- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FSSO and WebFiltering
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO and WebFiltering
Hello,
We are trying to configure FSSO and Web Filtering but without much success.
The topology of the network is as follows:
a. LAN > ISA > FortiGate (Transparent) > WAN
b. All users on LAN are routed from the ISA server. ISA server is also the 2nd Domain Controller.
c. Primary Domain Controller has the FSSO Collector and Agent.
d. We have published the 389 port from DC1 to ISA(DC2) so that FortiGate can use the FSSO.
e. We have setup and imported the required Groups on FortiGate (FSSO) and if we execute the following command on CLI we get the required results:
CLI > diagnose debug enable
CLI > diagnose debug authd fsso server-status
Server Name Connection Status Version
----------- ----------------- -------
FSSO DC connected FSSO 4.3.0151
f. If we issue the diagnose debug authd fsso list we get the list of users authenticated (more than 100 entries) e.g.
IP: 192.168.1.135 User: xxx
IP: 192.168.1.138 User: xxx
………….
g. Under the Policy we have setup the authentication with a web profile to block or monitor user activities.
h. However on the logs we see only 3-4 users from the domain and all the rest are shown as “Guestâ€. These are allowed since we also include the FSSO Guest groups.
i. Problem is that 100+ users go out as Guests, although they are part of the groups from the domain and have authenticated.
Please advise how we can also identify all users and configure the require web filtering policy. At the moment although the web filter profile is applied, the reports created with the Guest accounts do not provide any insight.
It seems that FortiGate does not recognize most users from the Domain, the connection between the FSSO Collector and Fortigate works.
Do we need to forward any other port besides 389 on the ISA? FortiGate is placed transparently in front of the ISA server and before the WAN. The Collector Agent seems to work, but for some reason, FortiGate sees 100+ users as Guests, and only 3-4 as actual users.
WAN Modem IP: xxx.xxx.xxx.xxx
FortiGate IP: xxx.xxx.xxx.x
ISA NIC1 IP: xxx.xxx.xxx.x
ISA NIC2 IP: 192.168.1.2
DC1 IP: 192.168.1.1
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
It appears that Collector Agent might be configured in Standard Mode (Set Directory Access in GUI)
..while groups are configured in Advanced mode...
Collector agent AD Access mode - Standard versus Advanced
The Collector agent has two ways to access Active Directory user information. The main difference between Standard and Advanced mode is the naming convention used when referring to username information.
Standard mode uses regular Windows convention: Domain\Username. Advanced mode uses LDAP convention: CN=User, OU=Name, DC=Domain.
If there is no special requirement to use LDAP— best practices suggest you set up FSSO in Standard mode. This mode is easier to set up, and is usually easier to maintain and troubleshoot.
Standard and advanced modes have the same level of functionality with the following exceptions:
1. Users have to create Group filters on the Collector agent. This differs from Advanced mode where Group filters are configured from the FortiGate unit. Fortinet strongly encourages users to create filters from CA.
2. Advanced mode supports nested or inherited groups. This means that users may be a member of multiple monitored groups. Standard mode does not support nested groups so a user must be a direct member of the group being monitored.
If this is your case, proceed with the changes, the run in CLI: diag debug authd fsso refresh-groups
livo
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
If you have setup and imported the required groups on the Fortigate, then it would seem your basic Collector Agent setup is good.
Some things you could have a look at, and/or try, is :
- check on the Collector Agent Gui if the 2 check-boxes at the top are checked, ie Monitoring user logon events, and Support NTLM authentication.
- Are the browsers used by the 3-4 users seen from the domain configured differently form others, mostly in Tools>Internet options>Advanced>Security : Use Windows integrated authentication ?
I must say we still are not exactly sure how our setup works, but it does, with User authentication policies, User groups and Webfilter Profiles, etc.
We have a collector Agent monitoring say 20 DCs with DCAgents, but we are at the point where we are not sure what does what exactly, FSSO, NTLM, etc.
And I don' t want to get into the détails of that at the moment, let' s just say on our production Fortigate users show as NTLM authenticated, Under User & Device>Monitor, while on the Test Fortigate they show as FSSO .
Production FSSO Collector Agent uses DC Agents, and Test FSSO collector Agent uses Polling.
Anyway, I hope any of this helps in some way :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bonjour,
je suis entraine de configurer l'integration webfilter sur fsso.
mais je suis un bloquer.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- WEB Filtering and FSSO 105 Views
- Installing FSSO Agent on AD server 148 Views
- How to setup agentless polling on... 155 Views
- Poll AD Server 215 Views
- FSSO logon mimatch 118 Views
Labels
-
FortiGate
7,215 -
FortiClient
1,423 -
5.2
801 -
5.4
639 -
FortiManager
623 -
FortiAnalyzer
463 -
6.0
416 -
FortiAP
378 -
FortiSwitch
376 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
282 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
178 -
FortiNAC
129 -
6.4
128 -
FortiGuard
117 -
IPsec
111 -
SSL-VPN
110 -
FortiGateCloud
97 -
FortiSIEM
95 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
66 -
4.0MR3
64 -
SD-WAN
51 -
FortiProxy
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
40 -
FortiGate v5.4
36 -
FortiExtender
35 -
FortiSandbox
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
VLAN
32 -
FortiSwitch v6.4
32 -
High Availability
32 -
DNS
25 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
FortiConverter
23 -
LDAP
22 -
Certificate
21 -
BGP
21 -
SAML
20 -
FortiGate v5.2
20 -
Interface
20 -
FortiPortal
18 -
Routing
18 -
FortiSwitch v6.2
17 -
Authentication
17 -
VDOM
17 -
FortiLink
16 -
FortiMonitor
15 -
RADIUS
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
NAT
14 -
FortiDDoS
14 -
Logging
14 -
SSL SSH inspection
13 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
11 -
Virtual IP
11 -
Application control
11 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
IP address management - IPAM
9 -
FortiManager v5.0
9 -
OSPF
9 -
4.0MR2
9 -
WAN optimization
9 -
RMA Information and Announcements
8 -
FortiSOAR
8 -
Proxy policy
8 -
FortiAnalyzer v5.0
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
Web application firewall profile
7 -
Security profile
7 -
FortiAP profile
7 -
Automation
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Traffic shaping policy
6 -
trunk
6 -
IPS signature
5 -
Packet capture
5 -
Port policy
5 -
Antivirus profile
5 -
System settings
5 -
DNS Filter
5 -
FortiCache
5 -
FortiTester
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Traffic shaping profile
4 -
FortiPAM
4 -
Fortinet Engage Partner Program
4 -
FortiCarrier
4 -
3.6
4 -
FortiScan
4 -
DLP sensor
4 -
DoS policy
4 -
Email filter profile
3 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Application signature
3 -
DLP Dictionary
3 -
FortiDB
3 -
DLP profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiNDR
2 -
FortiAI
2 -
FortiHypervisor
2 -
Schedule
2 -
Authentication rule and scheme
2 -
Explicit proxy
2 -
Internet Service Database
2 -
VoIP profile
2 -
4.0MR1
1 -
File filter
1 -
RIP
1 -
Multicast policy
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Zone
1 -
TACACS
1 -
Replacement messages
1 -
FortiManager-VM
1 -
SDN connector
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1084 | |
| 892 | |
| 535 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.