event log.

[Screenshot: FSSO Agent Logon user list]

Now, on FortiGate, check the FSSO user database to confirm that the FSSO Agent sent the logon user event properly, including the IP address, workstation name, username and user groups.

On the FortiGate GUI -> Dashboard -> Users & Devices -> Firewall Users.

[Screenshot: Firewall Users dashboard widget]

Or in the CLI with 'diagnose firewall auth list':

[Screenshot: diagnose firewall auth list output]

Now, add the FSSO user groups to an IPv4 firewall policy to restrict or allow user access.
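
The following is an added example of the equivalent FortiGate CLI configuration for the steps above (the FSSO agent entry, an FSSO user group and a policy that uses it); it is not the article's own configuration. The agent name FSSO_CA, the Collector Agent address 10.0.0.10, the group names, the interface names and the policy ID are all assumed values, and the password is a placeholder.

```fortios
# Added example, not the article's own configuration. All names and
# addresses are constructed: 10.0.0.10 is the Collector Agent host,
# port2 is the LAN side and port1 the WAN side.

# 1. FSSO agent entry (Security Fabric -> External Connectors in the GUI).
#    Group source 'Collector Agent' is the default, so groups are learned
#    from the CA rather than defined here. A second CA for the active-passive
#    redundancy described above is added with 'set server2' / 'set password2'.
config user fsso
    edit "FSSO_CA"
        set server "10.0.0.10"
        set password CHANGEME-placeholder
        set port 8000
    next
end

# 2. FortiGate user group of type fsso-service. The member name must match
#    a group the CA actually pushes (one selected in Set Group Filters).
#    In Standard mode the CA sends a DOMAIN/GROUP style name; in Advanced
#    mode an LDAP DN such as "CN=Sales,CN=Users,DC=forti,DC=lab".
#    The Standard-mode name below is constructed.
config user group
    edit "FSSO_Sales"
        set group-type fsso-service
        set member "FORTI/SALES"
    next
end

# 3. Firewall policy that only matches traffic from users in that group.
#    Traffic from an IP with no FSSO logon does not match this policy and
#    falls through to later policies (or the implicit deny).
config firewall policy
    edit 10
        set name "Sales_to_Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_Sales"
        set nat enable
        set logtraffic all
    next
end
```

The important check after applying this is that the member name under 'config user group' exactly matches a group name the Collector Agent sends; if it does not, the logon still appears in 'diagnose firewall auth list' but the policy never matches and the user falls through to the next policy.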

If the user logon event is not seen in the 'Logon user list' on the FSSO Agent, first check 'Event Viewer -> Windows Logs' on the domain controller. Narrow down the logs using the 'Find' action and search for the username. In this example, the username is 'north'.

[Screenshot: Event Viewer search for the username 'north']

There have been cases where the logon user event was not present in FSSO Agent -> Logon user list because the logon event was not triggered, or was cached because of a Windows GPO, so the FSSO Agent had nothing to poll.

For testing purposes, it is possible to change the account used for Fortinet Single Sign-On to a domain admin account.

If the logged-in user then shows in the Collector Agent, it indicates that the permissions of the original account need to be checked on the AD side so that it can read the event logs.

Further verification can be done on the firewall or server side by running a packet capture on port 8000.
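
Added example of FortiGate-side verification commands for the checks described above; these are not commands taken from the article, and the Collector Agent address 10.0.0.10 is an assumed value.

```fortios
# Added example, not from the article. 10.0.0.10 is a constructed
# Collector Agent address.

# Is the FortiGate connected to the Collector Agent on TCP 8000?
diagnose debug authd fsso server-status

# Logons the FortiGate has learned from the CA (user, group, IP, workstation).
diagnose debug authd fsso list

# The same logons as seen by the firewall authentication table.
diagnose firewall auth list

# Ask the CA to resend its logon list if an entry looks stale.
diagnose debug authd fsso refresh-logons

# Packet capture of the FSSO channel itself (verbosity 4 shows interface
# names, 0 = no packet limit, l = local timestamps). Stop with Ctrl-C.
diagnose sniffer packet any 'host 10.0.0.10 and port 8000' 4 0 l
```

If server-status shows the CA as not connected, the capture tells you whether TCP 8000 is reachable at all; if the CA is connected but the list is empty, the problem is on the Windows side (the event log or the account permissions discussed above).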

To summarize how FortiGate learns usernames and groups:

  • Users log into a Windows machine and the Domain Controller authenticates them.
  • The Domain Controller records a logon event (e.g., Event ID 4624).
  • The FSSO Agent/Collector Agent frequently polls the event log on the DC.
  • The Collector Agent performs a DNS lookup of the machine name against the system DNS to resolve its IP address.
  • The Collector Agent performs a group lookup against the LDAP server.
  • The Collector Agent sends the username, workstation name, IP address and user groups to FortiGate.
  • The FortiGate firewall stores the logon information in its user database.
  • The logon is sent, and the user is authenticated.