Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
anoushiravan
Staff
Staff

Created on ‎12-25-2022 10:52 AM Edited on ‎03-02-2023 07:04 AM By Moderator

Article Id 240813

Technical Tip: How to use NTLM as fallback for FSSO authentication

Description

This article describes how to use NTLM authentication when FSSO fails.

 

When authenticated, the FSSO user entry is generally removed from the authenticated user database on FortiGate and the FSSO user traffic is blocked until the FSSO user is authenticated by FortiGate again.

In these scenarios, it is possible to use NTLM authentication to authenticate the user as a fallback mechanism.
Scope FortiGate.
Solution

Configure the LDAP server on FortiGate:

 

FGT # show user ldap
config user ldap
    edit "ldap"
        set server "10.108.4.69"
        set cnid "sAMAccountName"
        set dn "dc=fortiservice,dc=com"
        set type regular
        set username "fortiservice\\Administrator"
        set password ENC MTAwNFB24plfAhOk06HKv9RimIGsz/QcM+OMxhrj5qpFbMvo9ZI4dUHdHahFzwxle24/X/xI3TqujTC5KR3xgan9LOWxYqHBiXsHjFDToxVWjfIaH+yetxQIWzLqr34AdoQlxXvX0bi9ZoYUq7lqRR/s+xviPB8oHEnTzNIcxBvCrLt09r6j+Tu3CCdollcEmiu3Cg==
    next
end


Configure FSSO on FortiGate, enable the LDAP and select the user/user group from the LDAP server:

 

FGT # show user fsso
config user fsso
edit "fsso-agent"
set server "10.108.4.69"
set password ENC 9AEEFXRj+Q3tu7kAUf79WkNrQ2dOpP8eafxjQ9/bgXz5KGremP663RC122moXHfyy/SwM8gF0InI81D3v/tCdoU9Q==
set ldap-server "ldap"
next
end


FGT # show user adgrp
config user adgrp
    edit "CN=sarah sarahh,DC=fortiservice,DC=com"
        set server-name "fsso-agent"
    next
        edit "CN=fsso.group,DC=fortiservice,DC=com"
            set server-name "fsso-agent"
        next
    end

 

Note:

The user 'sarah' and group 'fsso.group' have been created from the enabled LDAP server.

 

Create an FSSO group on FortiGate:

 

FGT # show user group FSSO-users
config user group
    edit "FSSO-users"
        set group-type fsso-service
        set member "CN=sarah sarahh,DC=fortiservice,DC=com"
    next
end

 

Configure the firewall policy for the FSSO user group on FortiGate, then enable NTLM in the CLI:

 

# config firewall policy
    edit 1
        set name "INTERNET"
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "block-shopping-domains"
        set ntlm enable <-----
        set groups "FSSO-users"
    next
end

 

Note:

A webfilter profile has been enabled to block shopping domains (=Category 'Shopping').

 

Result:

The user 'sarah' has been authenticated as an FSSO user (type: fsso):

 

FGT # diag firewall auth list

10.108.3.113, SARAH <-----
type: fsso, id: 0, duration: 1, idled: 0 <-----
server: fsso-agent
packets: in 9 out 12, bytes: in 921 out 1272
group_id: 3 33554433 33554434
group_name: FSSO-users CN=sarah sarahh,DC=fortiservice,DC=com CN=fsso.group,DC=fortiservice,DC=com

----- 1 listed, 0 filtered ------


Note that the ikea.com domain was blocked as a shopping domain for FSSO user 'sarah':

 

date=2022-12-24 time=22:34:57 eventtime=1671917697855568512 tz="+0100" logid="0316013056" type="utm" subtype="webfilter"
eventtype="ftgd_blk" level="warning" vd="root" policyid=1 sessionid=31295 user="SARAH" <<<-----
group="FSSO-users" authserver="fsso-agent" srcip=10.108.3.113
srcport=49993 srcintf="internal1" srcintfrole="undefined" dstip=104.64.162.124 dstport=443
dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="www.ikea.com" <-----
profile="block-shopping-domains" action="blocked" reqtype="direct" url="https://www.ikea.com/"
sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=42 catdesc="Shopping" <-----


If the FSSO user entry 'sarah' gets removed from the authenticated user list on FortiGate, the traffic for this  user/IP will be blocked:

 

FGT # diag firewall auth list

----- 0 listed, 0 filtered ------


Note:

Since NTLM is enabled on the firewall policy through CLI, an authentication page appears on the browser when the user attempts to browse the website

 

If the user enters user credentials, the user will be authenticated via NTLM (type: ntlm) and will be able to browse the website.

 

FGT # diag firewall auth list

10.108.3.113, SARAH
src_mac: 00:6c:69:73:23:01
type: ntlm, id: 0, duration: 7, idled: 4 <-----
expire: 296, allow-idle: 300
packets: in 34 out 33, bytes: in 16081 out 3790
group_id: 3
group_name: FSSO-users <-----

----- 1 listed, 0 filtered ------

 

The ikea.com is still blocked:

 

date=2022-12-24 time=22:56:08 eventtime=1671918968824170405 tz="+0100" logid="0316013056" type="utm" subtype="webfilter"
eventtype="ftgd_blk" level="warning" vd="root" policyid=1 sessionid=45229 user="SARAH" group="FSSO-users" srcip=10.108.3.113
srcport=50209 srcintf="internal1" srcintfrole="undefined" dstip=104.64.162.124 dstport=443 dstintf="wan1" dstintfrole="wan"
proto=6 service="HTTPS" hostname="www.ikea.com" profile="block-shopping-domains" action="blocked" reqtype="direct" url="https://www.ikea.com/"
sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=42 catdesc="Shopping"
6072
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.