Support Forum
austinmas1987

FSSO settings shared to branch devices through security fabric or FMG?

Hi guys,

I am deploying a Fortigate ADVPN/SD-WAN solution where there is a central hub, about 20 remote Fortigates and an FMG.

First, I configured the DC HUB firewall as a standalone firewall because it was a migration from WatchGuard to Fortigate. On the HUB firewall, I did FSSO integration, imported the user groups and made the relevant policies. All good so far.

Then I imported the DC FGT in FMG which imported all device configuration from the FGT.

Then I added remote Fortigates and enabled ADVPN through FMG templates. Used the DC firewall policy package to make some user based policies on the remote Fortigates.

 

Now I can see that the remote Fortigates also have the 'config user fsso' configuration automatically, and they also show the FSSO logons. On the FSSO agent I have not added the remote Fortigates, but the FSSO logons still show.

All Fortigates are also part of the security fabric where the DC HUB Fortigate is the root.

My question is: how exactly are the remote Fortigates receiving the FSSO logon information? Is the DC firewall forwarding the FSSO logons to the remote Fortigates because they are part of the security fabric?

Also, did the FMG automatically push the 'config user fsso' configuration to all the remote Fortigates?

Thanks.

pgautam
Staff

Hi @austinmas1987

Thank you for updating your query.

Please check the document below; I hope this helps with your query and deployment.

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/ecb26153-031d-11e9-b86b-005056...

Regards
Priyanka

xsilver_FTNT
Staff

Hi,

If I got it right, then you imported the DC FGT to FMG, re-used the FSSO config from that DC FGT, and pushed it to the remote FGTs by pushing that DC FGT's policy package to them.

As you refer to 'config user fsso' and not to fsso-polling, I assume that you are using a standalone Collector Agent (CA hereinafter) installed somewhere in the DC infrastructure, maybe directly on some DC or on a domain member server-class PC.

And so, due to the 'config user fsso' pushed from FMG into all FGTs, they all point to that standalone Collector Agent.

In the GUI it would be an external Fabric Connector.

But in the CLI it's in the standard/old 'config user fsso' location.
Connectors have been consolidated under the Fabric section for some time now; in older FortiOS it was in a Users & Groups sort of section.
Technically it does not have much to do with Fabric, as FSSO configured this way acts independently on all individual FGT units. It means that every single FGT has its own independent connection to the CA. It should be seen in the CA's GUI as connected there.

On the FGT, 'diag debug enable' + 'diag debug authd fsso server-status' should show you which CA you are connected to.

Examples:

hudzen-esx45 # diagnose debug authd fsso server-status
Server Name    Connection Status    Version          Address
-----------    -----------------    -------          -------
C24-DC-ALFA    connected            FSSO 5.0.0308    10.109.19.88

hudzen-esx45 #

 

In the GUI it's shown as: [image: FGT-CA-Fabric-Connector-status.jpg]

My lab setup is as simple as possible, but demonstrates everything necessary.
Related objects are color-coded.

 

So, config:
hudzen-esx45 # show user fsso
config user fsso
    edit "C24-DC-ALFA"
        set server "10.109.19.88"
        set password megaSecret
    next
end

And the respective AD groups learned from the Collector Agent (as there is no LDAP in the above config).

hudzen-esx45 # show user adgrp
config user adgrp
    edit "CN=DOMAIN USERS,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
        set server-name "C24-DC-ALFA"
    next
    edit "CN=FSSO-G1,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
        set server-name "C24-DC-ALFA"
    next
    edit "CN=FSSO-G2-UNI,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
        set server-name "C24-DC-ALFA"
    next
    edit "CN=FSSO-G3-GLOB,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
        set server-name "C24-DC-ALFA"
    next
end

 

And those could be used either directly in a firewall policy or, in the older style (my preferred), through firewall-type user groups:

hudzen-esx45 # show user group FSSO-ALFA-DomainUsers
config user group
    edit "FSSO-ALFA-DomainUsers"
        set group-type fsso-service
        set member "CN=DOMAIN USERS,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
    next
end

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
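Because every FGT keeps its own independent connection to the CA, as the reply above explains, a quick audit across the hub and the branches is to collect `show user fsso` and `diagnose debug authd fsso server-status` from each unit and check them together: does every unit point to the same CA, and is each unit's own connection up? The script below is an added example, not code from this thread or from Fortinet. It assumes the two outputs have been pasted in as plain text (here as constructed sample strings); it reuses the CA name and address from the post, while the branch hostnames, the OLD-CA entry at 192.0.2.50 and the 'disconnected' status word are made up for the sample.

```python
"""Audit FSSO Collector Agent connections across several FortiGates.

Added example (not from the forum thread or from Fortinet). Parses the
text of `show user fsso` and `diagnose debug authd fsso server-status`
from each unit and reports which Collector Agent (CA) every FortiGate
points to and whether that unit's own connection is up.
"""
import re

EXPECTED_CA = "10.109.19.88"  # CA address the hub uses (taken from the post)


def _config(name, server):
    """Constructed `show user fsso` text for one CA entry (sample data)."""
    return (f'config user fsso\n    edit "{name}"\n        set server "{server}"\n'
            f'        set password ENC xxxx\n    next\nend\n')


def _status(name, state, server):
    """Constructed `diagnose debug authd fsso server-status` table (sample data)."""
    return ("Server Name Connection Status Version Address\n"
            "----------- ----------------- ------- -------\n"
            f"{name} {state} FSSO 5.0.0308 {server}\n")


# Constructed per-device outputs: hostnames, OLD-CA, 192.0.2.50 and the
# 'disconnected' status word are assumptions, not taken from the post.
SAMPLES = {
    "dc-hub":    {"config": _config("C24-DC-ALFA", "10.109.19.88"),
                  "status": _status("C24-DC-ALFA", "connected", "10.109.19.88")},
    "branch-01": {"config": _config("C24-DC-ALFA", "10.109.19.88"),
                  "status": _status("C24-DC-ALFA", "connected", "10.109.19.88")},
    "branch-02": {"config": _config("C24-DC-ALFA", "10.109.19.88"),
                  "status": _status("C24-DC-ALFA", "disconnected", "10.109.19.88")},
    "branch-03": {"config": _config("OLD-CA", "192.0.2.50"),
                  "status": _status("OLD-CA", "connected", "192.0.2.50")},
}

# One `edit "<name>" ... next` entry of the FortiOS config tree.
_ENTRY_RE = re.compile(r'edit\s+"([^"]+)"(.*?)\bnext\b', re.DOTALL)
_SERVER_RE = re.compile(r'set\s+server\s+"?([^"\s]+)"?')
# One data row of the status table: name, status, version (may contain a
# space, e.g. "FSSO 5.0.0308") and an IPv4 address at the end.
_ROW_RE = re.compile(r'^(\S+)\s+(\S+)\s+(.+?)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$')


def parse_fsso_config(text):
    """Return {entry_name: server_address} from `show user fsso` output."""
    servers = {}
    for name, body in _ENTRY_RE.findall(text):
        m = _SERVER_RE.search(body)
        servers[name] = m.group(1) if m else None
    return servers


def parse_server_status(text):
    """Return {server_name: (status, version, address)} from the diag table.

    The header and dashed lines end with no IP address, so they never match."""
    rows = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            name, status, version, address = m.groups()
            rows[name] = (status, version, address)
    return rows


def audit(samples, expected_ca=EXPECTED_CA):
    """Return a sorted list of (device, entry, problem); empty means all units are fine."""
    findings = []
    for device, outputs in sorted(samples.items()):
        servers = parse_fsso_config(outputs["config"])
        status = parse_server_status(outputs["status"])
        if not servers:
            findings.append((device, "-", "no 'config user fsso' entry"))
            continue
        for name, address in servers.items():
            if address != expected_ca:
                findings.append((device, name, f"points to {address}, expected {expected_ca}"))
            state = status.get(name, ("absent",))[0]
            if state != "connected":
                findings.append((device, name, f"not connected (status={state})"))
    return findings


if __name__ == "__main__":
    problems = audit(SAMPLES)
    for device, entry, problem in problems:
        print(f"{device}: {entry}: {problem}")
    if not problems:
        print("every unit points to the expected CA and is connected")
```

The status table is parsed by anchoring on the trailing IPv4 address, so the two-token version column ("FSSO 5.0.0308") does not break the split. Run against the sample data it reports branch-02 as configured correctly but not connected, and branch-03 as connected but to a different CA than the hub, which are exactly the two things the per-unit independent connection makes worth checking after an FMG push.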
