tagayev
New Contributor II

Transition from Connector-based FSSO to Fabric-based SSO with FortiNAC and FortiGate

Hello Fortinet Community,

 

I've been reading https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Configure-FortiNAC-Tags-with-FortiOS-7-2-4-... on configuring FSSO tags with FortiOS 7.2.4 and https://community.fortinet.com/t5/FortiNAC-F/Technical-Tip-Connector-based-FSSO-vs-Fabric-Based-with... on Connector-based FSSO vs Fabric-based SSO.

Is it correct to understand that Connector-based FSSO will be deprecated soon, possibly even removed from CLI configurations? Should we be configuring Fabric-based SSO for new deployments instead?

 

With FortiGate and FortiNAC using a persistent agent setup, how can we propagate AD User/Group information to FortiGate without Connector-based FSSO? Currently, with Fabric-based SSO I only receive Dynamic-FortiNAC Tag.

 

Looking forward to your insights!

Thank you!

 

5 REPLIES
ebilcari
Staff

Yes, the classic FSSO is marked as deprecated by FGT as shown here and is also not actively supported by FNAC. It will not be removed soon (as far as I know), so as long as it works it can still be kept in production.

The FNAC tag dynamic address is the recommended way for new configurations. The concept and the results are pretty much the same. It offers better integration since FNAC is now joined in the Security fabric.

You will still be able to send tags, and also LDAP groups as tags; the entries will be created automatically in FGT and filled with IPs:

[Screenshot: tags.png]

FNAC config:

[Screenshot: model config.PNG]

 

The same tag will list all the IPs of interest and can be applied in a firewall policy:

[Screenshot: fw policy.PNG]

- Emirjon
tagayev
New Contributor II

Thank you @ebilcari for your detailed response. I have verified the functionality, and it works as described. However, I noticed that tags need to be pushed by a "Network Access" or another event, and only tags related to that event appear in FortiGate Addresses. With FSSO, all AD groups appear in FortiGate Users as soon as FSSO is enabled.

Is there a method to push all AD group-related tags to the Security Fabric without waiting for an event? It is inconvenient to trigger an event to push tags to FortiGate and then start writing policies based on those tags. 

I also noticed that the "Domain Users" group is not synchronized, neither via FSSO nor with tags.

 

Thanks again for your assistance!

ebilcari

Yes, correct: the tags will be auto-created in FGT only after the first host/IP hits a NAP. This is by design; the first step is to achieve visibility, and after verifying that the information is correct, to proceed to enforcing the firewall policies. Currently there is no way to push all the available tags/groups to FGT at once.
If you want to have them predefined, you can try to manually create them in FGT; the format is <FNAC serial>_<Group name>.

Another possible "trick" could be to include one of the "test/admin" hosts in all the groups and tags. After it hits the policy, all that information should be sent to the FGT (just an idea, haven't tested it).

- Emirjon
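The two replies above say that a tag only becomes a FortiGate address object once a FortiNAC event creates it, and that the object is named <FNAC serial>_<Group name>. Before writing policies it is worth checking which of the expected objects actually exist. The script below is an added example, not code from this thread or from Fortinet. It assumes that naming convention is applied to the group name verbatim, that the FortiOS REST call GET /api/v2/cmdb/firewall/address returns a JSON object with a "results" list of address objects, and it uses a constructed serial number, group list and sample API reply.

```python
"""Report which FortiNAC tag addresses are still missing on a FortiGate.

Added example, not code from this thread or from Fortinet. It assumes:
  - tag addresses are named exactly <FNAC serial>_<Group name> (as stated
    in the thread), with no further sanitising of the group name;
  - the FortiOS REST API call GET /api/v2/cmdb/firewall/address returns a
    JSON object whose "results" list holds the address objects;
  - the serial number, group names and sample response are constructed.
"""
import json
import ssl
import urllib.request
from typing import Iterable, List, Set

# Constructed sample of what the FortiGate might return once two tags have
# been auto-created by a FortiNAC network-access event. The serial number
# and group names are made up; "all" is a built-in address object.
SAMPLE_FGT_RESPONSE = json.dumps({
    "results": [
        {"name": "FNVMCA0000000001_Finance", "type": "dynamic"},
        {"name": "FNVMCA0000000001_IT-Admins", "type": "dynamic"},
        {"name": "all", "type": "ipmask"},
    ]
})


def expected_tag_name(fnac_serial: str, group: str) -> str:
    """Name FortiNAC is said to give the dynamic address for a group/tag."""
    return f"{fnac_serial}_{group}"


def existing_address_names(api_json: str) -> Set[str]:
    """Extract the address object names from a cmdb/firewall/address reply."""
    return {entry["name"] for entry in json.loads(api_json).get("results", [])}


def missing_tag_addresses(fnac_serial: str, groups: Iterable[str],
                          api_json: str) -> List[str]:
    """Groups whose tag address has not been created on the FortiGate yet.

    For these groups either a host must hit a network-access policy on
    FortiNAC, or the address must be created by hand, before a firewall
    policy can reference the tag.
    """
    existing = existing_address_names(api_json)
    return sorted(g for g in groups
                  if expected_tag_name(fnac_serial, g) not in existing)


def fetch_address_objects(fgt_host: str, api_token: str) -> str:
    """Pull the live address list from a FortiGate (assumed API usage).

    Sends a REST API admin token as a bearer token and keeps TLS certificate
    verification on; install the FortiGate's CA rather than disabling it.
    Not called at import time so the module stays runnable offline.
    """
    req = urllib.request.Request(
        f"https://{fgt_host}/api/v2/cmdb/firewall/address",
        headers={"Authorization": f"Bearer {api_token}"},
    )
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    serial = "FNVMCA0000000001"  # constructed FortiNAC serial
    ad_groups = ["Finance", "IT-Admins", "HR", "Domain Users"]
    for group in missing_tag_addresses(serial, ad_groups, SAMPLE_FGT_RESPONSE):
        print(f"missing: {expected_tag_name(serial, group)}")
```

Run as-is it works on the constructed sample and reports HR and Domain Users as missing; to check a real unit, replace SAMPLE_FGT_RESPONSE with the result of fetch_address_objects(host, token) using a read-only REST API admin. Any group the script lists is one you still need to trigger (or create manually in the stated format) before a policy referencing that tag will match anything.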
tagayev
New Contributor II


@ebilcari wrote:

Another possible "trick" could be to include one of the "test/admin" hosts in all the groups and tags. After it hits the policy, all that information should be sent to the FGT (just an idea, haven't tested it).


Your idea is perfect. Checked it recently and it works.

Thank you very much for the help!

ebilcari

Thank you for your feedback, glad to be of help.

- Emirjon