Article Id 229274



This article describes the configuration steps necessary to apply FSSO rules to SSL VPN users.




FortiOS 7.0 and newer versions.




FSSO rules can be used for the traffic generated by remote access VPN users.

For the collector agent to map a username correctly to the IP address that the FortiGate actually assigned, it must be told which IP address a given VPN user received.


This can be done with RADIUS accounting messages. See the following document for an explanation:


Dynamic address support for SSL VPN policies.


However, the environment may not have a RADIUS server, or may be unable to support one.

If this is the case, the user identity information can be delivered to the collector agent through Syslog.


A remote user group can be used for authentication while an FSSO group is separately used for authorization. Using a dummy policy for remote user authentication and a policy for FSSO group authorization, FSSO can be used with SSL VPN tunnels.

This image shows the authentication and authorization flow:




In this example, the Collector Agent acts as a syslog server. When a user connects to the VPN, it receives syslog messages that carry the username and the IP address actually assigned during the VPN connection. It then queries the LDAP server for the user's group membership and forms the FSSO entry, which is later sent to the FortiGate.




The user PC here is the PC with the IP address

The Collector Agent is running on a dedicated server with IP address

AD is running on a server with IP address

AD is already configured with a group called sslvpn-users. The group sslvpn-users-fsso and user jsmith are members of these two groups.


Configure the Fortinet Single Sign-On Collector Agent.


  1. Configure a password for FSSO:




  2. Enable the Syslog Listener:





  3. Configure the LDAP Server:






    The LDAP server is needed so that the group membership of the SSL VPN user can be resolved.



  4. Configure Syslog Rules:






    NOTE: Because of the structure of FortiOS log messages, the 'Client IPv4 Field' must be configured as shown in the image, with a space character at the end of the line:




    The remaining fields should not contain a space character at the end of the line:


    Name: fsso-sslvpn-syslog
    Trigger: logdesc="SSL
    Logon: 0101039947
    Update: 0101039949
    Logoff: 0101039948
    Username Field: user="{{:user}}"


    Test the configured rule. If the rule is configured properly, the result will be as shown:





  5. Map the configured rule to the FortiGate and LDAP:







    Here, is the IP address of the FortiGate.


Configure the FortiGate:


To configure the FortiGate in the CLI:


  1. Set up the LDAP server:


    config user ldap
        edit "AD"
            set server ""
            set cnid "samaccountname"
            set dn "dc=test,dc=lab"
            set type regular
            set username "TEST\\Administrator"
            set password admin_password
        next
    end




  2. Set up the FSSO connector:


    config user fsso
        edit "FSSO_CA"
            set server ""
            set password 123456
            set ldap-server "AD"
        next
    end





  3. Create a user group for the LDAP server:


    config user group
        edit "sslvpn_users"
            set member "AD"
            config match
                edit 1
                    set server-name "AD"
                    set group-name "CN=sslvpn-users,CN=Users,DC=TEST,DC=LAB"
                next
            end
        next
    end



  4. Create an FSSO user group:


    config user group
        edit "sslvpn-users-fsso"
            set group-type fsso-service
            set member "CN=fsso_group1,CN=Users,DC=TEST,DC=LAB"
        next
    end





  5. Configure the appropriate SSL VPN portal and authentication rules:


    config vpn ssl web portal
        edit "none"
        next
        edit "test_portal"
            set tunnel-mode enable
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
        next
    end


    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set idle-timeout 0
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set dns-server1
        set source-interface "port1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "none"
        config authentication-rule
            edit 1
                set groups "sslvpn_users"
                set portal "test_portal"
            next
        end
    end






  6. Configure firewall addresses:


    config firewall address
        edit "none"
            set subnet
        next
    end




  7. Create one dummy policy for authentication only, and one regular FSSO policy for authorization:


    config firewall policy
        edit 1
            set name "sslvpn-authentication-policy"
            set srcintf "ssl.root"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "none"
            set schedule "always"
            set service "ALL"
            set groups "sslvpn_users"
        next
        edit 2
            set name "sslvpn-authorization-policy"
            set srcintf "ssl.root"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set groups "sslvpn-users-fsso"
        next
    end




  8. Configure Syslog logging:

    Only the specific syslog messages that are listed in the free-style log filter will be sent to the collector agent:


    config log syslogd setting
        set status enable
        set server ""
    end

    config log syslogd filter
        set forward-traffic disable
        set local-traffic disable
        set multicast-traffic disable
        set sniffer-traffic disable
        set ztna-traffic disable
        set anomaly disable
        set voip disable
        set gtp disable
        config free-style
            edit 1
                set category event
                set filter "((logid 0101039947) or (logid 0101039948) or (logid 0101039949))"
            next
        end
    end





    These log IDs contain the necessary information to create the FSSO entry:


    Log ID        Log Description        Log Meaning
    0101039947    SSL VPN tunnel up      Logon
    0101039948    SSL VPN tunnel down    Logoff
    0101039949    SSL VPN statistics     Update
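To make the syslog rule and the log-ID filter concrete, the following added Python example (not code from this article or from Fortinet) replays constructed FortiOS-style SSL VPN event lines through the same trigger, log-ID and field matches and keeps the IP-to-username table that the collector agent forwards as FSSO logons. It assumes the client IP is read from the unquoted tunnelip= field, which the article only shows in an image; the sample records and addresses are constructed.

```python
import re

# Log IDs that the collector agent rule on this page maps to FSSO events.
LOGID_EVENT = {"0101039947": "logon", "0101039949": "update", "0101039948": "logoff"}
TRIGGER = 'logdesc="SSL'                        # prefix trigger, as in the rule
LOGID_FIELD = re.compile(r'logid="(\d+)"')
USER_FIELD = re.compile(r'user="([^"]*)"')       # Username Field: user="{{:user}}"
# Assumption: the client IP is taken from the unquoted tunnelip= field. Without a
# closing quote the trailing space is what ends the value, which is why the page's
# 'Client IPv4 Field' must be entered with a space at the end of the line.
CLIENT_IP_FIELD = re.compile(r'tunnelip=(\S+) ')

# Constructed FortiOS-style records (not captured logs) in key=value syntax.
SAMPLE_SYSLOG = [
    'logid="0101039947" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" '
    'remip=203.0.113.10 tunnelip=10.212.134.200 user="jsmith" group="sslvpn_users"',
    'logid="0101039949" type="event" subtype="vpn" logdesc="SSL VPN statistics" '
    'remip=203.0.113.10 tunnelip=10.212.134.200 user="jsmith" group="sslvpn_users"',
    'logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="ssh(203.0.113.20)"',    # must not match: not an SSL VPN event
    'logid="0101039948" type="event" subtype="vpn" logdesc="SSL VPN tunnel down" '
    'remip=203.0.113.10 tunnelip=10.212.134.200 user="jsmith" group="sslvpn_users"',
]

def parse_event(line):
    """Apply the rule to one syslog line; return (event, user, tunnel_ip) or None."""
    if TRIGGER not in line:
        return None
    logid = LOGID_FIELD.search(line)
    if not logid or logid.group(1) not in LOGID_EVENT:
        return None
    user, ip = USER_FIELD.search(line), CLIENT_IP_FIELD.search(line)
    if not user or not ip:
        return None                             # incomplete record: no FSSO entry
    return LOGID_EVENT[logid.group(1)], user.group(1), ip.group(1)

def build_fsso_table(lines):
    """Replay syslog lines into the tunnel-IP -> username table the agent keeps."""
    # Keyed on tunnelip, not remip: the tunnel IP is the source the ssl.root policy sees.
    table = {}
    for parsed in map(parse_event, lines):
        if parsed is None:
            continue
        event, user, ip = parsed
        if event == "logoff":
            table.pop(ip, None)                 # tunnel down removes the logon
        else:
            table[ip] = user                    # logon or statistics update refreshes it
    return table
```

The logon from the first two records survives until the tunnel-down record arrives; the admin login record is ignored because it matches neither the trigger nor the filtered log IDs.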




    get vpn ssl monitor


    SSL-VPN Login Users:

     Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth

     0       jsmith          sslvpn_users   16(1)            28750  28750 0/0     0/0     0


    SSL-VPN sessions:

     Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP

     0       jsmith          sslvpn_users   50      10819/0



    diag firewall auth list


            type: fsso, id: 0, duration: 12, idled: 12

            server: FSSO_CA

            packets: in 0 out 0, bytes: in 0 out 0

            group_id: 3 33554433

            group_name: sslvpn-users-fsso CN=fsso_group1,CN=Users,DC=TEST,DC=LAB

   , jsmith

            type: fw, id: 0, duration: 13, idled: 13

            expire: 28786, allow-idle: 28799

            flag(80): sslvpn

            server: AD

            packets: in 0 out 0, bytes: in 0 out 0

            group_id: 2

            group_name: sslvpn_users


    The first entry came from the collector agent as an FSSO logon (type: fsso).

    The second entry is the user authentication for the SSL VPN connection itself (type: fw, flag(80): sslvpn).