Hello Fortinet Community,
I've been reading https://community.fortinet.com/t5/FortiNAC/Technical-Tip-Configure-FortiNAC-Tags-with-FortiOS-7-2-4-... on configuring FSSO tags with FortiOS 7.2.4 and https://community.fortinet.com/t5/FortiNAC-F/Technical-Tip-Connector-based-FSSO-vs-Fabric-Based-with...
on Connector-based FSSO vs Fabric-based SSO.
Is it correct to understand that Connector-based FSSO will be deprecated soon, possibly even removed from CLI configurations? Should we be configuring Fabric-based SSO for new deployments instead?
With FortiGate and FortiNAC using a persistent agent setup, how can we propagate AD User/Group information to FortiGate without Connector-based FSSO? Currently, with Fabric-based SSO I only receive Dynamic-FortiNAC Tag.
Looking forward to your insights!
Thank you!
Yes, the classic FSSO is marked as deprecated by FGT as shown here and also is not actively supported by FNAC. It will not be removed soon (as I know), so as long as it works it can be still kept in production.
The FNAC tag dynamic address is the recommended way for new configurations. The concept and the results are pretty much the same. It offers better integration since FNAC is now joined in the Security fabric.
You will still be able to send tags and also LDAP groups as tags, entries will be automatically created in FGT and filled with IPs:
FNAC config:
Same tag, will list all the interested IP and can be applied in a firewall policy:
Thank you @ebilcari for your detailed response. I have verified the functionality, and it works as described. However, I noticed that tags need to be pushed by "Network Access" or another event, and only tags related to that event appear in FortiGate Addresses. With FSSO, all AD groups appear in FortiGate Users as soon as FSSO is enabled.
Is there a method to push all AD group-related tags to the Security Fabric without waiting for an event? It is inconvenient to trigger an event to push tags to FortiGate and then start writing policies based on those tags.
I also noticed that the "Domain Users" group is not synchronized, neither via FSSO nor with TAGs.
Thanks again for your assistance!
Yes correct, the tags will be auto created in FGT only after the first host/IP hits a NAP. This is by design, the first step is to achieve visibility and after verifying that the information is correct to proceed enforcing the firewall policies. Currently there is no way to push all the available tags/groups at once in FGT.
If you want to have them predefined, you can try to manually create them in FGT, the format is <FNAC serial>_<Group name>.
Another possible "trick" could be to include one of the "test/admin" hosts to all the groups and tags. After it will hit the policy all that information should be sent to the FGT (just an idea, haven't tested it).
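A small check that follows from the naming convention in the reply above, added here as an example and not Fortinet's code: build the address object names FortiGate would auto-create for each LDAP group FortiNAC sends as a tag (<FNAC serial>_<Group name>) and compare them with the dynamic addresses that already exist on the FortiGate, so you can see which tags still have not been pushed by a host event before writing policies against them. The serial, the group list and the address list JSON are constructed sample data; the list is assumed to be in the shape of a FortiGate REST address listing ("results" array with "name" and "type"), and group names are assumed to be used verbatim in the tag name.

```python
"""Report FortiNAC tag addresses that a FortiGate has not auto-created yet.

Added example, not Fortinet code. Assumes the <FNAC serial>_<Group name>
naming convention from the forum reply and an address list shaped like the
output of the FortiGate /api/v2/cmdb/firewall/address endpoint. All values
below are constructed samples, not captured from a real device.
"""
import json

FNAC_SERIAL = "FNVMCA0000000000"  # placeholder serial, not a real FortiNAC unit

# LDAP groups FortiNAC is configured to send as tags (constructed list).
LDAP_GROUPS = ["Finance", "Engineering", "Domain Users", "IT-Admins"]

# Constructed FortiGate address list: only groups whose hosts already hit a
# network access policy have been created, which is the behaviour the thread
# describes (tags appear on the FGT only after the first host/IP event).
SAMPLE_FGT_ADDRESSES_JSON = json.dumps({
    "results": [
        {"name": "FNVMCA0000000000_Finance", "type": "dynamic"},
        {"name": "FNVMCA0000000000_IT-Admins", "type": "dynamic"},
        {"name": "all", "type": "ipmask"},
    ]
})


def tag_name(serial: str, group: str) -> str:
    """Address object name FortiGate auto-creates for a FortiNAC tag.

    Assumption: the group name is used verbatim after the underscore.
    """
    return f"{serial}_{group}"


def expected_tag_names(serial: str, groups) -> set:
    """Names of all tag addresses FortiNAC should eventually provide."""
    return {tag_name(serial, g) for g in groups}


def existing_dynamic_addresses(address_list_json: str) -> set:
    """Names of dynamic address objects present in a FortiGate address list."""
    data = json.loads(address_list_json)
    return {a["name"] for a in data.get("results", []) if a.get("type") == "dynamic"}


def missing_tags(serial: str, groups, address_list_json: str) -> list:
    """Sorted list of expected tag addresses the FortiGate does not have yet."""
    expected = expected_tag_names(serial, groups)
    present = existing_dynamic_addresses(address_list_json)
    return sorted(expected - present)


if __name__ == "__main__":
    for name in missing_tags(FNAC_SERIAL, LDAP_GROUPS, SAMPLE_FGT_ADDRESSES_JSON):
        print("not yet created on FortiGate:", name)
```

Run against a real address export, the output is the list of tags that still need a triggering host event (or manual pre-creation in the same name format) before a firewall policy can reference them.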
@ebilcari wrote:
"Another possible "trick" could be to include one of the "test/admin" hosts to all the groups and tags. After it will hit the policy all that information should be sent to the FGT (just an idea, haven't tested it)."
Your idea is perfect. Checked it recently and it works.
Thank you very much for the help!
Thank you for your feedback, glad to be of help.