FortiGate
CarlosColombini
Article Id 220649
Description

 

This article describes configuration steps to leverage SAML authentication for forward firewall policies.
The configuration example provided encompasses G-Suite SAML application configuration with multiple groups.

Scope

 

FortiGate 7.0+ and Google Cloud Platform as SAML IdP.

 

Solution

 

SAML authentication is widely deployed for FortiGate SSL VPN and administrator login.
Starting with FortiOS 7.0, it can also be used to authenticate users for forward traffic in firewall policies and for proxied traffic in the explicit and transparent proxy features.

 

This document focuses on outbound firewall policies with Google Cloud Platform (GCP) as the SAML IdP. Additionally, a multiple-group scenario is described, so that different UTM security profiles can be applied to users based on their group membership.


Example Environment:


Clients: 172.16.3.30 and 172.16.3.31
FortiGate LAN Interface IP: 172.16.3.15
User lombini@colombas.me is member of GCP group STAFF
User student@colombas.me is member of GCP group STUDENT
SAML SP: FortiGate
SAML IdP: Google Cloud Platform


Configuration steps for the G Suite SAML application.

Note.

This configuration assumes users and groups are already created in GCP. Some of the values needed here (the SP entity ID and URLs) come from the FortiGate, so the two sides are configured concurrently.

 

  1. Add a custom SAML app and define a name. Optionally add a description:

CarlosColombini_0-1660284200513.png

 

  2. Note the IdP entity ID and Single Sign-On URL, and download the IdP certificate.

     

    CarlosColombini_1-1660284534169.png

     

  3. Add the SP entity ID and Single Sign-On (ACS) URL.

     

    CarlosColombini_2-1660284981591.png

     

    The ACS URL contains the IP address and port of the FortiGate captive portal (https://172.16.3.15:1003/saml/login in this example).

    By default, the captive portal IP address is the IP of the FortiGate interface that receives the users' web requests (172.16.3.15 in this example).

    The default captive portal port for HTTPS is 1003. It is set in:

    config system global
        set auth-https-port 1003
    end

     

  4. Configure the SAML user and group attributes.

     

    CarlosColombini_3-1660285537918.png

     

    Note.

    Group membership can now be sent directly from GCP, rather than being inferred from other attributes such as 'Department' or 'Cost Center'.

  5. The result should look like the screenshot below. Make sure 'User access' is turned on; otherwise Google will not let users sign in to the application.

     

    CarlosColombini_4-1660285800876.png

     

     

Configuration steps in FortiGate.

 

  1. Import the IdP certificate downloaded in step 2 of the GCP configuration. Import it under System -> Certificates as a 'Remote Certificate'.

Note.

This certificate is per GCP tenant, which means it may already have been uploaded if GCP SAML is configured for another feature, such as SSL VPN or proxy policies.

If that is the case, an error message will be presented as per below.

 

CarlosColombini_0-1660286156344.png

 

Note.

The new certificate appears under the Remote Certificate section with the name REMOTE_Cert_(N). 

Optionally, rename the certificate in the CLI to give it a more recognizable name:


config vpn certificate remote
    rename REMOTE_Cert_3 to GoogleSAML
end

 

  2. Create a new Single Sign-On server matching the IdP settings noted previously in GCP.

     

    CarlosColombini_1-1660286517774.png

     

    Note.

    Starting with FortiOS 7.0.2 the SAML server can be created from the GUI; however, the SP URLs are populated automatically and need to be edited after saving so that they match the entity ID and ACS URL configured in the GCP SAML application.

    Optionally, the new Single Sign-On server can be created from the CLI as per below:

     

    config user saml
        edit "google-outbound-policy"
            set cert "Fortinet_Factory"
            set entity-id "https://172.16.3.15:1003/saml/metadata"
            set single-sign-on-url "https://172.16.3.15:1003/saml/login"
            set single-logout-url "https://172.16.3.15:1003/saml/logout"
            set idp-entity-id "https://accounts.google.com/o/saml2?idpid=C02216ujl"
            set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=C02216ujl"
            set idp-single-logout-url "https://accounts.google.com/logout"
            set idp-cert "GoogleSAML"
            set user-name "username"
            set group-name "group"
            set digest-method sha1
        next
    end

     

    Note.

    'set digest-method' defaults to sha1; FortiOS also offers sha256. If sha256 is selected, verify that the login still succeeds against the IdP before rolling the change out.

    Note.

    As with any other command entered in the FortiGate CLI that contains a question mark '?', press 'CTRL + V' right before the '?' so that it is taken literally instead of triggering the CLI help.

    This does not work from the GUI CLI console; use terminal software such as PuTTY over SSH, or the serial console connection.

     

     

  3. Create user groups that match the IdP group names, to be assigned to different firewall policies:

     

    CarlosColombini_0-1660287063576.png


    From CLI:

     

    config user group
        edit "Staff"
            set member "google-outbound-policy"
            config match
                edit 1
                    set server-name "google-outbound-policy"
                    set group-name "STAFF"
                next
            end
        next
    end

    config user group
        edit "Student"
            set member "google-outbound-policy"
            config match
                edit 1
                    set server-name "google-outbound-policy"
                    set group-name "STUDENT"
                next
            end
        next
    end

     

     

  4. Create outbound firewall policies, one per user group, with the UTM profiles and other settings as desired:

     

    CarlosColombini_1-1660287251854.png

     

    config firewall policy
        edit 40
            set name "Staff-Internet"
            set uuid 2aa5f31e-8131-51ec-a460-093b51af60ae
            set srcintf "port6"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr "LAN3"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "Staff"
            set webfilter-profile "Staff-WF"
            set logtraffic all
            set nat enable
            set groups "Staff"
        next
    end

    config firewall policy
        edit 85
            set name "Student-Internet"
            set uuid 0e292b3e-19c5-51ed-a93c-9ad37fc5e627
            set srcintf "port6"
            set dstintf "virtual-wan-link"
            set action accept
            set srcaddr "LAN3"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "Student"
            set webfilter-profile "Student-WF"
            set logtraffic all
            set nat enable
            set groups "Student"
        next
    end

     

     

  5. To allow not-yet-authenticated users to reach the IdP, place a firewall policy that does not require authentication above the firewall policies that have a group in the source. Without it, the request to the IdP would itself be subject to authentication and the login could never complete.

     

An ISDB object 'Google-Web' can be used, because a wildcard FQDN object for 'accounts.google.com' is not sufficient: the Google sign-in flow loads content from other Google hostnames as well. Note that this policy permits unauthenticated access to everything covered by the Google-Web ISDB entry, not only the sign-in endpoints, so keep its source address scoped to the networks that need it.

CarlosColombini_2-1660287510701.png

 

config firewall policy
    edit 32
        set name "SAML-GCP-Authentication"
        set uuid 6dcf3d4a-74a6-51ec-dfa3-1f25d4696d06
        set srcintf "port6" "port7"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "LAN3"
        set internet-service enable
        set internet-service-name "Google-Web"
        set schedule "always"
        set profile-protocol-options "custom-default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end

 

Configuring the user authentication settings.

When a user initiates traffic, the FortiGate redirects the user to the firewall authentication captive portal, which in turn redirects them to the SAML IdP.
After the SAML IdP responds with the SAML assertion, the user is redirected back to the firewall authentication captive portal.
If the captive portal's certificate is not trusted by the user's browser, a certificate warning is shown.
Use a certificate that the user's browser trusts to avoid the warning.


To configure a custom certificate:

 

  1. Go to User & Authentication -> Authentication Settings.
  2. For the Certificate, select the custom certificate. The custom certificate’s SAN field should have the FQDN or IP from the SP URL.

Note.

Alternatively, assigning a CA certificate lets the FortiGate automatically generate and sign a certificate for the portal page.

This overrides any assigned server certificate. In this example, the built-in Fortinet_CA_SSL is used. Keep in mind that a client which trusts Fortinet_CA_SSL trusts every certificate the FortiGate signs with it, including those generated for SSL deep inspection, so distribute it only to managed devices.

To assign a CA certificate:

config user setting
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
    set auth-timeout 2
    set auth-ssl-min-proto-version TLSv1-2
end


Go to System -> Certificates and download the CA certificate.
Install the certificate into the user's trusted certificate store.


Note.

If the captive portal is already being used for other features, redirection can be enabled per firewall policy by setting 'auth-redirect-addr', as per the KB article below:

Technical Tip: Using secure authentication (HTTPS) on a FortiGate and redirecting the authentication...


User authentication timeout settings.

SAML-authenticated users have the same timeout settings applied as other methods, as explained in the KB article below:

Technical Tip: Explanation of auth-timeout types for Firewall authentication users

 

However, the browser may cache the session cookie, so the user may not be prompted for credentials again after the timeout.
If a new prompt is desired, the authentication keepalive page can be used: when the user selects its 'Logout' button, the browser cookie is removed:

Technical Tip: Authentication keepalive page


If the keepalive browser tab is closed, the timeout behaves as a hard timeout:

Technical Tip: How to calculate 'Authentication Refresh' count-down number of FortiGate's' 'Authenti...

 

Verification of Configuration and authentication Workflow.

  1. The user initiates web traffic to the Internet.
  2. The FortiGate redirects to the local captive portal port (default is 1003), and then redirects the user to the SAML IdP.
  3. The user connects to the Google Account login page for the SAML authentication request.
  4. The SAML IdP sends the SAML assertion containing the user and group.
  5. The browser forwards the SAML assertion to the SAML SP.
  6. If the user and group are allowed by the FortiGate, the user is allowed to access the internet.
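The Python below is an added example, not code from this article or from FortiOS. It shows the SP-side checks applied to the Response the browser delivers in step 5, using the attribute names from 'config user saml' (user-name "username", group-name "group") and the 'config match' entries from 'config user group' (STAFF -> Staff, STUDENT -> Student). The sample response is constructed and unsigned; a real Google response is XML-signed, and verifying that signature against the imported IdP certificate, which the FortiGate does, is deliberately left out here, so this code must not be used as an actual SP.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values taken from the 'config user saml' block on this page.
SP_ENTITY_ID = "https://172.16.3.15:1003/saml/metadata"
IDP_ENTITY_ID = "https://accounts.google.com/o/saml2?idpid=C02216ujl"
USER_ATTR = "username"  # set user-name "username"
GROUP_ATTR = "group"    # set group-name "group"

# The 'config user group ... config match' entries: IdP group value -> local user group.
GROUP_MATCH = {"STAFF": "Staff", "STUDENT": "Student"}

# CONSTRUCTED sample for student@colombas.me: not a real Google response, and unsigned.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2022-08-12T07:23:30Z" Destination="https://172.16.3.15:1003/saml/login">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C02216ujl</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-08-12T07:23:30Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C02216ujl</saml:Issuer>
    <saml:Subject><saml:NameID>student@colombas.me</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2022-08-12T07:23:00Z" NotOnOrAfter="2022-08-12T07:28:30Z">
      <saml:AudienceRestriction><saml:Audience>https://172.16.3.15:1003/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>student@colombas.me</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>STUDENT</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _saml_time(value):
    """SAML timestamps are UTC with a trailing Z, e.g. 2022-08-12T07:23:30Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_response(xml_text, now_utc):
    """Return (user, [matched local groups]) or raise ValueError with the reason.
    SP-side checks on the Response posted in step 5. XML signature verification
    against the imported IdP certificate is NOT implemented here."""
    now = _saml_time(now_utc)
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion has no Conditions/NotOnOrAfter")
    if cond.get("NotBefore") and now < _saml_time(cond.get("NotBefore")):
        raise ValueError("assertion is not yet valid")
    if now >= _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion has expired")
    audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion is not addressed to this SP entity ID")
    # An attribute may carry several values (a user that is in multiple groups).
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    users = attrs.get(USER_ATTR, [])
    if len(users) != 1:
        raise ValueError("expected exactly one %r attribute value" % USER_ATTR)
    # Keep every IdP group that has a 'config match' entry; unknown groups are ignored.
    groups = [GROUP_MATCH[g] for g in attrs.get(GROUP_ATTR, []) if g in GROUP_MATCH]
    if not groups:
        raise ValueError("no group in the assertion matches a configured user group")
    return users[0], groups


def reject_reason(xml_text, now_utc):
    """None if the response would be accepted, otherwise the rejection message."""
    try:
        evaluate_response(xml_text, now_utc)
    except ValueError as exc:
        return str(exc)
    return None


def to_post_binding(xml_text):
    """HTTP-POST binding: the SAMLResponse form field is the base64-encoded XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def evaluate_post_binding(saml_response_b64, now_utc):
    """Decode the SAMLResponse form field, then apply the same checks."""
    return evaluate_response(base64.b64decode(saml_response_b64).decode("utf-8"), now_utc)
```

A user that is a member of both STAFF and STUDENT comes back with both local groups, which is why the order of the 'Staff-Internet' and 'Student-Internet' policies decides which UTM profile such a user gets.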

On the client, open a browser and go to a website. The user is redirected to the Google Account login page.

 

Enter the user credentials.

 

CarlosColombini_0-1660288589380.png

 

If the login attempt is successful, the user is allowed to access the internet according to group membership and firewall policies defined.

 

To verify the currently authenticated users, go to Dashboard -> Users & Devices and select the Firewall Users widget.

 

CarlosColombini_1-1660289087907.png


Alternatively, list the authenticated users from the CLI as per the commands below:


FGT1-A # diagnose firewall auth filter method fw

FGT1-A # diagnose firewall auth list

172.16.3.30, student@colombas.me
        type: fw, id: 0, duration: 80, idled: 7
        expire: 113, allow-idle: 120
        server: google-outbound-policy
        packets: in 4394 out 4024, bytes: in 3877855 out 1346112
        group_id: 42
        group_name: Student

172.16.3.31, lombini@colombas.me
        type: fw, id: 0, duration: 700, idled: 0
        expire: 120, allow-idle: 120
        server: google-outbound-policy
        packets: in 10937 out 10349, bytes: in 9378349 out 1774042
        group_id: 41
        group_name: Staff

 

To verify user login logs, go to Log & Report -> System Events and select the User Events card.

 

CarlosColombini_2-1660289285811.png

 

Alternatively, list them from the CLI with the commands below:

 

FGT1-A # execute log filter category event
FGT1-A # execute log filter field subtype user
FGT1-A # execute log display

date=2022-08-12 time=00:23:35 eventtime=1660289015633370297 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=172.16.3.30 dstip=172.16.3.15 policyid=85 interface="port6" user="student@colombas.me" group="Student" authproto="HTTPS(172.16.3.30)" action="authentication" status="success" reason="N/A" msg="User student@colombas.me succeeded in authentication"

date=2022-08-12 time=00:15:55 eventtime=1660288555337117215 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=172.16.3.30 dstip=172.16.3.15 policyid=40 interface="port6" user="lombini@colombas.me" group="Staff" authproto="HTTPS(172.16.3.30)" action="authentication" status="success" reason="N/A" msg="User lombini@colombas.me succeeded in authentication"
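As an added example that is not part of this article, the Python below parses such key=value event lines (quoted values can contain spaces, so a naive split on whitespace is not enough) and checks that every successful login hit the policy expected for its group: policy 85 for Student and policy 40 for Staff, per the policies configured above. A success landing on the wrong policy is the usual sign of a mis-ordered policy table or a wrong 'config match' group name. The first two sample lines are the ones shown above; the third is a constructed failure event, and its logid, level and reason text are assumptions rather than values copied from a FortiGate.

```python
import shlex
from collections import Counter

# Two lines from the 'execute log display' output above, plus one CONSTRUCTED failure
# line (logid 0102043009, level and reason text are assumed, not taken from a real log).
SAMPLE_LOGS = [
    'date=2022-08-12 time=00:23:35 eventtime=1660289015633370297 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=172.16.3.30 dstip=172.16.3.15 policyid=85 interface="port6" user="student@colombas.me" group="Student" authproto="HTTPS(172.16.3.30)" action="authentication" status="success" reason="N/A" msg="User student@colombas.me succeeded in authentication"',
    'date=2022-08-12 time=00:15:55 eventtime=1660288555337117215 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=172.16.3.30 dstip=172.16.3.15 policyid=40 interface="port6" user="lombini@colombas.me" group="Staff" authproto="HTTPS(172.16.3.30)" action="authentication" status="success" reason="N/A" msg="User lombini@colombas.me succeeded in authentication"',
    'date=2022-08-12 time=00:30:01 eventtime=1660289401000000000 tz="-0700" logid="0102043009" type="event" subtype="user" level="warning" vd="root" logdesc="Authentication failure" srcip=172.16.3.40 dstip=172.16.3.15 policyid=85 interface="port6" user="unknown@colombas.me" group="N/A" authproto="HTTPS(172.16.3.40)" action="authentication" status="failure" reason="IdP assertion rejected" msg="User unknown@colombas.me failed in authentication"',
]

# Which firewall policy each group is expected to hit (policy IDs from this page).
EXPECTED_POLICY = {"Student": "85", "Staff": "40"}


def parse_fortigate_log(line):
    """Turn one key=value FortiGate log line into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def auth_events(lines):
    """Keep only firewall-authentication events (type=event subtype=user action=authentication)."""
    wanted = ("date", "time", "srcip", "user", "group", "policyid", "status")
    events = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") == "event" and f.get("subtype") == "user" and f.get("action") == "authentication":
            events.append({k: f.get(k) for k in wanted})
    return events


def policy_group_mismatches(lines, expected=EXPECTED_POLICY):
    """Successful logins whose policyid is not the one expected for the user's group."""
    return [e for e in auth_events(lines)
            if e["status"] == "success" and expected.get(e["group"]) != e["policyid"]]


def failed_logins_by_ip(lines):
    """Failed authentications per source IP, a simple input for a brute-force detection."""
    return dict(Counter(e["srcip"] for e in auth_events(lines) if e["status"] == "failure"))
```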

 


Related document:

To configure the Outbound firewall authentication with Azure AD as a SAML IdP, visit the below link:
Outbound firewall authentication with Microsoft Entra ID as a SAML IdP