a5dev
New Contributor

Firewall Group vs Fortinet SSO Group

I have the FSSO Agent installed on both of my Domain Controllers and it's wired up to my FortiGate.


It seems logical to me that I would want to create groups on the FortiGate that come from Active Directory. This way, whenever I add or remove a user from my AD group, it auto syncs with the Firewall.


On the FortiGate I found 2 ways to link an AD Group to the Firewall.


Method 1:

Create a new Group. Select Firewall.

In the Remote Groups section click the Add button.

Select my domain controller.

Select the Active Directory group from the list.


Method 2:

Create a new Group. Select Fortinet Single Sign-On (FSSO).

Select the Active Directory group from the list.


Same end result? What's the difference? Benefits of one over the other?


1 Reply
xsilver_FTNT
Staff

First, there is no "auto sync" from LDAP, or any other system, for users from an outside source to the FortiGate [FGT].

That feature is on FortiAuthenticator [FAC], where it serves primarily to add additional non-LDAP attributes and features to user accounts, usually 2FA (OTP) tokens, especially FortiTokens, and to do automatic token provisioning.

Which is not your case.


Method 1

That creates what's called a 'Group Match'; in this case, as you state a selection of an AD group, probably an LDAP-based group match. If everything around it is set properly, then whenever a user's traffic hits a policy with this group, active authentication (read "prompt for authentication") is triggered and the user has to authenticate manually.

AND if he authenticates OK against the set LDAP and IS also a member of the mentioned group, then he is considered authenticated. The mentioned bond to a specific group means that not just anyone who successfully authenticates against AD can pass; only a member of the LDAP group will be considered a member of that Firewall group.


Method 2

As noted, the selected type is FSSO, so the Firewall group is bonded to some set of AD groups (show user adgrp). Those AD groups can be set via the bonded LDAP in the FSSO connector, or without LDAP in the connector, directly in the FSSO Collector Agent on your DC in the Group Filter section.

If set properly, then once a user successfully authenticates somewhere in the Windows domain, his logon is processed and, according to the group filter, reported from the FSSO Collector Agent to the connected FGT units.

This is passive authentication, and if such a group is used in a policy, then when the user's traffic hits that policy it will make a lookup to see whether we have a pre-authenticated user from the source IP, and what his group membership is. If any of his groups matches those set in the policy, he is allowed to pass through without any active authentication prompt.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
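To make the two group types concrete, here is an added FortiOS CLI sketch of the objects each method creates. It is not taken from the reply above or from Fortinet documentation; the server name, IP address, DNs, interface names and policy number are placeholders.

```fortios
# --- Method 1: LDAP "remote group" match -> active authentication ---
# Placeholder LDAP server; bind with a low-privilege read-only account, never a domain admin.
config user ldap
    edit "DC1-LDAP"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fgt,OU=Service,DC=example,DC=com"
        set password "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
        set secure ldaps
        set port 636
    next
end
config user group
    edit "LDAP-Sales"
        set member "DC1-LDAP"
        config match
            edit 1
                set server-name "DC1-LDAP"
                set group-name "CN=Sales,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# --- Method 2: FSSO group -> passive authentication ---
# The member is an AD group DN learned from the Collector Agent's
# group filter; it must already appear in "show user adgrp".
config user group
    edit "FSSO-Sales"
        set group-type fsso-service
        set member "CN=Sales,OU=Groups,DC=example,DC=com"
    next
end
# Either group is referenced the same way in a policy; the only
# difference is how the user ends up being a member of it.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set groups "FSSO-Sales"
    next
end
```

With the FSSO group in place, `diagnose debug authd fsso list` shows the logged-on users and groups the collector has reported, which is the lookup the reply describes for the passive case.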
