FSSO settings shared to branch devices through security fabric or FMG?
I am deploying a Fortigate ADVPN/SDWAN solution where there is a central hub and about 20 remote Fortigates and a FMG.
First, I configured the DC HUB firewall as a standalone firewall because it was a migration from WatchGuard to Fortigate. On the HUB firewall, I did FSSO integration, imported the user groups and made the relevant policies. All good so far.
Then I imported the DC FGT in FMG which imported all device configuration from the FGT.
Then I added remote Fortigates and enabled ADVPN through FMG templates. Used the DC firewall policy package to make some user based policies on the remote Fortigates.
Now, I can see that the remote Fortigates also have the 'config user fsso' configuration automatically and they also show the FSSO logons. On the FSSO agent, I have not added the remote Fortigates, but the FSSO logons still show.
All Fortigates are also part of the security fabric where the DC HUB Fortigate is the root.
My question is how exactly are the remote Fortigates receiving the FSSO logon information? Is the DC firewall forwarding the FSSO logons to the remote Fortigates because they are part of the security fabric?
Also, did the FMG automatically push the 'config user fsso' configuration to all the remote Fortigates?
If I got it right, then you imported the DC FGT to FMG, re-used the FSSO config from that DC FGT and pushed it to the remote FGTs by pushing that DC FGT's policy package to them.
As you refer to 'config user fsso' and not to fsso-polling, I assume that you are using a standalone Collector Agent (CA hereinafter) installed somewhere in the DC infrastructure, maybe directly on some DC, or on a domain member server-class PC.
And so, due to the 'config user fsso' pushed from FMG into all FGTs, those all point to that standalone Collector Agent.
In the GUI it would be an external Fabric Connector.
But in the CLI it's in the standard/old 'config user fsso' location. Connectors have been consolidated under the Fabric section for some time now; in older FortiOS it was in the Users & Groups sort of section. Technically it has not much to do with Fabric, as FSSO configured this way acts independently on all individual FGT units. It means that every single FGT has its own independent connection to the CA. It should be seen in the CA's GUI as connected there.
On the FGT, 'diag debug enable' + 'diag debug authd fsso server-status' should show you which CA you are connected to.
hudzen-esx45 # diag debug authd fsso server-status
Server Name     Connection Status   Version         Address
-----------     -----------------   -------         -------
C24-DC-ALFA     connected           FSSO 5.0.0308   10.109.19.88
In GUI it's
My lab setup is as simple as possible, but demonstrates everything necessary. Related objects are color-coded.
So, config:
hudzen-esx45 # show user fsso
config user fsso
    edit "C24-DC-ALFA"
        set server "10.109.19.88"
        set password megaSecret
    next
end
And the respective AD groups learned from the Collector Agent (as there is no LDAP in the above config):
hudzen-esx45 # show user adgrp
config user adgrp
    edit "CN=DOMAIN USERS,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
        set server-name "C24-DC-ALFA"
    next
    edit "CN=FSSO-G1,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
        set server-name "C24-DC-ALFA"
    next
    edit "CN=FSSO-G2-UNI,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
        set server-name "C24-DC-ALFA"
    next
    edit "CN=FSSO-G3-GLOB,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
        set server-name "C24-DC-ALFA"
    next
end
And those could be used either directly in a firewall policy or, in the older style (my preferred one), through firewall-type user groups:
hudzen-esx45 # show user group FSSO-ALFA-DomainUsers
config user group
    edit "FSSO-ALFA-DomainUsers"
        set group-type fsso-service
        set member "CN=DOMAIN USERS,CN=USERS,DC=ALFA,DC=XSILVER,DC=ORG"
    next
end
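Since every FGT holds its own connection to the Collector Agent, the practical check after an FMG push is to collect 'diagnose debug authd fsso server-status' from the hub and each remote FGT and confirm that all of them are connected to the same CA address. The script below is an added example, not code from the thread or from Fortinet: it parses the table in the format quoted above and flags devices with no FSSO server, a server at an unexpected address, or a status other than connected. The device names and the per-device outputs are constructed for illustration; only the row layout follows the real output.

```python
"""Audit 'diagnose debug authd fsso server-status' output collected from several FortiGates.

Added example (not from the original post). The sample outputs below are constructed;
device names are hypothetical and only the row format follows the output quoted above.
"""
import re
from dataclasses import dataclass

# One data row: server name, connection status, version (may contain a space,
# e.g. "FSSO 5.0.0308"), and the CA's IPv4 address at the end of the line.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


@dataclass(frozen=True)
class FssoServer:
    name: str
    status: str
    version: str
    address: str


def parse_server_status(text: str) -> list[FssoServer]:
    """Parse the table printed by 'diagnose debug authd fsso server-status'."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, the column header and the dashed separator line.
        if not line or line.startswith("Server Name") or set(line) <= {"-", " "}:
            continue
        m = ROW_RE.match(line)
        if m:
            servers.append(FssoServer(*m.groups()))
    return servers


def audit(outputs: dict[str, str], expected_ca: str) -> dict[str, list[str]]:
    """Return a list of findings per device; an empty list means the device looks right."""
    findings = {}
    for device, text in outputs.items():
        problems = []
        servers = parse_server_status(text)
        if not servers:
            # The FMG push did not reach this unit, or 'config user fsso' is missing.
            problems.append("no FSSO server configured (config user fsso missing?)")
        for s in servers:
            if s.address != expected_ca:
                problems.append(f"{s.name} points at {s.address}, expected {expected_ca}")
            if s.status != "connected":
                # Each FGT connects to the CA on its own; a remote unit that cannot reach
                # the CA (policy, ADVPN path, CA firewall) will show this even though
                # the config object itself was pushed correctly.
                problems.append(f"{s.name} is {s.status}; check reachability to the CA")
        findings[device] = problems
    return findings


# Constructed sample outputs (hypothetical devices; the CA address is the one quoted above).
HEADER = (
    "Server Name     Connection Status   Version         Address\n"
    "-----------     -----------------   -------         -------\n"
)
SAMPLE_OUTPUTS = {
    "dc-hub":    HEADER + "C24-DC-ALFA     connected           FSSO 5.0.0308   10.109.19.88\n",
    "branch-01": HEADER + "C24-DC-ALFA     connected           FSSO 5.0.0308   10.109.19.88\n",
    "branch-02": HEADER + "C24-DC-ALFA     disconnected        FSSO 5.0.0308   10.109.19.88\n",
    "branch-03": HEADER,  # object never arrived: no rows at all
    "branch-04": HEADER + "C24-DC-ALFA     connected           FSSO 5.0.0308   10.109.19.89\n",
}

if __name__ == "__main__":
    for device, problems in audit(SAMPLE_OUTPUTS, "10.109.19.88").items():
        print(f"{device}: {'OK' if not problems else '; '.join(problems)}")
```

Feed it the real output captured from each unit (for example via the FMG script feature or an SSH loop) and any device listed with a finding is the one to look at on the CA side, where it should appear as a connected FortiGate.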