Hi ,
I would like to know how I can configure TACACS+ setting for managed FortiGate Firewalls from FortiManager.
Right now I've tried to enabled TACACS+ config directly from FortiGate Firewalls but after one or two days , the TACACS+ config disappear automatically. Look like FortiManager override the settings when we applied the policy to FortiGate Firewalls.
Please suggest any possible solution on this?
FortiManager version7.2.3
FortiGate version 7.2.4
Thank you so much
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
That's probably because you haven't used the TACACS server in a group and then use the group in admin config or policies yet. Or have you?
We use RADIUS for all our customer's FGTs that are on FMG but we never configured it from FMG.
<edit>Or you might need to retrieve the entire config once you configured tacacs at the FGT, so that the device DB has the tacacs config next time it pushes the config. You might need to re-sync others like policy package, etc. after retrieving it though.</edit>
If I were to configure TACACS from FMG, I would configure in a CLI template and put it in a CLI template group with other CLI templates you might need (in the future), then assign it to the device. Then you can install it as a part of device config.
Toshi
Our RAIUS config situation probably wouldn't apply to your case. Because we preconfigure almost all of them including RADIUS at the FGT before shipping to the customer location. Then only after the installation is done with cutomer's internet circuits we put it on our FMG to sync with the common policy package etc. At that time, the FMG automatically retrieves the entire config from the FGT including the RADIUS config.
Toshi
Hi@EvanRaci ,
In some cases you should be able to Retrieve and Import from FGT but this has many options to go wrong also, so depends how is all setup.
In other case just setup a CLI script as Toshi suggest.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-using-TACACS-authentication-with-ad...
Best,
By the way, the scrips on FMG @vraev is talking about is always CLI, while there are different types of templates exist including CLI template.
The difference is script is just a scrip you can run against either 1) directly the remote device, 2) device DB in FMG, or 3) policy package or ADOM DB. Once you run it, there isn't any trace other than log. So you have to know/remember which devices you applied if you have multiple devices.
On the other hand, CLI templates/template group need to be "assigned" to one or multiple devices before you can "push" the config by "installing" the device config. Then the FMG shows which devices have it applied and in sync in the device table view. So you can be clear which devices have the config all the time.
For this reason, we use CLI templates through all our devices in all ADOMs instead of scripts unless a quick and temporary change is needed.
Toshi
Hi all,
Today I tested in my lab and observe the same issue , I've created tacacs+ user then added into User Group , retrieved from FortiManager . After that I applied policy from FortiManager and all the TACACS+ related config disappeared .
To fix this I need to create one Administrator account with type "Match all users in remote-server group". Only then the config become persistent.
Thank you
As I said originally if the user group including the tacacs server(s) is not used by either admin user or policies, the FMG might remove unused tacacs config when you push device config or policy package.
You have to use it first.
Toshi
Thank you very much Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.