Hi guys,
I am deploying a Fortigate ADVPN/SDWAN solution where there is a central hub and about 20 remote Fortigates and a FMG.
First, I configured the DC HUB firewall as a standalone firewall because it was a migration from WatchGuard to Fortigate. On the HUB firewall, I did FSSO integration, imported the user groups and made the relevant policies. All good so far.
Then I imported the DC FGT in FMG which imported all device configuration from the FGT.
Then I added remote Fortigates and enabled ADVPN through FMG templates. Used the DC firewall policy package to make some user based policies on the remote Fortigates.
Now, I can see that the remote Fortigates also have the 'config user fsso' configuration automatically and it also shows the FSSO logons. On the FSSO agent, I have not added the remote Fortigates but still the FSSO logon show.
All Fortigates are also part of the security fabric where the DC HUB Fortigate is the root.
My question is how exactly are the remote Fortigates receiving the FSSO logon information ? Is the DC firewall forwarding the FSSO logons to remote Fortigates because they are part of the security fabric?
Also, did the FMG automatically push the 'config user fsso' configuration to all the remote Fortigates?
Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Thank you for updating your query.
Please check the below document I hope this helps you in your query and deployment
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution
Hi,
if I got it right then you imported DC FGT to FMG and then re-used FSSO config from that DC FGT and pushed it to remote FGTs via pushing that DC FGT's policy package to them.
As you refer to 'config user fsso' and not to fsso-polling, then I assume that you are using standalone Collector Agent (CA hereinafter) installed somewhere in DC infrastructure. Maybe directly on some DC, or on domain member server class PC.
And so, due to pushed 'config user fsso' from FMG into all FGTs, those all points to that standalone Collector Agent.
In GUI it would be external Fabric Connector.
But in CLI it's in standard/old 'config user fsso' location.
Connectors are consolidated under Fabric section now and for some time, in older FortiOS it was in Users & Groups sort of section.
Technically it has not much to do with Fabric, as FSSO configured this way act's independently on all individual FGT units. It means that every single FGT has it's own independent connection to CA. Should be seen in CA's GUI as connected there.
On FGT 'diag debug enable' + 'diag debug authd fsso server-status' should show you to which CA you are connected to.
Examples:
hudzen-esx45 # diagnose debug authd fsso server-status
hudzen-esx45 #
Server Name Connection Status Version Address
----------- ----------------- ------- -------
C24-DC-ALFA connected FSSO 5.0.0308 10.109.19.88
In GUI it's
My lab setup is as simple as possible, but demonstrate all necessary.
Related objects color-coded.
So Config:
hudzen-esx45 # show user fsso
config user fsso
edit "C24-DC-ALFA"
set server "10.109.19.88"
set password megaSecret
next
end
And respective AD groups learned from Collector Agent (as there is no LDAP in above config).
hudzen-esx45 # show user adgrp
config user adgrp
edit "CN=DOMAIN USERS,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
set server-name "C24-DC-ALFA"
next
edit "CN=FSSO-G1,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
set server-name "C24-DC-ALFA"
next
edit "CN=FSSO-G2-UNI,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
set server-name "C24-DC-ALFA"
next
edit "CN=FSSO-G3-GLOB,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
set server-name "C24-DC-ALFA"
next
end
And those could be used either directly in firewall policy or in older style (my preferred) through firewall type of user groups:
hudzen-esx45 # show user group FSSO-ALFA-DomainUsers
config user group
edit "FSSO-ALFA-DomainUsers"
set group-type fsso-service
set member "CN=DOMAIN USERS,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
next
end
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1643 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.