I have a question about Web Filtering while utilizing the Fortinet SSO Agent (v5.0.287). We have a Fortigate perimeter firewall and the Fortinet SSO Agent is installed on both our primary and backup DCs. That configuration works as expected. However, we’re in the process of implementing an internal Fortigate firewall, which servers will eventually sit behind. During testing, we’ve found that all devices sitting behind the internal firewall default to the universal web filtering profile on the perimeter firewall. (The internal firewall has a web filter license, but it’s not enabled.) The Fortinet SSO Agent lists the test device/user in its Logon User List with the user’s correct AD web filter group, but that user’s web filter group is NOT recognized by the perimeter firewall. All other traffic in/out of the internal firewall is working at this point because there are no restrictions yet. We can ping and tracert in and out through the internal firewall, access internal network devices, and Internet access is there but limited because of the default web filter profile issue. Any ideas why web filtering is not working as expected when a device is behind the internal firewall?
When using the Fortinet SSO Agent with multiple Fortigate firewalls, ensure that each firewall is properly configured to communicate with the SSO agent. Set up the SSO agent to synchronize user identity information across all firewalls. This allows consistent web filtering policies to be applied based on user identity, regardless of which firewall the traffic passes through. Ensure the SSO agent is correctly integrated and that each Fortigate firewall is added to the SSO agent’s configuration to maintain seamless user authentication and web filtering.
Thanks for that information. We now have the internal firewall synced with the SSO agents and can now see the user information there too. However, the perimeter firewall is still applying the default web profile for each user rather than the one assigned per user. What else are we missing? The web profiles on the internal router are not set to be the same as on the perimeter firewall. Do they need to match? For maintenance purposes, we'd like to let the perimeter firewall continue to do all the web filtering tasks.
Hi FSB-mctn
Are you NATing the traffic at internal firewall level? If so then you should disable NAT, because the perimeter firewall must see the real IP of the client (as packet source) so that FSSO works as expected.
AEK, NAT was actually on so we turned it off - rightfully so. We then had to make a config change on our perimeter firewall for the interface to the backbone network and set new static routes to force the appropriate traffic to/through the internal firewall. With those changes and implementing the response from mickhence to sync the internal firewall with the fsso agent(s), our web filtering issue is now resolved.
When an overall solution involves responses from multiple responders, how am I to fairly [Accept as Solution]?
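The three fixes described in this thread (turning NAT off on the internal FortiGate, pointing the internal FortiGate at the same FSSO collector agents, and routing the client subnets back through the internal firewall so the perimeter still sees them) come down to a handful of FortiOS CLI settings. The following is an added illustration, not configuration taken from the original posts or from Fortinet documentation; every interface name, address, group DN and policy number in it is a constructed placeholder, and the syntax is the modern FortiOS `config firewall policy` / `config user fsso` form. The point it shows is that FSSO identifies a user only by the client's real source IP, so any hop that rewrites that address before the perimeter firewall breaks the group lookup and drops the session to the catch-all policy's default web filter profile.

```fortios
# ---- Internal FortiGate (sits between clients and the backbone) ----
# The setting that caused the symptom: an internal-to-backbone policy with
# NAT enabled hides the client IP, so the perimeter's FSSO table never matches.
config firewall policy
    edit 10
        set name "clients-to-backbone-BROKEN"   # placeholder name
        set srcintf "port2"                     # placeholder: client LAN
        set dstintf "port1"                     # placeholder: backbone
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                           # <- rewrites source IP
    next
end

# Corrected form: same policy, NAT disabled, so the real client IP reaches
# the perimeter firewall as the packet source.
config firewall policy
    edit 10
        set name "clients-to-backbone"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Register the same collector agents (primary and backup DC) on the internal
# FortiGate so it also receives the logon table. Addresses are constructed.
config user fsso
    edit "fsso-collectors"
        set server "192.0.2.10"                  # placeholder: primary DC agent
        set password FSSO-AGENT-PASSWORD-PLACEHOLDER
        set server2 "192.0.2.11"                 # placeholder: backup DC agent
        set password2 FSSO-AGENT-PASSWORD-PLACEHOLDER
    next
end

# ---- Perimeter FortiGate (does all web filtering) ----
# Static route so return traffic for the client subnet goes back through the
# internal firewall instead of a stale path on the backbone interface.
config router static
    edit 20
        set dst 10.20.0.0 255.255.0.0            # placeholder: client subnet
        set gateway 10.0.0.2                     # placeholder: internal FG
        set device "port3"                       # placeholder: backbone iface
    next
end

# FSSO group mapped to the AD web filter group, then an identity-based policy
# that selects a per-group web filter profile. Traffic whose source IP is not
# in the FSSO logon table does not match this policy and falls through to a
# later catch-all policy carrying the default profile.
config user group
    edit "FSSO_WebFilter_Standard"
        set group-type fsso-service
        set member "CN=WebFilter-Standard,OU=Groups,DC=example,DC=local"  # placeholder DN
    next
end
config firewall policy
    edit 30
        set name "fsso-standard-users-to-internet"
        set srcintf "port3"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FSSO_WebFilter_Standard"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "standard-users"   # placeholder profile name
        set ssl-ssh-profile "certificate-inspection"
        set nat enable                            # NAT belongs only at the edge
    next
end
```

A quick way to confirm the fix on the perimeter unit is `diagnose debug authd fsso list`, which prints the current logon table (user, IP, groups); the IP shown for the test user must equal the source address arriving from the internal firewall, which is exactly what NAT on the inner hop was changing.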
Happy to hear that the issue is fixed.
In such a case I think you may mark each response as solution.
You can mark multiple solutions - I would suggest both AEK's post and mickhence, they've both given you excellent advice :).
Cheers,
Debbie