Hi, I just migrated from a Cisco router to a FortiGate 40F, and since the migration I have had problems with Cisco ISE and MFA authentication.
The FGT40F Branch connects to a FGT1000F in HQ, via 2 site-to-site VPNs over the internet in a sdwan zone. Behind the 1000F is the AD server and Cisco ISE.
The authorization and authentication path goes through the 2 FGTs to the AD/DNS and ISE servers located in the HQ.
PC --- AP ---- FGT60F ------FGT1000F-----Core----AD/DNS/ISE
I have no communication problems with ping, traceroute, or DNS. I have checked the MTU on both FGTs and they have the same size. I also checked the Security Profiles (IPS, DNS filtering, AV, DoS policy). At log level the only thing I can see are several events to the DNS, AD, and ISE destinations with action: Accept ip-conn.
Previously the traffic arrived directly to the CORE located in HQ, so it did not go through the FGTs.
Does anyone know what it could be?
Hi sirma504,
If the traffic is passing through the IPsec tunnel and if the traffic is originating from your FortiGate 40F going to the 1000F, I suspect you need to specify the source IP in its configuration.
Let's say you have LDAP configured on your FortiGate.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-source-IP-address-for-FSSO-and-...
May refer to document below for additional guidance:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Self-originating-traffic-over-IPSec-VPN-Fo...
https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/848980/self-originating-traf...
Regards,
Denice
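To make the source-IP suggestion in Denice's reply concrete, here is an added FortiOS CLI example (not from the original thread or from Fortinet's linked articles). It pins the FortiGate's own LDAP, RADIUS and DNS requests to a LAN address that falls inside the site-to-site tunnel's phase 2 selectors, so the self-originated traffic matches the VPN policy instead of leaving with the WAN address. All server names, addresses, DN values and secrets are constructed placeholders; replace them with your own.

```fortios
# Added example, not from the original post. Constructed addressing:
#   10.10.10.1  branch FortiGate LAN address, inside the tunnel's
#               phase 2 selectors (hypothetical)
#   10.20.0.10  AD / LDAP and internal DNS server behind the HQ FortiGate
#   10.20.0.11  Cisco ISE (RADIUS)

# LDAP: without source-ip the FortiGate sources the query from the
# egress interface address, which may not match the tunnel selectors.
config user ldap
    edit "HQ-AD"
        set server "10.20.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=fgt-bind,cn=Users,dc=example,dc=local"
        set password <bind-password>
        set source-ip 10.10.10.1
    next
end

# RADIUS (ISE): same idea for RADIUS/MFA requests the FortiGate itself
# sends. nas-ip is the NAS address ISE will see in the request.
config user radius
    edit "HQ-ISE"
        set server "10.20.0.11"
        set secret <shared-secret>
        set source-ip 10.10.10.1
        set nas-ip 10.10.10.1
    next
end

# DNS lookups the FortiGate performs on its own behalf
# (for example resolving the LDAP server FQDN).
config system dns
    set primary 10.20.0.10
    set source-ip 10.10.10.1
end

# Verification from the branch FortiGate CLI:
#   diagnose test authserver ldap HQ-AD <user> <password>
#   diagnose test authserver radius HQ-ISE pap <user> <password>
#   diagnose sniffer packet any 'host 10.20.0.10 and port 389' 4
# The sniffer should show the LDAP packets leaving on the tunnel
# interface with source 10.10.10.1 rather than the WAN address.
```

The source address chosen here has to be covered by the tunnel's phase 2 selectors and by a firewall policy that permits it toward the HQ servers; if the tunnel is a tunnel-mode interface in an SD-WAN zone, check that the route to the server subnets actually prefers the tunnel for that source.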