Hello.
We got setup with FortiGate HA cluster, FortiAuthenticator, FortiEMS and FortiClients (5.6.6) on endpoints.
We are implementing FSSO Mobility agent via FortiClient to authenticate users.
The problem is with endpoints where users are using virtual network interfaces (Docker, HyperV, VMware) on their Windows 10 PC.
For example one endpoint have both HyperV and Docker virtual interfaces. At that point FortiAuthenticator can see this users FSSO session sent from FortiClient Mobility Agent with 4 IP addresses (all are virtual ethernet interfaces IPs) but can't see built-in LAN Ethernet adapter's or WiFi adapter's IP.
I'm wondering is it FortiClient sending only four addresses to FortiAuthenticator?
We are not having many users (60-70 FSSO sessions), but I've never saw any user having more then 4 IP addresses.
Thanks in advance.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
FSSO can handle just up-to 4 addresses per same workstation name. Those can come from client like SSOMA, or DNS A records. I would try to convince SSOMA to send just IPs/NICs I'm interested in.
Or I'd set IP filtering rules on FAC to discard IP ranges used on virtual NICs of clients and their VMWare workstations or other virtualization platforms.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi,
Thanks for the answer.
I'm looking into ip filtering on Authenticator and as I correctly understand the mechanics is that FortiAuthenticator receives all the IPs that FortiClient is sending and I can't really filter it. IP filtering works in another direction - from Authenticator to FortiGate, it means it will send only those sessions that I'm including in the IP filtering.
But issues is that Authenticator is receiving 4 wrong IPs from FortiClient directly.
Is there any way to filter IP addresses that are received on Authenticator from FortiClient?
As You mentioned: "I would try to convince SSOMA to send just IPs/NICs I'm interested in."
How is it possible to do on from SSOMA perspective? I can't find that possibility in endpoint profile configuration on FortiEMS.
Thanks.
Ok I found out that Global Pre-filter on Authenticator in "Fortigate Filtering" section will filter IP ACL I've configured.
But this didn't solve the problem, because endpoint is sending 4 IPs that are not in allowed IP ACL so the FSSO session is not being registered.
I need some how to force FortiClient SSOMA to send only the IP addresses that I expect to see on Authenticator.
Any suggestions?
same here, lot of Dev Clients with Docker and/or VM Workstation. Ended up with disabling this interfaces, no other solution found 'till now, bad enought.
________________________________________________________
--- NSE 4 ---
________________________________________________________
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1663 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.