Created on 04-28-2022 11:20 PM
Edited on 09-28-2023 12:52 AM
By Anthony_E
Describes
This article describes the configuration and verification steps for securing the connection between FortiGate and the FSSO Collector Agent with SSL and certificate verification.
Scope
FortiGate v6.2 and above.
Solution
By default, communication between FortiGate and the FSSO Collector Agent is not encrypted. Enabling the SSL connection with certificate verification encrypts this traffic and lets the FortiGate confirm that it is talking to the intended Collector Agent: the agent must present a certificate issued by a CA the FortiGate trusts, with a subject that matches the FQDN configured on the FortiGate.
Configuration Steps for Collector Agent:
- Install the FSSO Collector Agent as per the document below:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/573568/installing-the-fsso-agent
- Apply a certificate that will be used for this Collector Agent as per the screenshot below:
- If the Certification Authority that signed it delivered the certificate as a bundle (for example a PKCS#12 file containing the certificate, its private key and the issuing CA chain), the certificate and the private key must be extracted as separate files before they can be uploaded to the FSSO Collector Agent.
Note:
There are several tools that can extract the certificate and key. Use an offline tool such as OpenSSL: pasting the bundle into an online converter exposes the certificate's private key to a third party, and a key that has been exposed no longer proves that the FortiGate is talking to the genuine Collector Agent.
- A copy of the certificate and key files is stored in 'C:\Program Files (x86)\Fortinet\FSAE'. Optionally, the key file can be protected with a more restrictive NTFS ACL (for example, read access only for local administrators and the account the Collector Agent service runs under), but it must not be moved, since the Collector Agent reads it from that location.
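As an added example (not part of this article, and not a tool shipped with the Collector Agent), the following POSIX shell script performs the OpenSSL extraction and the three checks worth running before anything is uploaded: the private key belongs to the certificate, the certificate's identity is the FQDN that will be configured on the FortiGate, and the certificate chains to the CA file that will be imported on the FortiGate. It assumes a PKCS#12 bundle; when no bundle is supplied it generates a throwaway CA and agent certificate so that it runs offline. The names FSSO-CA and fsso-dc1.colombas.lab mirror the values used later in this article, and the bundle password is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: split a PKCS#12 bundle into the
# agent certificate, the agent private key and the issuing CA with OpenSSL, then
# run the checks that catch most "certificate verify failed" cases in advance.
# FSSO-CA, fsso-dc1.colombas.lab and the password below are assumptions that
# mirror the article's examples.
set -eu

WORK="${WORK:-$(mktemp -d)}"
AGENT_FQDN="${AGENT_FQDN:-fsso-dc1.colombas.lab}"
P12_PASS="${P12_PASS:-changeit}"
BUNDLE="${BUNDLE:-$WORK/bundle.p12}"

# Keep only PEM blocks: 'openssl pkcs12' prefixes "Bag Attributes" lines that
# some importers do not accept.
pem_only() { sed -n '/-----BEGIN/,/-----END/p'; }

# Test fixture only: a throwaway private CA, an agent certificate signed by it
# (subject CN and SAN set to the agent FQDN) and a PKCS#12 bundle of the kind a
# CA portal hands back. With a real CA, skip this and point BUNDLE at your file.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=FSSO-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$AGENT_FQDN" \
    -keyout "$WORK/agent.key" -out "$WORK/agent.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$AGENT_FQDN" > "$WORK/san.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/agent.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.ext" \
    -out "$WORK/agent.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/agent.key" -in "$WORK/agent.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$P12_PASS" -out "$BUNDLE"
}

# p12_part <pkcs12 selection options>: one part of the bundle as clean PEM on stdout.
p12_part() {
  openssl pkcs12 -in "$BUNDLE" -passin "pass:$P12_PASS" "$@" -out "$WORK/part.tmp"
  pem_only < "$WORK/part.tmp"
  rm -f "$WORK/part.tmp"
}

# Split the bundle into the three files the procedure needs.
extract_bundle() {
  # Leaf certificate only (-clcerts drops the CA certificates): goes to the agent.
  p12_part -clcerts -nokeys > "$WORK/fsso-agent.crt"
  # Private key without a passphrase (-nodes): the agent must read it unattended,
  # so protect the file with permissions instead.
  p12_part -nocerts -nodes > "$WORK/fsso-agent.key"
  chmod 600 "$WORK/fsso-agent.key"
  # Issuing CA chain: this is the file imported on FortiGate as the trusted CA.
  p12_part -cacerts -nokeys > "$WORK/fsso-ca.crt"
}

# Check 1: the private key belongs to the certificate (same SubjectPublicKeyInfo).
check_key_matches_cert() {  # <cert.pem> <key.pem>
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Check 2: the FQDN that goes into FortiGate's 'Primary FSSO agent' field is the
# certificate's identity (SAN dNSName, or the subject CN for older certificates).
check_name_matches() {  # <cert.pem> <fqdn>
  openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)" \
    || openssl x509 -in "$1" -noout -subject | grep -Eq 'CN ?= ?'"$2"'(,|/|$)'
}

# Check 3: the leaf verifies against the CA file that FortiGate will trust.
check_chain() {  # <ca.pem> <cert.pem>
  openssl verify -CAfile "$1" "$2" > /dev/null 2>&1
}

main() {
  [ -f "$BUNDLE" ] || make_fixture
  extract_bundle
  check_key_matches_cert "$WORK/fsso-agent.crt" "$WORK/fsso-agent.key" \
    || { echo "FAIL: private key does not match the certificate" >&2; exit 1; }
  check_name_matches "$WORK/fsso-agent.crt" "$AGENT_FQDN" \
    || { echo "FAIL: certificate is not issued to $AGENT_FQDN" >&2; exit 1; }
  check_chain "$WORK/fsso-ca.crt" "$WORK/fsso-agent.crt" \
    || { echo "FAIL: certificate does not chain to fsso-ca.crt" >&2; exit 1; }
  echo "OK: fsso-agent.crt + fsso-agent.key (Collector Agent), fsso-ca.crt (FortiGate) in $WORK"
}
main
```

Run it as-is to see the checks pass on the generated fixture, or with BUNDLE=/path/to/bundle.p12, P12_PASS and AGENT_FQDN set to the real values. fsso-agent.crt and fsso-agent.key are the files for the Collector Agent; fsso-ca.crt is the file to import on the FortiGate in the next section, and it is deliberately a different file from the agent certificate.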
Configuration Steps for FortiGate:
- Import CA Certificate to FortiGate. This certificate is the one that issued the certificate applied to Collector Agent.
- This can be done from System/Certificates. Click on 'Create/Import' and choose the option 'CA Certificate'.
- Navigate to the CA Certificate file. This is the issuing CA's certificate, not the certificate file previously uploaded to the Collector Agent.
- The certificate can be renamed to have a more descriptive name. By default, it will be listed under the section 'Remote CA Certificate' as 'CA_Cert_X' ('X' being the next available number if there are other CA Certificates already installed).
To rename it, access FortiGate CLI and run the following commands (FSSO-CA is used as an example):
FGT1-A # config vpn certificate ca
rename CA_Cert_X to FSSO-CA
end
Note:
If the issuer is a well-known CA, its CA Certificate may already be trusted by FortiGate. In that case the import fails with an error as shown below, but no further action is needed: the CA that is already present is the one to select in the next step.
The next step is to create a new Fabric Connector or modify an existing one. If a connector was already created as per the document below, it can be modified following the steps in the next screenshot.
https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/460616/fortinet-single-sign-...
- The field 'Primary FSSO agent' and the subsequent 'FSSO agent' fields (if more than one agent is used for redundancy) must contain the FQDN matching the Subject of the certificate applied to the Collector Agent. An IP address does not match a certificate issued to an FQDN, and the FQDN must be resolvable by the FortiGate.
- 'Trusted SSL certificate' must be the CA Certificate that issued the Collector Agent certificate.
After saving the change that enables 'Trusted SSL certificate' with the CA certificate, the listening port is automatically changed from 8000 to 8001, which matches the default SSL port of the Collector Agent.
Note:
In FortiOS 6.2, the default port configured for the FSSO connector is 8000, and it does not change automatically when the option 'Enable SSL/TLS connection' is set. The port must be set via CLI as follows (replace <DC1-FSSO-CA-SSL> with the connector name):
config user fsso
edit '<DC1-FSSO-CA-SSL>'
set port 8001
set ssl enable
set ssl-trusted-cert 'FSSO-CA'
next
end
Verification of Configuration:
From the FortiGate CLI, with the following commands:
FGT1-A # diagnose debug enable
FGT1-A # show user fsso DC1-FSSO-CA-SSL
config user fsso
edit 'DC1-FSSO-CA-SSL'
set server 'fsso-dc1.colombas.lab'
set port 8001
set password ENC xxxxxxxxxxxxxx
set ssl enable
set ssl-trusted-cert 'FSSO-CA'
next
end
FGT1-A # diagnose debug authd fsso server-status
Server Name          Connection Status    Version         Address
-----------          -----------------    -------         -------
DC1-FSSO-CA-SSL      connected            FSSO 5.0.0304   fsso-dc1.colombas.lab
FGT1-A # diagnose debug authd fsso summary
----FSSO logons----
Total number of users logged on: 1
----end of FSSO logons----
FGT1-A # diagnose debug authd fsso list
----FSSO logons----
IP: 172.16.3.30  User: CARLOS  Groups: CN=ESCALATIONS,CN=USERS,DC=COLOMBAS  Workstation: WIN10-1
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
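If the connection status is not 'connected' after enabling SSL, the same validation the FortiGate performs (chain to the trusted CA plus hostname match) can be reproduced from any admin host that can reach the Collector Agent, without waiting for FortiGate debug output. The following is an added example, not part of this article or of Fortinet's tooling; it assumes the Collector Agent performs a standard TLS handshake on its SSL port and that the CA file is the same one imported on the FortiGate. Host, port and CA file are arguments; the values shown mirror the article's example.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: check the Collector Agent's
# certificate from an admin host the way FortiGate checks it when
# 'ssl-trusted-cert' is set. Assumes OpenSSL 1.1.1 or later on the admin host.
set -eu

# check_fsso_tls <agent-fqdn> <port> <ca.pem>
# Succeeds only when the presented certificate chains to ca.pem AND its identity
# (SAN or subject CN) matches the FQDN: the same two conditions FortiGate enforces.
# -verify_return_error makes s_client abort, not just warn, on a verify failure.
check_fsso_tls() {
  out=$(openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" \
          -CAfile "$3" -verify_return_error < /dev/null 2>&1) || {
    printf 'TLS check against %s:%s failed\n%s\n' "$1" "$2" "$out" >&2
    return 1
  }
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# show_agent_cert <agent-fqdn> <port>
# Print what the agent actually presents, to compare with the file uploaded to it.
show_agent_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts < /dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
    | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

# Usage (values mirror the article's example; run with a reachable agent):
#   check_fsso_tls fsso-dc1.colombas.lab 8001 fsso-ca.crt && echo "agent certificate OK"
#   show_agent_cert fsso-dc1.colombas.lab 8001
```

In the failure output, 'Verify return code: 62 (hostname mismatch)' means the name configured on the FortiGate is not the certificate's identity, and codes 20 or 21 (unable to get or verify the issuer certificate) mean the CA file is not the one that issued the agent certificate, or the agent is still presenting an older certificate.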
From FortiGate GUI:
Logs under 'Log & Report/Events/User Events'
From 'Firewall Users' Widget:
From Collector Agent Service Status:
From the Collector Agent login users list: