Hi,
In our previous NG-Firewall solution we had an option to create firewall rules filtering based on a user or a group from Active Directory. We simply had an agent that transmitted the user and group membership data to the firewall so the firewall could decide based on the logged-in user from the workstation, its group membership and the application process trying to access the destination.
FortiGate has this functionality, but we are considering potential licensing issues. I know that FortiAuthenticator provides this functionality as well as a lot more, but it is licensed per user or device on top of FortiGuard and FortiCare.
Can we use the mentioned functionality as its base without FortiAuthenticator and avoid additional cost, or is it required to buy FortiAuthenticator to be able to place an AD user or group as the source or destination of a firewall rule?
Also, will those AD and App based rules work with Free FortiClient when a user is authenticated to the VPN?
Created on 04-05-2024 12:45 AM Edited on 04-05-2024 12:45 AM
Hello @marko7781 ,
There are no additional licenses for FSSO, but it will only work within Fortinet products.
regards,
Sheikh
Hello @marko7781 ,
Actually, it all depends on your needs. FortiAuthenticator is capable of much more than just giving FortiGate access to LDAP users and groups. It is an identity and access management solution. See the datasheet below.
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiAuthenticator.pdf
There is some other information that might help you understand FSSO agents and their mode of operation. Moreover, these LDAP groups provided by the FSSO agent or collector agent can be used for SSLVPN or any other policies in FortiGate.
regards,
Sheikh
Hello @Sheikh ,
Actually what we need is:
- To be able to filter access to network resources by using AD user and group attributes rather than IP addresses.
- To be able to retrieve information in the firewall logs about the users that were allowed or denied by a firewall policy along with the network information and application used (example: user dsmith, application chrome.exe, source IP, destination IP...).
- Using the Free FortiClient for VPN access we should be able to accomplish the same effect as when the workstation is in the local network.
If we have FortiGuard and FortiCare already in place, do we need additional licenses for this requirement?
Hello, have you got any updates on whether we need a license for the functionalities mentioned in the above answer?
Thank you for reply.
Hi @thiago34 ,
I believe now you need to specify the address or address group configured for this user group.
(Which IPs are expected from these users)