Created on 10-28-2022 03:33 AM Edited on 08-13-2024 05:44 AM By Stephen_G
This article describes how to set up FortiGate with one of the FSSO Agent working modes: the Collector Agent polling logon sessions from a Domain Controller running Windows Server 2019.
FortiGate, FSSO Collector Agent.
Fortinet Single Sign-On (FSSO) allows a user to log in once and access services without re-entering logon credentials. The FSSO Collector Agent (CA) can work in DC Agent mode or Polling mode. In Polling mode, the CA polls port 445 of each DC for user logon information every few seconds and forwards it to the FortiGate unit.
On FortiGate (v7.2.2 in this example), configure the connector through the GUI as 'FSSO Agent on Windows AD'.
Navigate to Security Fabric -> External Connectors -> Create New -> FSSO Agent on Windows AD.
Configure the IP address of the server where the FSSO Agent is installed, the password, and the group source. A maximum of 5 FSSO Agents can be created under the same entry. FSSO redundancy works on the active-passive principle: the FortiGate latches on to the first FSSO CA in the list if it replies. Once the first one becomes unresponsive, it falls back to the secondary one and stays on it until the secondary becomes unresponsive. Afterwards, it checks whether the first one is available again.
Regarding the group source, there are two options, as seen in the screenshot:
Collector Agent: user groups are pushed to the FortiGate from the Collector Agent.
Local: the user groups are specified in this FortiGate's config and pushed to the Collector Agent.
In this case, use the Collector Agent group source, which means that the FSSO Agent pushes all the user groups specified in its group filter to the FortiGate.
The FSSO Agent must then operate in Standard Mode. If the group source 'Local' is selected, the FSSO Agent must operate in Advanced Mode.
FSSO Agent -> Set Directory Access Information.
Standard mode: In this mode, the FSSO Agent receives group information in the format of domain\user.
Advanced mode: The FSSO Agent receives user group information in the format of an LDAP Distinguished Name (DN), for example, CN=Users,DC=forti,DC=lab. The benefit of this method is that the Collector Agent is able to parse nested groups.
When using the user group source 'Collector Agent' on the FortiGate, set the group filter on the FSSO Agent.
FSSO Agent -> Set Group Filters -> Add -> Default filter/FortiGate SN -> Advanced -> Mark the groups that need to be monitored -> Add.
The groups marked in the list are the ones that will be monitored.
Going back to the FortiGate, this is how the FSSO Agent config looks in the CLI.
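The CLI equivalent of the GUI steps above, as an added example that is not taken from the article. It assumes a connector named "FSSO_CA", a primary Collector Agent at 10.10.10.10 with an optional secondary at 10.10.10.11, and placeholder passwords; all of these are assumptions to be replaced with real values.

```fortios
# Added example of the FortiGate CLI equivalent of the GUI steps above.
# Assumptions (not from the article): connector name "FSSO_CA", Collector Agents
# at 10.10.10.10 / 10.10.10.11, passwords are placeholders.
config user fsso
    edit "FSSO_CA"
        # Primary Collector Agent; the FortiGate stays on this one while it replies
        set server "10.10.10.10"
        set password "<CA-password-placeholder>"
        # Optional secondary Collector Agent (up to five servers can be listed);
        # used only after the primary stops responding
        set server2 "10.10.10.11"
        set password2 "<CA-password-placeholder>"
        # Group source "Collector Agent": no ldap-server is configured here, so the
        # group list comes from the Collector Agent's group filter (Standard Mode)
    next
end
```

The Collector Agent listens on TCP port 8000 by default, which is the port to allow between the FortiGate and the server and the one referred to in the packet-capture check later in the article.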
Now, trigger a Windows logon event with a domain user that is a member of one of the user groups specified in Group Filters on the FSSO Agent.
Navigate to FSSO Agent -> Logon user list to verify the user logon event.
Now, on the FortiGate, check the FSSO user database to verify that the FSSO Agent sent the logon user event properly, containing the IP address, workstation name, username and user groups.
On FortiGate GUI -> Dashboard -> User & Devices -> Firewall Users.
Or in CLI with diag firewall auth list:
Now, add the FSSO user groups to an IPv4 firewall policy to restrict or allow user access.
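The corresponding CLI for the user group and policy, as an added example that is not taken from the article. It assumes the Collector Agent pushes a group named "FORTI/FSSO_USERS" in Standard Mode (domain/group format), that the LAN and WAN interfaces are "port2" and "port1", and uses the group and policy names shown; all of these are assumptions.

```fortios
# Added example (not from the article): an FSSO user group on the FortiGate and a
# firewall policy restricted to its members.
# Assumptions: pushed group "FORTI/FSSO_USERS", LAN "port2", WAN "port1".
config user group
    edit "FSSO_USERS_GRP"
        # fsso-service groups are populated from the Collector Agent's logon list
        set group-type fsso-service
        # The member name must match exactly what the Collector Agent pushes
        set member "FORTI/FSSO_USERS"
    next
end

config firewall policy
    edit 0
        set name "FSSO_allow_internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Only traffic from a source IP currently mapped to a member of this group
        # matches; other traffic falls through to later policies or the implicit deny
        set groups "FSSO_USERS_GRP"
        set nat enable
    next
end
```

Because the match is on the IP-to-user mapping learned from the Collector Agent, a workstation whose logon event was never polled will not match this policy even if the user is a group member, which is why the verification steps below matter before relying on the policy.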
If the user logon event is not seen in the 'Logon user list' on the FSSO Agent, first check 'Event Viewer -> Windows Logs' on the domain controller. Narrow down the logs using the 'Find' action and search for the username. In this example, the username is 'north'.
There have been cases where the logon user event was not present in FSSO Agent -> Logon user list because the logon event was not triggered, or was cached due to a Windows GPO, so the FSSO Agent had nothing to poll.
For testing purposes, it is possible to change the account used for Fortinet Single Sign-On to a domain admin account.
If the logged-in user shows in the Collector Agent, it indicates that the account permissions for that user need to be checked on the AD side in order to read event logs.
Further verification can be done on the firewall or server side by running a packet capture on port 8000.
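The FortiGate-side diagnostic commands that cover the checks described above, as an added example that is not taken from the article. They assume a connector entry exists (any name); no other assumptions.

```fortios
# Added troubleshooting commands (not from the article) for the FortiGate side.

# Connection state to each configured Collector Agent: shows whether the
# FortiGate is currently connected and which server it has latched on to
diagnose debug authd fsso server-status

# Logon list as received from the Collector Agent (IP, user, workstation, groups);
# an empty or stale list points at the Collector Agent / DC polling side
diagnose debug authd fsso list

# Ask the Collector Agent to resend its current logon list
diagnose debug authd fsso refresh-logons

# Authenticated users in the firewall user database (same data as Firewall Users)
diagnose firewall auth list

# Packet capture of the FortiGate <-> Collector Agent channel (TCP 8000):
# verbose level 4, unlimited packet count, local timestamps; stop with Ctrl-C
diagnose sniffer packet any 'port 8000' 4 0 l
```

If `server-status` shows the connector as not connected while the capture on port 8000 shows no reply from the server, the problem is between the FortiGate and the Collector Agent (reachability, password or the agent service); if the connection is up but `fsso list` is empty, the Collector Agent itself has not collected the logon event, which is the DC-side check described above.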
To summarize how FortiGate learns of username/groups:
Copyright 2024 Fortinet, Inc. All Rights Reserved.