FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ebujedo
Staff
Staff
Description
This article gives an example of configuring a local FSSO agent on the FortiGate and basic troubleshooting scenarios.

Solution
The FortiGate’s agent (inbuilt agent program) actively pools Windows security event log entries on Windows Domain Controller (DC) for user log in information.
The FSSO user groups can then be used in a firewall policy.

This method does not require any additional software components, and all the configuration can be done on the FortiGate.

To configure a local FSSO agent on the FortiGate.

1) Configure an LDAP server on the FortiGate.
2) Configure a local FSSO polling connector.
3) Add the FSSO groups to a policy.

Example.

To configure an LDAP server on the FortiGate.

1)Go to User & Device -> LDAP Servers.
2) Select 'Create New'.
3) Fill in the required information.





To configure a local FSSO polling connector.

1) Go to Security Fabric -> Fabric Connectors.
2) Select 'Create New'.
3) In the SSO/Identity section, select Poll Active Directory Server.
4) Fill in the required information.





FSSO groups can be used in a policy by either adding them to the policy directly, or by adding them to a local user group and then adding the group to a policy.

To add the FSSO groups directly to a firewall policy.

1) Go to Policy & Objects -> IPv4 Policy.
2) Select 'Create New'.
3) Select the Source field.
4) In the Select Entries pane, select the User tab.
5) Select the FSSO groups.





6) Configure the remaining settings as required.
7) Select 'OK'.

Troubleshooting.

If an authenticated AD user cannot access the internet or pass the firewall policy, verify the local FSSO user list:
# diagnose debug authd fsso list
----FSSO logons----
IP: 10.1.100.188 User: test2 Groups: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM Workstation:
MemberOf: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
1) Check that the group in MemberOf is allowed by the policy.
- The FortiGate missed the log in event, which can happen if many users log in at the same time.
- The user's workstation is unable to connect to the DC, and is currently logged in with cached credentials, so there is no entry in the DC security event log.
3) If there are no users in the local FSSO user list.

- Ensure that the local FSSO agent is working correctly:
# diagnose debug enable
# diagnose debug authd fsso server-status

Server Name               Connection Status              Version                    Address
Local FSSO Agent      connected                           FSAE server 1.1     127.0.0.1
=======> The connection status must be connected.
- Verify the Active Directory connection status:
# diagnose debug fsso-polling detail 1
AD Server Status (connected):
ID=1, name(10.1.100.131),ip=10.1.100.131,source(security),users(0)
port=auto username=Administrator
read log eof=1, latest logon timestamp: Fri Jul 26 10:36:20 2019
polling frequency: every 10 second(s) success(274), fail(0)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
LDAP status: connected
Group Filter: CN=group2,OU=Testing,DC=Fortinet-
FSSO,DC=com+CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM
If the polling frequency shows successes and failures, that indicates sporadic network problems or a very busy DC.
If it indicates no successes or failures, then incorrect credentials could be the issue.
If the LDAP status is connected, then the FortiGate can access the configured LDAP server.

This is required for AD group membership lookup of authenticated users because the Windows security event log does not include group membership information.
The FortiGate sends an LDAP search for group membership of authenticated users to the configured LDAP server.
FortiGate adds authenticated users to the local FSSO user list only if the group membership is one of the groups in Group Filter.

4) If necessary, capture the output of the local FortiGate daemon that polls Windows Security Event logs:
# diagnose debug application fssod -1
# diagnose debug application fsso_ldap
# diagnose debug application authd -1

Contributors