Support Forum
stressballsteve
New Contributor

FSSO and transparent web filtering

Hi, I'm new to the forums and also new to the Fortigate products, so please be gentle... I have inherited a half-configured Fortigate 80C running 4.0 MR3 Patch 6 and I've managed to configure it so that I can use domain accounts for SSL VPN authentication, but I can't for the life of me figure out how to get FSSO working for web browsing. It's a simple setup with the Fortigate plugged into the LAN and into the Internet-facing routing. Web browsing works with no issues and when setting web filters, sites are blocked, so everything appears to be working on that front. The issue is that I cannot get FSSO to work for web browsing. When I enable it, users cannot browse the web and I get "AD group user failed in authentication" in the event log. I have also tried to just use "Resolve User Names Using FSSO Agent" within the policy and this also fails; users can browse, but in the logs it shows user as N/A... Can anyone help a desperate man? I'm pulling my hair out over this one (and I don't have a lot left). Thanks in advance, Steve
rwpatterson
Valued Contributor III

Welcome to the forums. Stressball... Nice name. In the FGT GUI look under 'User, Monitor, firewall' and see if any clients are logged in by name. If you see them there as 'guest', we have a problem, Houston. That's where I would start. Give a peek, and then write back. We'll go on from there.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
stressballsteve
New Contributor

Hi Bob, Thanks for the response... I've checked the monitor and there are no authenticated users listed, and access to the internet stops as soon as I enable the policy requiring authentication... Thanks, Steve
rwpatterson

Well, if no users are in the list, then no users are 'allowed' to get to the internet... Works as designed. We need to get the authentication piece functioning.
  • From the Domain Controller, did you install the FSSO software?
  • From the FSSO software, can you see any logins being generated?
  • If the logins are being generated, check to see if any FGTs are connected.
  • If no logins are being generated, you have a configuration issue with the FSSO piece.
  • From the FGT, do you see any AD groups under 'User > Remote'? Check those out and post back.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
stressballsteve
New Contributor

I've installed the collector agent and the DC agent on both DCs. One DC is currently connected to the Fortigate and there are users showing as logged on/authenticated within the agent. The status is "OK" rather than "not verified". On the FGT, I can browse and select users or groups from under Users/SSO/SSO Agent. LDAP tests correctly, as does browsing using the icon... and I can use LDAP authentication to log on to the firewall for administrative purposes and also for VPNs... I'm confused. Thanks again for the help
rwpatterson

Check out this for an LDAP setup. This is good for users coming inward (SSL VPN and firewall authentication). May offer a hint. Now, for general Internet browsing using FSSO, LDAP isn't a part, unless you checked it off in the setup. It uses directory services directly. That being said, did your FSSO software see the FGTs as being connected?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
stressballsteve
New Contributor

Only one of the collector agents sees the FGT connected at any one time, but yes, it's showing as connected. I can also see the users and groups beneath User/Single Sign-On/FSSO Agent... it's just not working when it comes to authenticating. It is definitely hitting the correct rule on the firewall... thanks for your continued help, Steve
rwpatterson

Show me (from a CLI cut/paste) one of your FSSO policies. You can obfuscate common names and address entities for security purposes. Below is a policy for the I/S department at one of my locations:
config firewall policy
    edit 1031
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "Group.IS"
        set dstaddr "all"
        set action accept
        set fsae enable
        set comments "Allow I/S to the Internet"
        set identity-based enable
        set nat enable
        set ippool enable
        set poolname "IPpool.Internet"
        config identity-based-policy
            edit 4
                set schedule "always"
                set logtraffic enable
                set utm-status enable
                set groups "Medium level Internet"  (Not so privileged users)
                set service "Allow.Default"
                set av-profile "scan.all-extended-quarantine"
                set webfilter-profile "least restrictive"
                set application-list "General_Policy"
                set profile-protocol-options "enhanced"
            next
            edit 1
                set schedule "always"
                set logtraffic enable
                set utm-status enable
                set groups "High level Internet"  (High privilege users)
                set service "Allow.Super.User.IS"
                set av-profile "scan.http.no.ftp-quarantine"
                set webfilter-profile "least restrictive"
                set application-list "General_Policy"
                set profile-protocol-options "enhanced"
            next
            edit 3
                set schedule "always"
                set logtraffic enable
                set utm-status enable
                set groups "Domain Users"  (Everyone else that's authenticated)
                set service "Allow.Default"
                set av-profile "scan.all-extended-quarantine"
                set webfilter-profile "default"
                set application-list "General_Policy"
                set profile-protocol-options "enhanced"
            next
            edit 2
                set schedule "always"
                set logtraffic enable
                set utm-status enable
                set groups "FSAE_Guest_Users"  (Unauthenticated users)
                set service "Allow.Default"
                set webfilter-profile "least restrictive"
                set application-list "General_Policy"
                set profile-protocol-options "enhanced"
            next
        end
    next
end
     

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
stressballsteve
New Contributor

Here's the output from my one and only FSSO policy...
config firewall policy
    edit 16
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set utm-status enable
        set fsso enable
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set logtraffic enable
                set utm-status enable
                set groups "groupname"
                set service "ANY"
                set av-profile "default"
                set webfilter-profile "default"
                set profile-protocol-options "default"
            next
        end
    next
end
rwpatterson

Wow, I need caffeine... What is the configuration of the firewall user group? From the CLI again, please. Below, my sample:
config user group
    edit "FSAE_Guest_Users"
        set group-type directory-service
    next
    edit "Domain Users"
        set group-type directory-service
        set member "DOMAIN/DOMAIN USERS"
    next
    edit "High level Internet"
        set group-type directory-service
        set member "DOMAIN/FW_LEVELHIGH"
    next
    edit "Medium level Internet"
        set group-type directory-service
        set member "DOMAIN/FW_LEVELMEDIUM"
    next
    edit "Low level Internet"
        set group-type directory-service
        set member "DOMAIN/FW_LEVELLOW"
    next
end
     

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
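Bob's diagnosis comes down to two CLI blocks agreeing with each other: every group named on a `set groups` line of an identity-based policy must exist under `config user group`, be of type `directory-service`, and carry an AD `member` (a memberless directory-service group, like FSAE_Guest_Users above, only matches unauthenticated users). The Python below is an added example, not code from the thread or from Fortinet: it parses pasted `config user group` and `config firewall policy` output and reports the mismatches; the two sample dumps are constructed to resemble Steve's and Bob's pastes.

```python
import re

# Constructed sample dumps (not from a real device), modelled on the thread's CLI blocks.
POLICY_CFG = """config firewall policy
    edit 16
        set fsso enable
        config identity-based-policy
            edit 1
                set groups "groupname" "Domain Users" "Missing Group"
            next
        end
    next
end"""
GROUP_CFG = """config user group
    edit "groupname"
        set group-type firewall
    next
    edit "Domain Users"
        set group-type directory-service
        set member "DOMAIN/DOMAIN USERS"
    next
end"""

def parse_user_groups(cfg):
    # {name: {"group-type": str|None, "member": [AD groups]}} from 'config user group'
    groups, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r'edit "(.+)"$', line)
        if m:
            cur = groups.setdefault(m.group(1), {"group-type": None, "member": []})
        elif cur is not None and line.startswith("set group-type "):
            cur["group-type"] = line.split(" ", 2)[2]
        elif cur is not None and line.startswith("set member "):
            cur["member"] += re.findall(r'"([^"]+)"', line)
    return groups

def fsso_findings(policy_cfg, group_cfg):
    # Referenced groups must exist, be directory-service and carry an AD member.
    groups, out = parse_user_groups(group_cfg), []
    refs = {g for l in policy_cfg.splitlines() if l.strip().startswith("set groups ")
            for g in re.findall(r'"([^"]+)"', l)}
    for name in sorted(refs):
        g = groups.get(name)
        if g is None:
            out.append(f"{name}: no such user group")
        elif g["group-type"] != "directory-service":
            out.append(f"{name}: group-type {g['group-type']}, not directory-service")
        elif not g["member"]:
            out.append(f"{name}: no AD member, matches only unauthenticated users")
    return out
```

Run `fsso_findings(POLICY_CFG, GROUP_CFG)` against your own `show firewall policy` / `show user group` output; an empty list means the group wiring is consistent and the problem lies on the collector agent side instead.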