FortiGate
GiannisChari
Staff
Article Id 342865
Description: This article describes how to use FortiGate syslogs as an authentication source in the FSSO Collector Agent. An example of SSL VPN integration with Fortinet Single Sign-On is presented, but the same method can also be used for IPsec dial-up VPN.
Scope: FortiGate.
Solution

Topology view:

[Image: Syslog-toplogy.png]

First, FortiGate needs to send syslogs to the FSSO Collector Agent. Syslog settings can only be configured in the command line.

config log syslogd setting
    set status enable
    set server "10.210.8.20"
end

It is a good idea to have a filter, as FortiGate will otherwise flood the FSSO Collector Agent with unnecessary logs.

config log syslogd filter
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set ztna-traffic disable
    set anomaly disable
    set voip disable
    config free-style
        edit 1
            set category event
            set filter "SubType vpn"
        next
    end
end

Next, the syslog feature must be enabled on the FSSO Collector Agent.

[Image: Enable Syslog service.png]

Note: Make sure that the Windows firewall is not blocking incoming traffic on UDP port 514.

Create a new Syslog Rule under 'Manage Rule':

[Image: Syslog Rule Setting.png]

Note: In the 'Client IPv4 Field', make sure there is a space after tunnelip={{:client_ip}}. Otherwise, the Collector Agent will be unable to parse the IP address.

The same field values can be used for any SSL VPN integration with Fortinet Single Sign-On.
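As an added illustration (not Fortinet's code, nor the Collector Agent's actual parser), the Python below models how a field template such as tunnelip={{:client_ip}} is matched against a FortiGate VPN event line, why the trailing space matters, and which lines the 'SubType vpn' filter lets through. The sample log line, the user field template and the tunnel-up/tunnel-down to logon/logoff mapping are constructed assumptions.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample of a FortiGate SSL VPN "tunnel-up" event (not a real capture).
SAMPLE_LOG = (
    'date=2024-09-03 time=10:15:42 devname="FGT-EDGE" type="event" subtype="vpn" '
    'level="information" vd="root" action="tunnel-up" tunneltype="ssl-tunnel" '
    'remip=203.0.113.7 tunnelip=10.212.134.200 user="jsmith" msg="SSL VPN tunnel up"'
)

def template_to_regex(template: str):
    """Turn a field template like 'tunnelip={{:client_ip}} ' into a regex. The literal
    after the placeholder ends the capture; with no trailing delimiter the capture
    runs to end of line, which is why the note above requires the trailing space."""
    m = re.fullmatch(r"(.*?)\{\{:(\w+)\}\}(.*)", template)
    if not m:
        raise ValueError("template must contain exactly one {{:name}} placeholder")
    prefix, name, suffix = m.groups()
    tail = re.escape(suffix) if suffix else "$"
    return re.compile(re.escape(prefix) + f"(?P<{name}>.+?)" + tail)

def parse_vpn_event(line: str, ip_template: str = "tunnelip={{:client_ip}} ",
                    user_template: str = 'user="{{:user}}"') -> Optional[dict]:
    """Simplified model of a syslog rule: keep only event/vpn logs (what the free-style
    filter 'SubType vpn' forwards), map tunnel-up/tunnel-down to logon/logoff (assumed
    mapping) and extract user and client IP. Returns None if filtered or unparsable."""
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if kv.get("type") != '"event"' or kv.get("subtype") != '"vpn"':
        return None
    event = {'"tunnel-up"': "logon", '"tunnel-down"': "logoff"}.get(kv.get("action"))
    if event is None:
        return None
    ip_m = template_to_regex(ip_template).search(line)
    user_m = template_to_regex(user_template).search(line)
    if not ip_m or not user_m:
        return None
    try:
        client_ip = str(ipaddress.ip_address(ip_m["client_ip"]))
    except ValueError:  # missing delimiter -> '10.212.134.200 user="jsmith" ...'
        return None
    return {"event": event, "user": user_m["user"], "client_ip": client_ip}

if __name__ == "__main__":
    print(parse_vpn_event(SAMPLE_LOG))                                         # parsed
    print(parse_vpn_event(SAMPLE_LOG, ip_template="tunnelip={{:client_ip}}"))  # None
```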

Lastly, a new syslog source needs to be added:

[Image: Syslog Source.png]

In this scenario, SSL VPN uses RADIUS to authenticate, but any other authentication method (local users, LDAP, etc.) will also work.

[Image: FortiCLient.png]

The FSSO Collector Agent Logon User List with the syslog-authenticated user:

[Image: FSSO_user_logon_list.png]

When the Syslog source's user type is set to 'External', the user's groups are not forwarded to FortiGate, because the user is not part of the domain. Group filtering in firewall policies is therefore impossible for Syslog users. This can be solved by switching from 'External' to 'Remote User' and configuring a managed LDAP server.

[Image: IMG1 1.png]

With this setting, when a syslog message for a user arrives at the FSSO Collector Agent, a connection to the managed LDAP server is made using the configured credentials. A search request for the user is then performed, filtered on the User Object Class and Username Attribute.

Finally, if the user is found by the search request, it is added to the logon user list together with its corresponding groups.

Related articles:

FSSO using syslog as a source - FortiGate administration guide

Technical Tip: Using syslog free-style filters