rcpdkc
Contributor II

Fortigate User Information

With which product can I send the information of the user logged in Windows to Fortigate in the easiest way? My goal is to see which ip address belongs to which user in the logs.

ozkanaltas
Valued Contributor III

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
rcpdkc

I use FSSO, is there an alternative software similar to NAC?

ozkanaltas
Valued Contributor III

Hello @rcpdkc,

You can use FortiNAC or FortiAuthenticator but at the end of the day, all products transmit this information to FortiGate via FSSO. Only the way they collect user information is different.

For example, while NAC creates user information from authenticated users on the devices it manages, FortiAuthenticator collects user information via FortiClient or RSSO.

rcpdkc
Contributor II

I noticed that FortiNAC doesn't pass user information to the firewall. I can't see the user in the firewall logs even though FortiNAC is there. Why could this be?

@ozkanaltas @ebilcari @AEK

ozkanaltas
Valued Contributor III

Hello @rcpdkc,

Did you integrate FortiNAC and FortiGate for FSSO information?

You can review this document on how you can integrate FortiNAC and FortiGate for FSSO. This document has good and detailed information.

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/1c2d2ab0-223d-11ed-9eba-fa163e...

rcpdkc

On the FortiNAC side, I add the device from the service connector menu, but it does not fall into the FortiGate fabric connector menu.

ozkanaltas
Valued Contributor III

Hello @rcpdkc,

When I reviewed the FortiGate documents, I saw two pieces of information about that.

The first one: if your FortiNAC license was created before 2020, you can't do that integration.

https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/264311

The second one: the document says this feature is deprecated and replaced with a tag feature. Probably, the tag feature would not give username information to FortiGate.

https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/582240/fortinac-tag-dynamic-...

rcpdkc

Then I won't get user information with FortiNAC. I will continue with FSSO.

AEK
SuperUser

As per my knowledge you can do it with either FSSO, FortiClient (with EMS) or FortiNAC (with PA).

If I remember well, I did it on FNAC and FCT EMS with tags, that sends user group info to FGT and you can use them in firewall policies. I didn't double check but I think I'm not wrong.

AEK