FortiGate
lfrancelj
Staff
Article Id 191577

Description


This article describes the configuration of FSSO Collector Agent redundancy with multiple (two in this example) Windows AD LDAP servers and two Fortinet DC Agents.
 
The FortiGate connects to the available FSSO Collector Agent to retrieve the logon list and validate authenticated users.

Both Windows AD servers are configured to authenticate user logons (multiple domain controllers).

An FSSO Collector Agent and a DC Agent are installed on each Windows AD server.

Scope

 

FSSO, FortiGate.


Solution

 

Configuration

FSSO Collector Agents listen on TCP port 8000 and UDP port 8002; ensure that Windows Firewall is not blocking these ports.
 
  • FortiGate communicates with the FSSO CA via TCP port 8000.
  • DC Agent communicates with the FSSO CA via UDP port 8002.
  • DC Agent with SSL enabled communicates with the FSSO CA via TCP port 8003.

In this example:
 
  • 1st Windows AD IP=10.10.10.1
  • 2nd Windows AD IP=10.10.10.2

Install the latest FSSO Collector Agent software and DC Agent on both Windows AD servers, and follow these four steps:

  1. FSSO Collector Agent software installation.

Select Next and Install. This will then launch the 'DC Agent Install Wizard'.

 
  2. DC Agent software installation.

Accept the default values and select Next, then select the domain to monitor and any users that are not to be monitored, leave the working mode at the default (DC Agent Working Mode), and select Finish.


  3. DC Agent Configuration Utility software installation.

Select Next, then list both IP addresses where the two Collector Agents are installed.


Select Next, Install and Finish.

Both DC Agents are now configured to send logon events to both Collector Agents. This can be checked with the DC Agent Configuration Utility GUI.


It can also be checked by looking at the following registry key:

[Screenshot: DC Agent registry key listing the configured Collector Agents]

Diagram:

FortiGate <---> FSSO CA <---> DC Agents <---> WINDOWS AD
 
  4. To exclude certain IP addresses from logon events collected in polling or DC Agent mode (no effect for TS Agent), use the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent
 
(Only individual IP addresses can be added to this list. Adding IP ranges/subnets is not yet supported.)
 
Value name: 'dc_agent_ignore_ip_list'.
Value data: semicolon-separated list of IP addresses to be ignored by the Collector Agent.
 
 
In this example of 'dc_agent_ignore_ip_list', logon events reported for the DCs 10.10.10.1 and 10.10.10.2 are ignored.
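As an added example (not part of the Fortinet article), the following PowerShell sets the ignore list described above on the Collector Agent host, refusing ranges and subnets since only single addresses are supported, and then checks the listening ports and inbound firewall rules listed under Configuration. It assumes the value is stored as a REG_SZ string and reuses the article's example DC addresses.

```powershell
# Added example, not Fortinet's code. Run as an administrator on the Windows AD
# server that hosts the FSSO Collector Agent.
# Assumption: dc_agent_ignore_ip_list is a REG_SZ (string) value.
$KeyPath   = 'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent'
$ValueName = 'dc_agent_ignore_ip_list'
$IgnoreIps = @('10.10.10.1', '10.10.10.2')   # the article's example DCs

# Only single IPv4 addresses are supported (no ranges/subnets), so reject
# anything that is not a plain dotted-quad before touching the registry.
function Test-PlainIPv4 {
    param([string]$Ip)
    if ($Ip -match '[/-]') { return $false }               # CIDR or range notation
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $parsed = $null
    return [System.Net.IPAddress]::TryParse($Ip, [ref]$parsed)
}
$bad = $IgnoreIps | Where-Object { -not (Test-PlainIPv4 $_) }
if ($bad) { throw "Unsupported entries (single IPv4 addresses only): $($bad -join ', ')" }

# Write the semicolon-separated list; -Force overwrites an existing value.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String `
    -Value ($IgnoreIps -join ';') -Force | Out-Null
Write-Host "$ValueName =" (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName

# Confirm the Collector Agent is listening where the FortiGate (TCP 8000),
# DC Agents (UDP 8002) and SSL-enabled DC Agents (TCP 8003) expect it.
$tcpListen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
foreach ($port in 8000, 8003) {
    $ok = [bool]($tcpListen | Where-Object LocalPort -eq $port)
    Write-Host ("TCP {0} listening: {1}" -f $port, $ok)
}
$udpOk = [bool](Get-NetUDPEndpoint -LocalPort 8002 -ErrorAction SilentlyContinue)
Write-Host "UDP 8002 bound: $udpOk"

# Check Windows Firewall for an enabled inbound allow rule on each port.
$ports = @(@{Proto='TCP'; Port=8000}, @{Proto='UDP'; Port=8002}, @{Proto='TCP'; Port=8003})
foreach ($p in $ports) {
    $rules = Get-NetFirewallPortFilter -Protocol $p.Proto |
        Where-Object { $_.LocalPort -eq $p.Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    Write-Host ("Firewall inbound allow rule for {0} {1}: {2}" -f $p.Proto, $p.Port, [bool]$rules)
}
```

A missing TCP 8003 listener is expected when DC Agents are not using SSL. Registry changes are normally picked up only after the Collector Agent service is restarted; confirm this against the related Fortinet article.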
 
 
 
Verification of Configuration and troubleshooting

The FortiGate is configured with a list of available FSSO CAs as shown below.
 
 
 
config user fsso
    edit "DC-1"
        set server "10.10.10.1"
        set password ENC ***
        set server2 "10.10.10.2"
        set password2 ENC ***
    next
end
 
The FortiGate is configured with a list of LDAP Servers as shown below.
 
config user ldap
    edit "WindowsAD-1"
        set server "10.10.10.1"
        set cnid "cn"
        set dn "test.net"
        set type regular
        set username "admin"
        set password ENC ***
    next
    edit "WindowsAD-2"
        set server "10.10.10.2"
        set cnid "cn"
        set dn "test.net"
        set type regular
        set username "admin"
        set password ENC ***
    next
end
 
The FortiGate connects to the first available FSSO CA to retrieve logon events.
 
If this FSSO CA fails, it connects to the next available one in the list, and so on.
 
There is no primary-backup mechanism in the FortiGate-FSSO CA relationship.
 
The other FSSO Collector Agents are used as failover if the first configured one is not available.
 
In the FSSO Collector Agent, 'Show Service Status' displays the serial number and IP address of the connected FortiGate.
 
In the FSSO Collector Agent, 'Show Monitor DC' shows both DC Agent IP addresses together with the last KEEPALIVE packets received from the DCs.
 
 
Debugging can be turned on in the Collector Agent: set the log level to debugging and the log file size to 100MB (maximum 1024MB).
Logs are stored in the program directory.

Useful commands to troubleshoot on FortiGate:

List FSSO logon users on the FortiGate.
 
diag debug authd fsso list
 
List authenticated users on the FortiGate.
 
diag firewall auth list
 
List the connected FSSO CAs.
 
diag debug reset
diag debug enable
diag debug authd fsso server-status
 
Debug the authentication process.
 
diag debug reset
diag debug console timestamp enable
diag debug application authd -1
diag debug application fnbamd -1
diag debug enable
 
Stop the debugging output.
 
diag debug reset
diag debug disable
 
By default, debugging is enabled for 30 minutes.
 

Related article:

Technical Tip: Excluding IP addresses from FSSO logon events