CarlosColombini
Article Id 210850

Describes

 

This article describes the steps to configure and verify a secure SSL connection, with certificate verification, between FortiGate and the FSSO Collector Agent.

 

Scope

 

FortiGate v6.2 and above.

 

Solution

 

By default, communication between FortiGate and the FSSO Collector Agent is not encrypted. An SSL connection with certificate verification can be configured to secure this traffic.

Configuration Steps for Collector Agent:

 

  1. Install the FSSO Agent as described in the document below:
    https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/573568/installing-the-fsso-agent
  2. Apply a certificate that will be used for this Collector Agent, as shown in the screenshot below:

[Screenshot: applying the certificate to the Collector Agent]

 

  3. If the Certification Authority that signed the certificate provided it as a bundle, the certificate and private key need to be extracted into separate files before they are uploaded to the FSSO Collector Agent.

 

Note:

There are several tools that can perform the certificate and key extraction. An offline tool such as OpenSSL is recommended, rather than exposing the certificate's private key to an online tool.

 

  4. Copy the certificate and key files to 'C:\Program Files (x86)\Fortinet\FSAE'. Optionally, the key file can be protected with more restrictive permissions, but it must not be moved, as that would affect Collector Agent operation.

 

Configuration Steps for FortiGate:

  1. Import the CA certificate to FortiGate. This is the certificate of the CA that issued the certificate applied to the Collector Agent.
  2. This can be done from System/Certificates: click 'Create/Import' and choose the option 'CA Certificate'.
  3. Navigate to the CA certificate file. This is not the same certificate file previously uploaded to the Collector Agent.
  4. The certificate can be renamed to something more descriptive. By default, it is listed under the section 'Remote CA Certificate' as 'CA_Cert_X' ('X' being the next available number if other CA certificates are already installed).
    To rename it, access the FortiGate CLI and run the following commands (FSSO-CA is used as an example):

 

FGT1-A # config vpn certificate ca
    rename CA_Cert_X to FSSO-CA
end

 

Note:

If the issuer is a well-known CA, its CA certificate may already be trusted by FortiGate. If that is the case, an error is shown as below, but no further action is needed.

[Screenshot: error shown when the CA certificate is already trusted by FortiGate]

 

The next step is to create a new Fabric Connector or modify an existing one. If a connector has already been created as per the document below, it can be modified following the steps shown in the next screenshot.

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/460616/fortinet-single-sign-...

 

  1. The 'Primary FSSO agent' field (and any additional 'FSSO agent' fields, if more than one Collector Agent is used for redundancy) must contain the FQDN matching the Subject of the certificate applied to the Collector Agent.
  2. 'Trusted SSL certificate' must be the CA certificate that issued the Collector Agent certificate.
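The following script is an added example (not part of the original article) that performs the certificate and key extraction from step 3 of the Collector Agent section offline with OpenSSL, and then checks the two properties this connector configuration depends on: that the certificate name matches the FQDN entered as 'Primary FSSO agent', and that the certificate chains to the CA that will be selected as 'Trusted SSL certificate'. The function name, argument order, output file names and the PKCS#12 input format are assumptions of this example; accepting a DNS SAN in addition to the Subject CN is also this example's own choice.

```shell
# Added example (not from the Fortinet article): split a PKCS#12 bundle into
# the certificate, private key and CA files the Collector Agent and FortiGate
# need, offline with OpenSSL, and check the properties the connector relies on:
#   1. the certificate and private key belong together,
#   2. the certificate chains to the CA that becomes 'Trusted SSL certificate',
#   3. the certificate name equals the FQDN entered as 'Primary FSSO agent'.
# Function name, argument order and output file names are this example's own.
# Usage: fsso_prepare_cert bundle.p12 '<bundle password>' fsso-dc1.colombas.lab ./fsso-out
fsso_prepare_cert() {
    bundle=$1; bundle_pw=$2; fqdn=$3; outdir=$4
    mkdir -p "$outdir" || return 1

    # Extract the three pieces; a wrong password or corrupt bundle fails here.
    openssl pkcs12 -in "$bundle" -passin "pass:$bundle_pw" -clcerts -nokeys \
        -out "$outdir/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -in "$bundle" -passin "pass:$bundle_pw" -nocerts -nodes \
        -out "$outdir/key.pem" 2>/dev/null || return 1
    openssl pkcs12 -in "$bundle" -passin "pass:$bundle_pw" -cacerts -nokeys \
        -out "$outdir/ca.pem" 2>/dev/null || return 1
    # The key file stays in place but is readable by its owner only.
    chmod 600 "$outdir/key.pem" || return 1

    # 1. The public key derived from the private key must match the cert.
    cert_pub=$(openssl x509 -in "$outdir/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$outdir/key.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key.pem does not match cert.pem" >&2; return 1; }

    # 2. ca.pem must actually verify cert.pem, or FortiGate will reject it.
    openssl verify -CAfile "$outdir/ca.pem" "$outdir/cert.pem" >/dev/null 2>&1 \
        || { echo "cert.pem does not chain to ca.pem" >&2; return 1; }

    # 3. FortiGate compares the FQDN it connects to with the certificate name.
    #    A DNS SAN is accepted here as well as the Subject CN (example's choice).
    cn=$(openssl x509 -in "$outdir/cert.pem" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    san=$(openssl x509 -in "$outdir/cert.pem" -noout -ext subjectAltName 2>/dev/null || true)
    if [ "$cn" != "$fqdn" ] && ! printf '%s\n' "$san" | tr ',' '\n' \
            | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$fqdn"; then
        echo "certificate name '$cn' does not match FQDN '$fqdn'" >&2
        return 1
    fi
    echo "cert.pem, key.pem and ca.pem written to $outdir"
}
```

The resulting cert.pem and key.pem are the two files uploaded to the Collector Agent, and ca.pem is the file imported on FortiGate under 'CA Certificate'.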

 

After saving the change that enables 'Trusted SSL certificate' with the CA certificate, the listening port is automatically changed from 8000 to 8001, which matches the default SSL port of the Collector Agent.

[Screenshot: Fabric Connector settings with 'Trusted SSL certificate' enabled]

 

Note:

In FortiOS 6.2, the default port configured for the FSSO connector is 8000, and it does not change automatically when the option 'Enable SSL/TLS connection' is set. The port must be configured via the CLI as below:

 

config user fsso
    edit '<DC1-FSSO-CA-SSL>'
        set port 8001
        set ssl enable
        set ssl-trusted-cert 'FSSO-CA'
    next
end


Verification of Configuration:

From the FortiGate CLI, with the following commands:

diagnose debug enable
show user fsso DC1-FSSO-CA-SSL

config user fsso
    edit 'DC1-FSSO-CA-SSL'
        set server 'fsso-dc1.colombas.lab'
        set port 8001
        set password ENC xxxxxxxxxxxxxx
        set ssl enable
        set ssl-trusted-cert 'FSSO-CA'
    next
end

diagnose debug authd fsso server-status

Server Name          Connection Status     Version               Address
----------           ---------------       -------               -------
DC1-FSSO-CA-SSL      connected             FSSO 5.0.0304         fsso-dc1.colombas.lab

 

FGT1-A # diagnose debug authd fsso summary

FGT1-A # ----FSSO logons----
Total number of users logged on: 1
----end of FSSO logons----

FGT1-A # diagnose debug authd fsso list

----FSSO logons----
IP: 172.16.3.30  User: CARLOS  Groups: CN=ESCALATIONS,CN=USERS,DC=COLOMBAS  Workstation: WIN10-1

Total number of logons listed: 1, filtered: 0
----end of FSSO logons----

 

From the FortiGate GUI:

Logs under 'Log & Report/Events/User Events':

[Screenshot: User Events log]

From the 'Firewall Users' widget:

[Screenshot: Firewall Users widget]

From the Collector Agent service status:

[Screenshot: Collector Agent service status]

From the Collector Agent login users list:

[Screenshot: Collector Agent login users list]
