FortiGate
ebujedo
Staff
Article Id 190990

Description

 

This article gives an example of configuring a local FSSO agent on the FortiGate and basic troubleshooting scenarios.

Solution

 

The FortiGate's built-in FSSO agent polls the Windows Security event log on a Windows Domain Controller (DC) for user logon events and records which user is logged on at which IP address.
The resulting FSSO user groups can then be used as the source of a firewall policy.

This method does not require any additional software components, and all the configuration can be done on the FortiGate.

To configure a local FSSO agent on the FortiGate:

1) Configure an LDAP server on the FortiGate.
2) Configure a local FSSO polling connector.
3) Add the FSSO groups to a policy.

Example.

To configure an LDAP server on the FortiGate:

1) Go to User & Device -> LDAP Servers.
2) Select 'Create New'.
3) Fill in the required information (DC address, Common Name Identifier, Distinguished Name, bind type and bind credentials).


 
To configure a local FSSO polling connector:

1) Go to Security Fabric -> Fabric Connectors.
2) Select 'Create New'.
3) In the SSO/Identity section, select Poll Active Directory Server.
4) Fill in the required information (DC address, an account that can read the DC's Security event log, the LDAP server created above, and the AD groups to monitor).
 
 
FSSO groups can be used in a policy by either adding them to the policy directly, or by adding them to a local user group and then adding the group to a policy.


To add the FSSO groups directly to a firewall policy:

1) Go to Policy & Objects -> IPv4 Policy.
2) Select 'Create New'.
3) Select the Source field.
4) In the Select Entries pane, select the User tab.
5) Select the FSSO groups.

 
6) Configure the remaining settings as required.
7) Select 'OK'.
 
To add the FSSO groups to a local user group, and then add the local group to a policy:
 
1) Go to User & Authentication -> User Groups.
2) Select 'Create New'.
3) Give the group a name and set 'Type' to Fortinet Single Sign-On (FSSO).
4) Under 'Members', select the AD group from the external connector (shown as 'Local FSSO Agent'), then select 'OK'.
 
KB-ADPoll.png
 
5) After the local FSSO user group has been created, it can be added to a firewall policy's Source field; it is listed under 'USER GROUP'.
 
KB-AdPoll2.png

Troubleshooting.

If an authenticated AD user cannot access the internet or pass the firewall policy, verify the local FSSO user list:

diagnose debug authd fsso list
----FSSO logons----
IP: 10.1.100.188 User: test2 Groups: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM Workstation:
MemberOf: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
 
1) Check that the group in MemberOf is allowed by the policy.
2) If the user is not in the list, one of the following may apply:
- The FortiGate missed the logon event, which can happen if many users log in at the same time.
- The user's workstation could not reach the DC and logged in with cached credentials, so no logon event was written to the DC's Security event log.
3) If there are no users in the local FSSO user list:

- Ensure that the local FSSO agent is working correctly:

diagnose debug enable
diagnose debug authd fsso server-status

Server Name               Connection Status              Version                    Address
Local FSSO Agent      connected                           FSAE server 1.1     127.0.0.1
=======> The connection status must be connected.
 
- Verify the Active Directory connection status:

diagnose debug fsso-polling detail 1

AD Server Status (connected):
ID=1, name(10.1.100.131),ip=10.1.100.131,source(security),users(0)
port=auto username=Administrator
read log eof=1, latest logon timestamp: Fri Jul 26 10:36:20 2019
polling frequency: every 10 second(s) success(274), fail(0)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
LDAP status: connected
Group Filter: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=com+CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM
 
If the polling counters show both successes and failures, the DC is intermittently unreachable: sporadic network problems or a very busy DC.
If they show failures and no successes, the polling account's credentials are probably wrong.
If the LDAP status is connected, the FortiGate can reach the configured LDAP server.
 
The LDAP connection is required for AD group membership lookup because the Windows Security event log does not contain group membership information.
For each authenticated user, the FortiGate sends an LDAP search for the user's group membership to the configured LDAP server.
The FortiGate adds the user to the local FSSO user list only if at least one of the user's groups is in the Group Filter.

4) If necessary, capture debug output from the local FSSO polling daemon and the related LDAP and authentication daemons (the output is verbose, so run 'diagnose debug disable' once the capture is complete):
 
diagnose debug console timestamp enable
diagnose debug application fssod -1
diagnose debug application fsso_ldap -1
diagnose debug application authd -1
diagnose debug enable
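The numbered checks above can be applied mechanically to captured CLI output. The following Python script is an added example, not Fortinet code and not part of the original article: it parses the 'diagnose debug authd fsso list' and 'diagnose debug fsso-polling detail' output formats shown above and reports which check fails. The two sample outputs are constructed to match the article's format, and the diagnose() function, its policy_groups argument (the group DNs selected in the firewall policy) and the finding texts are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "diagnose debug authd fsso list" output in
# the article (not captured from a real device).
FSSO_LIST = """\
----FSSO logons----
IP: 10.1.100.188 User: test2 Groups: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM Workstation:
MemberOf: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
"""

# Constructed sample, modelled on "diagnose debug fsso-polling detail 1".
POLLING_DETAIL = """\
AD Server Status (connected):
ID=1, name(10.1.100.131),ip=10.1.100.131,source(security),users(0)
port=auto username=Administrator
read log eof=1, latest logon timestamp: Fri Jul 26 10:36:20 2019
polling frequency: every 10 second(s) success(274), fail(0)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
LDAP status: connected
Group Filter: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM+CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM
"""


@dataclass
class Logon:
    ip: str
    user: str
    member_of: list


# One logon entry per line; Workstation may be empty, as in the article's output.
LOGON_RE = re.compile(
    r"^IP:\s*(\S+)\s+User:\s*(\S+)\s+Groups:\s*(.*?)\s+Workstation:\s*(\S*)$")


def split_groups(s):
    # FortiOS joins several DNs with '+'; the DNs themselves contain commas.
    # AD DNs are case-insensitive, so compare them in lower case.
    return [g.strip().lower() for g in s.split("+") if g.strip()]


def parse_fsso_list(text):
    logons = []
    for line in text.splitlines():
        line = line.strip()
        m = LOGON_RE.match(line)
        if m:
            logons.append(Logon(ip=m.group(1), user=m.group(2),
                                member_of=split_groups(m.group(3))))
        elif line.startswith("MemberOf:") and logons:
            # MemberOf holds the LDAP lookup result and is what the policy matches on.
            logons[-1].member_of = split_groups(line.split(":", 1)[1])
    return logons


def parse_polling_detail(text):
    info = {"status": None, "success": 0, "fail": 0,
            "ldap_status": None, "group_filter": []}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"AD Server Status \((\w+)\)", line):
            info["status"] = m.group(1)
        elif m := re.match(r"polling frequency: .*success\((\d+)\), fail\((\d+)\)", line):
            info["success"], info["fail"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"LDAP status:\s*(\S+)", line):
            info["ldap_status"] = m.group(1)
        elif m := re.match(r"Group Filter:\s*(.*)", line):
            info["group_filter"] = split_groups(m.group(1))
    return info


def diagnose(user_ip, policy_groups, fsso_list_text, polling_text):
    """Apply the article's troubleshooting checks; an empty list means all checks passed."""
    findings = []
    polling = parse_polling_detail(polling_text)
    logons = parse_fsso_list(fsso_list_text)
    allowed = {g.lower() for g in policy_groups}

    # Step 3: state of the polling connector and of its LDAP group lookups.
    if polling["status"] != "connected":
        findings.append("polling connector is not connected to the DC")
    if polling["success"] and polling["fail"]:
        findings.append("polling fails intermittently: network problems or a busy DC")
    elif polling["fail"] and not polling["success"]:
        findings.append("polling never succeeds: check the polling account's credentials")
    if polling["ldap_status"] != "connected":
        findings.append("LDAP not connected: group membership lookups will fail")
    if not any(g in allowed for g in polling["group_filter"]):
        findings.append("no policy group is in the Group Filter: matching users are never listed")

    # Steps 1 and 2: is the user listed, and is one of its groups allowed by the policy?
    logon = next((l for l in logons if l.ip == user_ip), None)
    if not logons:
        findings.append("FSSO logon list is empty: check the local FSSO agent and polling status")
    elif logon is None:
        findings.append(f"{user_ip} not in FSSO list: missed logon event or cached-credential logon")
    elif not any(g in allowed for g in logon.member_of):
        findings.append(f"{logon.user} is listed but none of its groups is allowed by the policy")
    return findings


if __name__ == "__main__":
    for f in diagnose("10.1.100.188",
                      ["CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM"],
                      FSSO_LIST, POLLING_DETAIL):
        print(f)
```

Paste the real output of the two diagnose commands into the two strings (or read them from files) and pass the group DNs that the firewall policy actually references; each finding corresponds to one of the numbered checks above, so an empty result means the problem lies elsewhere, for example in the policy's interfaces, addresses or schedule.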