Monthly Archives: April 2016

Link Aggregation – FortiBalancer

Chapter 3 Link Aggregation

3.1 Overview

This section describes link aggregation functionality of the network. Link Aggregation is also called trunking, which can greatly improve network performance and stability.

3.2 Understanding Link Aggregation

Link Aggregation or trunking is a method of combining physical network links into a single logical link for increased bandwidth. With Link Aggregation, we are able to increase the capacity and availability of the communication channel between devices. Two or more Gigabit Ethernet connections are combined in order to increase the bandwidth capability and create resilient and redundant links.

The FortiBalancer appliance supports at most 6 bond interfaces, and at most 12 system interfaces can be added to a bond interface. The bond interface will check the status of the system interfaces. If a system interface becomes down, the traffic processed by this interface will be directed to other working system interfaces in the bond interface.

To add a system interface into a bond interface, the administrator can further set the interface as the primary or backup interface in the bond. Multiple primary or backup interfaces can be set in a bond. When all the primary interfaces in the bond fail, the backup interfaces will take the place of primary interfaces to work.

Note: To bind a system interface with a bond interface, the system interface should be configured with no IP address information. If there is IP configuration on the system interface, the administrator needs to remove the IP configuration first. If otherwise, the system will refuse to add the system interface into the bond.

In addition, the FortiBalancer appliance also supports configuring MNET or VLAN on bond interface. The bond interface configuration must be performed before configuring MNET or VLAN on it.

3.3 Link Aggregation Configuration

3.3.1 Configuration Guidelines

Before you start to configure link aggregation, please take a moment to familiarize yourself with the network architecture for link aggregation configuration.

Figure 3-1 Link Aggregation Configuration

Table 3-1 General Settings of Link Aggregation

Operation	Command
Bond system interfaces	bond interface <bond_name> <interface_name> [1\|0]
Operation	Command
Assign a name for the bond interface	bond name <bond_id> <bond_name>
Assign IP address to the bond interface	ip address {system_ifname\|mnet_ifname\|vlan_ifname\|bond_ifname} <ip_address> {netmask\|prefix}
Assign default route	ip route default <gateway_ip>

3.3.2 Configuration Example via CLI

Step 1 Bind system interfaces with bond interface

In our example, we bind the “port1” interface and the “port4” interface with the bond interface bond1, and further set the “port1” interface as the primary, and “port4” as the backup in the bond interface.

FortiBalancer(config)#bond interface bond1 port1 1

FortiBalancer(config)#bond interface bond1 port4 0

Step 2 Assign a name for the bond interface

We can set the bond name for the configured bond interface by using the “bond name” command.

FortiBalancer(config)#bond name bond1 link1

Step 3 Assign an IP address and netmask to the bond interface

FortiBalancer(config)#ip address link1 10.10.0.2 255.255.255.0

Step 4 Set the gateway IP address

FortiBalancer(config)#ip route default 10.10.0.1

To verify that FortiBalancer appliance is indeed actively deployed within this network infrastructure, you may ping the gateway IP by using the “ping” command.

If these configurations are entered correctly, you will receive the following return messages.

FortiBalancer(config)#ping 10.10.0.1

PING 10.10.0.1(10.10.0.1): 56 data bytes

64 bytes from 10.10.0.1: icmp_seq=0 ttl=128 time=0.671 ms

64 bytes from 10.10.0.1: icmp_seq=1 ttl=128 time=0.580 ms

64 bytes from 10.10.0.1: icmp_seq=2 ttl=128 time=0.529 ms

64 bytes from 10.10.0.1: icmp_seq=3 ttl=128 time=0.486 ms

64 bytes from 10.10.0.1: icmp_seq=4 ttl=128 time=0.638 ms

— 10.10.0.1 ping statistics —

5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.486/0.581/0.671/0.068 ms

Advanced Network Configuration – FortiBalancer

Leave a reply

Chapter 2 Advanced Network Configuration

2.1 Overview

This section focuses on introducing the advanced network configurations, including VLAN, MNET, Port Forwarding, NAT, Dynamic Routing and IP Pool functionalities and configurations on the FortiBalancer appliance.

2.1.1 VLAN

VLAN (Virtual Local Area Network) is used to logically segment a network into smaller networks by application, or function, without regard to the physical location of the users. Each VLAN is considered a separate logical network. There are two types of VLAN specifications for Ethernet network.

Port-based VLAN

Define VLAN based on port number of the switch. Port-based VLAN is easy to configure but often limited to one single switch.

Tag-based VLAN

Tag-based VLAN allows a group of devices on different physical LAN segments to communicate with each other as if they were all on the same physical LAN segment. In tag-based VLAN, an identifying number, called a “VLAN ID” or a “tag”, is written into the Ethernet frame itself, so that switches and routers can use this information to make switching decisions. A tagged frame is four bytes longer than an untagged frame and contains two bytes of Tag Protocol Identifier (TPID) and two bytes of Tag Control Information (TCI).

The FortiBalancer appliance supports Tag-based VLAN on all interfaces. Tag-based VLAN (also known as Trunking by some vendors) is where a tag is inserted into the Ethernet frame so that switches and routers can use this information to make switching decisions.

The FortiBalancer appliance’s VLAN can work in both the IPv4 and IPv6 network environments. Administrator can view all the IPv4 and IPv6-based VLAN configurations by executing the command “show interface”.

For example:

IPv4-based VLAN:

FortiBalancer(config)#show interface

……

V1(vlan1): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 1500 inet 10.8.66.96 netmask 0xffffff00 broadcast 10.8.66.255 ether 00:25:90:39:97:f3 media: autoselect status: no carrier

vlan : 3 parent interface: port1 webwall status: OFF packet drop (not permit): 0

tcp 0 udp 0 icmp 0 ah 0 esp 0 packet drop (deny): 0

tcp 0 udp 0 icmp 0 ah 0 esp 0

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

IPv6-based VLAN:

FortiBalancer(config)#show interface

……

V2(vlan2): flags=8843<UP,BROADCAST,RUNNING,SIMPLEX> mtu 1500 inet6 fe80::230:48ff:fe93:a73e prefixlen 64 scopeid 0xc ether 00:30:48:93:a7:41 media: autoselect status: no carrier

vlan : 20 parent interface: port2 webwall status: OFF packet drop (not permit): 0

tcp 0 udp 0 icmp 0 ah 0 esp 0 packet drop (deny): 0

tcp 0 udp 0 icmp 0 ah 0 esp 0

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

2.1.2 MNET

MNET (Multi-Netting) is used to assign more than one IP address on a physical interface. Here is an example for MNET:

A new Internet site is under development for a small corporation. The network administrator knows that the site will grow in the future but today there is no need for a complex network. A server is installed that will be used as Web server, FTP server, mail server, and the corporation’s DNS server. Later, when the use of the network services grows, new servers will be used for each of the functions.

When the time comes to address the current server, the administrator has a choice. A single IP address can be used on the server. Later when the new servers are needed, new IP addresses can be assigned to them.

Another way of assigning addresses can be used. The administrator can assign four IP addresses to the server. Each IP address will match the IP address to be used in the future on the new servers. The administrator now knows what addresses will be used and can create DNS entries for the new devices with the correct addresses. This process of providing more than one IP address on an interface is often called multi-netting.

The FortiBalancer appliance’s MNET can work in both the IPv4 and IPv6 network environments.

2.1.3 Port Forwarding

Port forwarding allows you to forward any traffic that is destined to an IP/port pair on the FortiBalancer appliance, to an IP/port pair on the inside network. External clients can directly access the internal servers via an address on the outside subnet.

Note: Port Forwarding feature cannot support FTP, users are recommended to use SLB feature instead.

For example, say that you are running SSH on a real server on the port2 interface subnet, and you want to connect to the server from a client in the outside. To get this information from the outside world to the desired inside IP/port pair, we will have to add a port forward on the FortiBalancer appliance.

Figure 2-1 Port Forwarding

2.1.4 NAT

NAT (Network Address Translation) is the translation of an IP address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. NAT is used when you want your real servers on the inside network to access the outside network. Using NAT, all packets will appear as though they came from the FortiBalancer appliance.

2.1.4.1 How NAT Works

When a client on the inside network contacts a machine on the outside network, it sends out IP packets destined for that machine. These packets contain all the addressing information necessary to get them to their destination.

When the packets pass through the NAT gateway, they will be modified so that they appear to be coming from the NAT gateway itself. The NAT gateway will record the changes it makes in its state table so that it can reverse the changes on return packets and ensure that return packets are passed through the firewall without being blocked.

NAT Traversal of PPTP

The FortiBalancer appliance supports NAT traversal of PPTP (Point-to-Point Tunneling Protocol). PPTP is a tunneling mechanism to transfer PPP (Point-to-Point Protocol) frames across intermediate networks. PPTP uses GRE (Generic Routing Encapsulation) encapsulation for PPP payload. However, typically GRE tunnels cannot traverse the NAT device (i.e. the FortiBalancer appliance). To resolve this problem, a PPTP NAT editor is used on the FortiBalancer appliance. This editor is an additional software component on the NAT device to perform translation for IP addresses, TCP ports, and call ID.

2.1.4.2 Supported NAT Types

The FortiBalancer appliance supports four types of NAT:

Static NAT

Mapping an IP address on one-to-one basis. By configuring static NAT, the FortiBalancer appliance maps an inside real IP address to a VIP address on the outside. For inbound traffic directed from an outside VIP, the traffic will be forwarded to a corresponding inside real IP without any change in the port number or protocol value. Thus, hosts on the inside network will be directly accessible via the VIP on the port1 interface. The outbound traffic coming from an inside host will use the corresponding outside VIP as the source IP for the outgoing traffic. The port number and protocol remain unchanged. TCP, UDP and ICMP are supported for static NAT.

In static NAT, the computer with the IP address (192.168.10.13) will be always translated into 10.10.0.3:

Figure 2-2 Static NAT

Port-level NAT

Mapping multiple inside real IP addresses to a single VIP address with a different port number assignment on the port1 interface. By configuring port-level NAT, the group of hosts on the inside network will be directly accessible via the VIP on the port1 interface.

In port-level NAT, the computers with the IP address in the range from 192.168.10.11 to 192.168.10.13 will be translated into 10.0.0.3 with a different port on the outside network:

Figure 2-3 Port-level NAT

If a port-level NAT is configured for an inside real IP address, static NAT should take precedence over the regular NAT policy. VIPs used by static NAT should not be used by regular NAT. Also, one static NAT VIP should not map to multiple real IP addresses.

IP pool-based dynamic NAT

Mapping one or multiple inside real IP addresses to an IP pool which contains multiple IP addresses. By configuring IP pool-based dynamic NAT, a group of hosts on the inside network will be translated into via the multiple IP addresses in IP pool.

As shown below, in IP pool-based dynamic NAT, the client IP addresses in the range from 192.168.10.11 to 192.168.10.13 will be translated into 10.0.0.1 to 10.0.0.3 and get connected to the Internet.

Figure 2-4 IP Pool-based Dynamic NAT

Destination IP based NAT

FortiBalancer supports NAT based on destination IP address. The destination IP based NAT can be performed only when the destination IP address is in the specified network segment and in the same network segment as the route gateway. If the gateway is set to the default value 0.0.0.0, the destination IP/IP pool for NAT and the route gateway should be within the same network segment.

Note: For IPv6 address, only TCP and UDP packets can be NATTed and no gateway can be configured.

Configuration Example via CLI

Step 1 Configure IP pool

FortiBalancer(config)#ip pool “pool1” 172.16.72.45 172.16.72.55

FortiBalancer(config)#ip pool “pool3” 3ffd::45 3ffd::46

Step 2 Configure destination NAT

FortiBalancer(config)#nat portdst “pool1” 172.16.72.0 255.255.255.0 500 172.16.72.101

FortiBalancer(config)#nat portdst “pool3” 3ff1:: 65 50

Check NAT configurations and statistics

The following two commands can be used to check the NAT configurations and statistics. Ø Check NAT table

FortiBalancer(config)#show nat table

From 172.16.73.108(5208) through 172.16.72.53(50776) to 172.16.72.77(80)

From 172.16.73.108(5200) through 172.16.72.53(50768) to 172.16.72.77(80)

From 172.16.73.108(5880) through 172.16.72.53(51448) to 172.16.72.77(80)

From 172.16.73.108(6008) through 172.16.72.53(51576) to 172.16.72.77(80)

From 3ffd::108(42720) through 3ffd (45672) to 3ff1::77(80)

From 3ffd::108(42728) through 3ffd (45680) to 3ff1::77(80)

From 3ffd::108(43336) through 3ffd (46288) to 3ff1::77(80)

From 3ffd::108(43376) through 3ffd (46328) to 3ff1::77(80)

From 3ffd::108(43464) through 3ffd (46416) to 3ff1::77(80)

From 3ffd::108(43408) through 3ffd (46360) to 3ff1::77(80)

From 3ffd::108(43840) through 3ffd (46792) to 3ff1::77(80)

From 3ffd::108(43896) through 3ffd (46848) to 3ff1::77(80)

Ø Check NAT statistics

FortiBalancer(config)#show statistics nat

nat portdst “pool1” 172.16.72.0 255.255.255.0 500 172.16.72.101 protol(total/current):icmp(1/1) udp(0/0) tcp(23724/251) nat portdst “pool3” 3ff1:: 65 50

protol(total/current):icmp(0/0) udp(0/0) tcp(23716/246)

2.1.5 Dynamic Routing

Dynamic Routing is a process in which routers automatically adjust to changes in network topology or traffic. It is more robust than static routing. Now, there are several protocols used to support dynamic routing including RIPv1 (Routing Information Protocol version 1), RIPv2 (Routing Information Protocol version 2) and OSPFv2 (Open Shortest Path First version 2) and OSPFv3 (Open Shortest Path First version 3).

Dynamic Routing is especially suitable for today’s large, constantly changed networks. It improves performance by allowing network routers to adjust to changes in the network topology. And it distributes routing information between routers and chooses the best path for the network, saving money and improving performance.

2.1.6 IP Pool

An IP pool contains multiple IP addresses from one IP segment. Administrators can use the pre-defined IP pools for NAT and SLB configurations.

For the NAT module, IP pool can be defined on the outside interface to realize translation of multiple outgoing IP addresses. This helps increase the concurrent capacity and fully utilize the IP resources. For the SLB module, IP pool can be defined for real server groups. Under the SLB reverse mode, when different real server groups are selected, FortiBalancer can select different IP addresses in IP pools to connect to real servers. This not only increases the concurrent connection capacity, but also provides a more flexible configuration method for administrators.

FortiBalancer appliance supports multiple IP pools, and at most 256 IP addresses can be added in one IP pool. The maximum number of IP pools allowed on the FortiBalancer appliance varies with different system memories. Please see the table below for details.

Table 2-1 Maximum IP Pool Entry

System Memory	Maximum IP Pool Number
4GB	32
8GB	64
16GB	128
32GB	256

Both IPv4 and IPv6 addresses can be configured in the IP pool.

When configuring the IP pool, please note:

Each IP pool should be assigned with a unique name in the system.
The IP addresses in one IP pool must belong to the same subnet.
The subnet can be the same between two or more pools.
One IP address can belong to multiple IP pools.
IP segment is composed of continuous IPs, and an IP pool can be composed of multiple IP segments.
IP addresses in IP pool must be legal.
- IP addresses which are not covered by any interface subnet are illegal.
- Broadcast IP address is illegal. IP with hostID 0 is illegal.

Pages: 1 2

Initial System Setup & Configuration – FortiBalancer

Leave a reply

Chapter 1 Initial System Setup & Configuration

1.1 Overview

This section will outline the initial connection, basic setup and configuration of the FortiBalancer appliance. The easy to follow setup steps are introduced below.

1.1.1 Connecting to FortiBalancer

There are three ways to connect to the FortiBalancer appliance in order to begin the configuration:

Console (recommended)
SSH
Web UI

1.1.1.1 Console Connection

If you choose the console connection, first connect the console cable (supplied) to the System Console Port on the FortiBalancer appliance, and then set up your console as follows:

Table 1-1 Console Setup

Setting	Value
Emulation	VT 100
Baud	9600
Number of Bits	8
Parity	No
Stop Bits	1
Flow Control	No

Open a connection between the console and the FortiBalancer appliance. Once this connection is opened, users will see the FortiBalancer appliance prompt and may begin the configuration process.

1.1.1.2 SSH Connection

Once the IP parameters are configured and the SSH service is activated, the FortiBalancer appliance is prepared for custom configuration. You may access the command line interface (CLI) using SSH connection. Below gives an example.

Note: If you require SSH software for Windows, Mac OS X or UNIX, it is available on-line at http://www.openssh.com.

To establish an SSH connection:

Step 1 Run the SSH program on your workstation

>> # ssh admin@10.3.55.251

10.3.55.251 is the FortiBalancer appliance’s IP address.

Step 2 After you establish a connection, the FortiBalancer appliance will ask you for a privilege password.

>> # ssh admin@10.3.55.251 >> # admin@10.3.55.251’s password:

Upon the first startup, the user will be prompted for login username and password. The default username is “admin”, and the default password is “admin”.

Note: You must have the IP information setup and basic network connectivity in order to access the box through SSH.

1.1.1.3 Web UI Connection

This section introduces the connection method via FortiBalancer web UI (Web User Interface). The FortiBalancer web UI can:

Improve user experience with fast response time
Maximize the functionality and performance of the FortiBalancer appliance
Simplify system management

If administrators want to take full advantage of the Web UI access to the FortiBalancer appliance, please first assign a valid and unique IP address and a port number to the web UI. For example:

FortiBalancer(config)#webui ip 10.10.0.2

FortiBalancer(config)#webui port 8888

On the FortiBalancer appliance, we use port1’s IP address as the default web UI IP address and the port 8888 as the default web UI port.

Then, turn on the web UI function:

FortiBalancer(config)#webui on

Now open your browser of choice and connect to the FortiBalancer appliance. To do this, simply type in the address bar as such:

https://10.10.0.2:8888

And now press “Enter”. The welcome screen should appear in your browser’s window, protected by the familiar prompt asking for user name and password. The default username and password is admin and admin, just as before. If this screen does not appear, verify the address and port designations for both the port1 interface and web UI port.

The FortiBalancer appliance web UI supports the following browsers:

IE (Recommended)

Firefox

Chrome

Browser resolution should be set to 1024×786 or higher.

1.1.2 Reading the LED

1.1.2.1 LEDs in the Front Panel

The FortiBalancer appliance possesses three LEDs in the front panel: one yellow, one green and one blue. The following is the usage description of each LED in the front panel.

Table 1-2 LEDs in the Front Panel

Color	Meaning	Description
Yellow	Fault	This light is always off when FortiBalancer appliance keeps normal. It means the following problems have come out if this light turns on: The CPU fan stops working.
Color	Meaning	Description
		The CPU is overheated (equal to or over 85℃). The system is overheated (equal to or over 75℃ on 1U appliances, or 85℃ on 2U appliances). One of the power supply modules breaks down (If the FortiBalancer appliance supports the dual power supply), the redundant power supply will turn on the Buzzer at the same time.
Green	Run	The green LED should blink each second when system is idle. CPU activity will be indicated by the blinking of this light; the faster the rate, the higher the CPU activity.
Blue	Power	Indication of power and the active state (off\|on) of the FortiBalancer appliance.

Note: If the yellow LED is lighted, please contact Customer Support. You can view system logs to get more information about the problem.

1.1.2.2 LEDs in the Rear Panel

The FortiBalancer appliance provides two LEDs for every Ethernet port in the rear panel:

Link LED: indicates the speed mode of the link, which can be 1 Gbps, 10 Mbps or 100 Mbps.
Activity LED: indicates the activity status of the network port.

The following table describes the meaning of each LED on the onboard and add-on NICs of the FortiBalancer appliance.

Table 1-3 LED for Ethernet Ports in Rear Panel

NIC Type	LED Name	Description
Onboard NIC	Link LED	The Link LED has the following indicator colors: Amber: The speed mode is 1 Gbps. Green: The speed mode is 100 Mbps. Off: No Connection or the speed mode is 10 Mbps.
Onboard NIC	Activity LED	The Activity LED has the following indicator colors: Yellow and blinking: Active Off: Inactive
Add-on NIC	Link LED	The Link LED has the Yellow indicator color, indicating 1 Gbps, 10 Mbps or 100 Mbps speed mode.
Add-on NIC	Activity LED	The Activity LED has the following indicator colors: Green and blinking: Active Off: Inactive

1.1.3 Command Line Interface Structure

In this section, you will be provided an overview of the Command Line Interface (CLI) covering the following topics:

Command Usage Breakdown
Levels of Access Control

1.1.3.1 Command Usage Breakdown

The CLI allows you to configure and control key functions of the FortiBalancer appliance to better manage the performance of your servers and the accessibility to the contents therein.

The FortiBalancer appliance software has been designed with specific enhancements to make interaction with the Appliance more user friendly, such as Shorthand. Shorthand is the intuitive method by which the Appliance completes CLI commands based on the first letters entered. Other user shortcuts are listed below:

Table 1-4 List of Shortcuts

CLI Shortcuts	Operation
^a/^e	Move the cursor to the beginning/end of a line.
^f/^b	Move the cursor forward/backward one character.
Esc-f	Move the cursor forward one word.
Esc-b	Move the cursor backward one word.
^d	Delete the character under the cursor.
^k	Delete from the cursor to the end of the line.
^u	Delete the entire line.

Note: The symbol “^” indicates holding down the Control (Ctrl) Key while pressing the letter that appears after the symbol.

The FortiBalancer CLI commands will generally adhere to the following style conventions: Table 1-5 FortiBalancer CLI Style Conventions

Style	Convention
Bold	The body of a CLI command is in Boldface.
Italic	CLI parameters are in Italic.
< >	Parameters in angle brackets < > are required.
[ ]	Parameters in square brackets [ ] are optional. Subcommand such as “no”, “show” and “clear” commands.
{x\|y\|…}	Alternative items are grouped in braces and separated by vertical bars. At least one should be selected.
[x\|y\|…]	Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.

For example:

ip address {system_ifname|mnet_ifname|vlan_ifname|bond_ifname} <ip_address> {netmask|prefix}

Note: If a string we input for configuring a parameter starts with figure, or the string contains spaces, we must put the configuration string within double quotes to make sure that we can configure the command correctly.

1.1.3.2 Levels of Access Control

The FortiBalancer appliance’s Command Line Interface offers three levels of configuration and access to the OS. The CLI prompt of each level consists of the host name of the FortiBalancer appliance followed by a unique cursor prompt, either “>”, “#” or “(config)#”.

The first level is for basic network troubleshooting and is called the User level. At this level, the user is only authorized to operate some very basic commands and non-critical functions such as ping and traceroute. Here is how the User level prompt appears in the CLI.

FortiBalancer>

The second level of administration is the Enable level. Users at this level have access to a majority of view only commands such as “show version”. Users in the Enable level may execute commands from both the User and Enable levels. In order to gain access to this level of appliance management, the user must employ the command “enable”. Once this command is entered, the FortiBalancer appliance prompts the user for the appropriate password. If correct password is entered, the CLI prompt will change from “FortiBalancer>” to “FortiBalancer#”, which means the user is granted access to the Enable level. The default password for the Enable level is null, i.e. users simply need to press “Enter”.

FortiBalancer>enable Enable password:

FortiBalancer#

The final access level is the Config level. It is with this level of authority that the user can make changes to the configuration of the box. No two users can access the Config level at the same time. Once a user has gained access to this level, he or she can implement commands in all three levels. To gain access to the full configurable functions of the FortiBalancer appliance, the user must use the following command:

FortiBalancer#config terminal

Once this command is entered, the CLI prompt will change to:

FortiBalancer(config)#

In the event that Config level is not available because another Config level session has been opened, the administrator can deploy the following command to gain access to the Config level:

FortiBalancer#config terminal force

WARNING:

You are forcing other user to exit configuration mode.

In case the other user is actively changing the system configuration, the result may be unpredictable.

Do you still want to force into Configuration Mode “YES” or “NO”:

Type “YES” and press “Enter”. You will enter the Config level successfully.

For each level the user can type “?” for available commands. For example, entering

“FortiBalancer(config)#slb real ?” will prompt users with all the possible parameters or protocols the CLI will accept with the “slb real” command.

FortiBalancer(config)#slb real ? [enter]

activation Recovery and warm-up time of real service disable Remove real service from load balancing dns Define SLB DNS real service enable Activate real service for load balancing ftp Define SLB FTP real service

Pages: 1 2

Filter Syntax – FortiAuthenticator 4.0

Leave a reply

Filter Syntax

This chapter outlines some basic filter syntax that is used to select users and groups in LDAP User Import, Dynamic LDAP Groups, and Remote User Sync Rules.

Filters are constructed using logical operators:

=	Equal to
~=	Approximately equal to
<=	Lexicographically less than or equal to
>=	Lexicographically greater than or equal to
&	AND
\|	OR
!	NOT

Filters can consist of multiple elements, such as (&(filter1)(filter2)). More information about the query syntax of AD filters, see the following web sites:

Examples

The following examples are for a Windows 2008 AD server with the domain corp.example.com, default domain administrators and users, and an additional group called FW_Admins:

l Users (CN) = atano, pjfry, tleela, tbother l FW_Admins (Security Group) = atano, tbother

An unfiltered browse will return all results from the query, including system and computer accounts. To prevent this and only return user accounts, apply the filter (objectClass=person) or (objectCategory=user).

Even if unfiltered, only user accounts will be imported, so this is only required to clean up the results that are displayed in the GUI.

To filter and return only members of the security group: (&(objectCategory=user)(memberOf=CN=FW_ Admin,DC=corp,DC=example,DC=com)).

It is not possible to use the filter to limit results to CNs or OUs. To achieve this, you must change the Base DN in the LDAP Server configuration. For example, to return only users from the CompanyA OU, create an LDAP Server entry with the following Base DN: OU=CompanyA,DC=corp,DC=example,DC=com.

Filter Syntax

Caveats

Users do not always have a memberOf property for their primary group, this means that querying system groups, such as Domain Users, may return zero results. This can be confusing as these are often the first queries to be tried, and can lead the user to think the filter syntax is incorrect.

For example: (memberOf=CN=Domain Users,CN=Domain

Admins,DC=corp,DC=example,DC=com) will return no valid results.

To return all users in such a group, the filter can be made against the ID value of the Primary Group. So, for Domain Users (Group ID = 513), the filter would be: (primaryGroupId=513). 163

Troubleshooting – FortiAuthenticator 4.0

Leave a reply

Troubleshooting

This chapter provides suggestions to resolve common problems encountered while configuring and using your FortiAuthenticator device, as well as information on viewing debug logs.

For more support, contact Fortinet Customer Service & Support (support.fortinet.com).

Before starting, please ensure that your FortiAuthenticator device is plugged in to an appropriate, and functional, power source.

Troubleshooting

The following table describes some of the basic issues that can occur while using your FortiAuthenticator device, and suggestions on how to solve said issues.

Problem	Suggestions
All user log in attempts fail, there is no response from the FortiAuthenticator device, and there are no entries in the system log.	l Check that the authentication client has been correctly configured. See Adding a FortiAuthenticator unit to your network on page 16. If the authentication client is not configured, all requests are silently dropped. l Verify that traffic is reaching the FortiAuthenticator device. Is there an intervening Firewall blocking 1812/UDP RADIUS Authentication traffic, is the routing correct, is the authentication client configured with correct IP address for the FortiAuthenticator unit, etc.
All user log in attempts fail with the message RADIUS ACCESS-REJECT, and invalid password shown in the logs.	l Verify that the authentication client secrets are identical to those on the FortiAuthenticator unit.
Generally, user log in attempts are successful, however, an individual user authentication attempt fails with invalid password shown in the logs.	l Reset the user’s password and try again. See Editing a user on page 60. l Have the user privately show their password to the administrator to check for unexpected characters (possibly due to keyboard regionalization issues).

159

Troubleshooting Debug logs

Problem

Suggestions

Generally, user log in attempts are successful, however, an individual user authentication attempt fails with invalid token shown in the logs.

l Verify that the user is not trying to use a previously used PIN. Tokens are One Time Passwords, so you cannot log in twice with the same PIN.

l Verify that the time and timezone on the FortiAuthenticator unit are correct and, preferably, synchronised using NTP. See Configuring the system time, time zone, and date on page 27.

l Verify that the token is correctly synchronized with the

FortiAuthenticator unit, and verify the drift by synchronizing the token. See FortiToken drift adjustment on page 75.

l Verify the user is using the token assigned to them (validate the serial number against the FortiAuthenticator unit configuration). See User management on page 57.

l If the user is using an e-mail or SMS token, verify it is being used within the valid timeout period. See Lockouts on page 55.

Debug logs

Extended debug logs can be accessed by using your web browser to browse to https://<FortiAuthenticator IP Address>/debug.

Debug logs Troubleshooting

Service	Select the service whose logs are shown from the drop-down list: l FSSO Agent l GUI l HA l LDAP l RADIUS Accounting l RADIUS Authentication l SNMP l Startup l Web Server
Enter debug mode	If RADIUS Authentication is selected as the service, the option to enter the debug mode is available. See RADIUS debugging on page 161.
Search	Enter a search term in the search field, then select Search to search the debug logs.
Page navigation	Use the First Page, Previous Page, Next Page, and Last Page icons to navigated through the logs.
Show	Select the number of lines to show per page from the drop-down list. The options are: 100 (default), 250, and 500.

RADIUS debugging

RADIUS authentication debugging mode can be accessed to debug RADIUS authentication issues.

In the debug logs screen, select RADIUS Authentication from the Service drop-down list, then select Enter debug mode from the toolbar.

Enter the username and password then select OK to test the RADIUS authentication and view the authentication response and returned attributes.

Select Exit debug mode to deactivate the debugging mode.

Logging – FortiAuthenticator 4.0

Leave a reply

Logging

Accounting is an important part of FortiAuthenticator. The Logging menu tree provides a record of the events that have taken place on the FortiAuthenticator unit.

Log access

To view the log events table, go to Logging > Log Access > Logs.

The following options and information are available:

Refresh	Refresh the log list.
Download Raw Log	Export the FortiAuthenticator log to your computer as a text file named fac.log.
Log Type Reference	Select to view the log type reference dialog box. See Log type reference on page 155.
Debug Report	Select to download the debug report to your computer as a file named report.dbg.
Search	Enter a search term in the search field, then select Search to search the log message list. The search string must appear in the Message portion of the log entry to result in a match. To prevent each term in a phrase from being matched separately, multiple keywords must be in quotes and be an exact match. After the search is complete the number of positive matches will be displayed next to the Search button, with the total number of log entries in brackets following. Select the total number of log entries to return to the full list. Subsequent searches will search all the log entries, and not just the previous search’s results.
ID	The log message’s ID.
Timestamp	The time the message was received.

Log access Logging

Level	The log severity level: l Emergency: The system has become unstable. l Alert: Immediate action is required. l Critical: Functionality is affected. l Error: An erroneous condition exists, and functionality is probably affected. l Warning: Functionality could be affected. l Notification: Information about normal events. l Information: General information about system operations. l Debug: Detailed information useful for debugging purposes.
Category	The log category, which is always Event. See Log type reference on page 155.
Sub category	The log subcategory. See Log type reference on page 155.
Type id	The log type ID.
Action	The action which created the log message, if applicable.
Status	The status of the action that created the log message, if applicable.
NAS name/IP	The NAS name or IP address of the relevant device if an authentication action fails.
Short message	The log message itself, sometimes slightly shortened.
User	The user to whom the log message pertains.

To view log details:

From the log list, select the log whose details you need to view by clicking anywhere within the log’s row. The Log Details pane will open on the right side of the window.

After viewing the log details, select the close icon in the top right corner of the pane to close the details pane. Log type reference

Select Log Type Reference in the log list toolbar to open the log type reference dialog box.

The following information and options are available:

Search		Enter a search term in the search field, then select Search to search the log type reference.
Type id		The log type ID.
>Name		The name of the log type.

155

Logging Log access

Sub category	The log type subcategory, one of: Admin Configuration, Authentication, System, High Availability, UserPortal, or Web Service.
Category	The log type category, which is always Event.
Description	A brief description of the log type.

To close the Log Type Reference dialog box, select close above the top right corner of the box, or simply click anywhere outside of the box within the log list.

Log configuration Logging

Sort the log messages

The log message table can be sorted by any column. To sort the log entries by a particular column, select the title for that column. The log entries will now be displayed based on data in that column in ascending order. Select the column heading again to sort the entries in descending order. Ascending or descending is displayed with an arrow next to the column title, an up arrow for ascending and down arrow for descending.

Log configuration

Logs can be remotely backed up to an FTP server, automatically deleted, and sent to a remote syslog server in lieu of storing them locally.

Log settings

To configure log backups, automatic deletion, and remote storage, go to Logging > Log Config > Log Setting.

To configure log backups:

In the log settings window, select Enable remote backup in the Log Backup
Select the frequency of the backups in the Frequency field as either Daily, Weekly, or Monthly.
Configure the time of day that the backup will occur in one of the following ways:

l Enter a time in the Time field l Select Now to enter the current time l Select the clock icon and choose a time from the pop-up menu: Now, Midnight, 6 a.m., or Noon.

Select an FTP server from the drop-down list in the FTP server For information on configuring an FTP server, see FTP servers on page 44.
Select OK to save your settings.

To configure automatic log deletion:

In the log settings window, select Enable log auto-deletion in the Log Auto-Deletion
In the Auto-delete logs older than field, select day(s), week(s), or month(s) from the drop-down list, then enter the number of days, weeks, or months after which a log will be deleted.
Select OK to save your settings.

157

Logging Log configuration

To configure logging to a remote syslog server:

In the log settings window, select Send logs to remote Syslog servers in the Remote Syslog
Move the syslog servers to which the logs will be sent from the Available syslog servers box to the Chosen syslog servers

For information on adding syslog servers, see Syslog servers on page 158.

Select OK to save your settings.

Syslog servers

Syslog servers can be used to store remote logs. To view the syslog server list, go to Logging > Log Config > Syslog Servers.

Create New		Add a new syslog server.
Delete		Delete the selected syslog server or servers.
Edit		Edit the selected syslog server.
Name		The syslog server name on the FortiAuthenticator unit.
Server name/IP		The server name or IP address, and port number.

To add a syslog server:

From the syslog servers list, select Create New. The Create New Syslog Server window opens.
Enter the following information:

Name	Enter a name for the syslog server on the FortiAuthenticator unit.
Server name/IP	Enter the syslog server name or IP address.
Port	Enter the syslog server port number. The default port is 514.
Level	Select a log level to store on the remote server from the drop-down list. See Level on page 155.
Facility	Select a facility from the drop-down list.

Select OK to add the syslog server.

Certificate Management – FortiAuthenticator 4.0

Leave a reply

Certificate Management

This section describes managing certificates with the FortiAuthenticator device.

FortiAuthenticator can act as a CA for the creation and signing of X.509 certificates, such as server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPSEC VPN.

The FortiAuthenticator unit has several roles that involve certificates:

Certificate authority	The administrator generates CA certificates that can validate the user certificates generated on this FortiAuthenticator unit. The administrator can import other authorities’ CA certificates and Certificate Revocation Lists (CRLs), as well as generate, sign, and revoke user certificates. See End entities on page 133 for more information.
SCEP server	A SCEP client can retrieve any of the local CA certificates (Local CAs on page 140), and can have its own user certificate signed by the FortiAuthenticator unit CA.
Remote LDAP Authentication	Acting as an LDAP client, the FortiAuthenticator unit authenticates users against an external LDAP server. It verifies the identity of the external LDAP server by using a trusted CA certificate, see Trusted CAs on page 147.
EAP Authentication	The FortiAuthenticator unit checks that the client’s certificate is signed by one of the configured authorized CA certificates, see Certificate authorities on page 140. The client certificate must also match one of the user certificates, see End entities on page 133.

Any changes made to certificates generate log entries that can be viewed at Logging > Log Access > Logs. See Logging on page 154.

This chapter includes the following sections:

l Policies l End entities l Certificate authorities l SCEP

Policies

The policies section includes global configuration settings which are applied across all certificate authorities and end-entity certificates created on the FortiAuthenticator device.

Certificate expiry

Certificate expiration settings can be configured in Certificate Management > Policies > Certificate Expiry.

The following settings can be configured:

Warn when a certificate is about to expire	Enable sending a warning message to an administrator before a certificate expires.
Send a warning e-mail	Enter the number of days before the certificate expires that the email will be sent.
Administrator’s e-mail	Enter the email address to which the expiry warning message will be sent.

Select OK to apply any configuration changes.

End entities

User and server certificates are required for mutual authentication on many HTTPS, SSL, and IPsec VPN network resources. You can create a user certificate on the FortiAuthenticator device, or import and sign a CSR. User certificates, client certificates, or local computer certificates are all the same type of certificate.

To view the user certificate list, go to Certificate Management > End Entities > Users. To view the server certificate list, go to Certificate Management > End Entities > Local Services.

The following information is available:

Create New		Create a new certificate.
Import		Select to import a certificate signed by a third-party CA for a previously generated CSR (see To import a local user certificate: on page 138 and To import a server certificate: on page 138) or to import a CSR to sign (see To import a CSR to sign: on page 138).
Revoke		Revoke the selected certificate. See To revoke a certificate: on page 139.
Delete		Delete the selected certificate.
Export Certificate		Save the selected certificate to your computer.
Export PKCS#12		Export the PKCS#12. This is only available for user certificates.
Search		Enter a search term in the search field, then press Enter to search the certificate list.
Filter		Select to filter the displayed certificates by status. The available selections are: All, Pending, Expired, Revoked, and Active.
Certificate ID		The certificate ID.
Subject		The certificate’s subject.
Issuer		The issuer of the certificate.
Status		The status of the certificate, either active, pending, or revoked.

Certificates can be created, imported, exported, revoked, and deleted as required. CSRs can be imported to sign, and the certificate detail information can also be viewed, see To view certificate details: on page 140.

To create a new certificate:

To create a new user certificate, go to Certificate Management > End Entities > Users. To create a new server certificate, go to Certificate Management > End Entities > Local Services.
Select Create New to open the Create New UserCertificate or Create New ServerCertificate
Configure the following settings:

Certificate ID	Enter a unique ID for the certificate.
Certificate Signing Options
Issuer	Select the issuer of the certificate, either Local CA or Third-party CA. Selecting Third-party CA generates a CSR that is to be signed by a third-party CA.
Local User (Optional)	If Local CA is selected as the issuer, you may select a local user from the drop-down list to whom the certificate will apply.This option is only available when creating a new user certificate.
Certificate authority	If Local CA is selected as the issuer, select one of the available CAs configured on the FortiAuthenticator unit from the drop-down list. The CA must be valid and current. If it is not you will have to create or import a CA certificate before continuing. See Certificate authorities on page 140.
Subject Information
Subject input method	Select the subject input method, either Fully distinguished name or Field-by-field.
Fully distinguished name	If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes.Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.
Field-by-field	If the subject input method is Field-by-field, enter the subject name in the Name (CN) field, and optionally enter the following fields: l Department (OU) l Company (O) l City (L) l State/Province (ST) l Country (C) (select from drop-down list) l E-mail address
Key and Signing Options
Validity period	Select the amount of time before this certificate expires. This option is only available when Issuer is set to Local CA. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.
Key type	The key type is set to RSA.
Key size	Select the key size from the drop-down list: 1024, 2048, or 4096 bits.
Hash algorithm	Select the hash algorithm from the drop-down list, either SHA-1 or SHA-256.

Subject Alternative Name	Subject Alternative Names (SAN) allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard. For example, SANs are used to protect multiple domain names such as www.example.com and www.example.net, in contrast to wildcard certificates that can only protect all first-level subdomains on one domain, such as *.example.com.
Email	Enter the email address of a user to map to this certificate.
User Principal Name (UPN)	Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
Other Extensions	This option is only available when creating a new user certificate, and when Issuer is set to Local CA.
Add CRL Distribution Points extension	Select to add CRL distribution points extension to the certificate. Note: Once a certificate is issued with this extension, the server must be able to handle the CRL request at the specified location. A DNS domain name must be configured. If it has not been, select Edit DNS name to configure one. See DNS on page 31.
Use certificate for Smart Card logon	Select to use the certificate for smart card logon.
Advanced Options: Key Usages	Some certificates require the explicit presence of key usage attributes before the certificate can be accepted for use.
Digital Signature	a high-integrity signature that assures the recipient that a message was not altered in transit
Non Repudiation	an authentication that is deemed as genuine with high assurance
Key Encipherment	uses the public key to encrypt private or secret keys
Data Encipherment	uses the public key to encrypt data
Key Agreement	an interactive method for multiple parties to establish a cryptographic key, based on prior knowledge of a password
Certificate Sign	a message from an applicant to a certificate authority in order to apply for a digital identity certificate
CRL Sign	a Certificate Revocation List (CRL) Sign states a validity period for an issued certificate
Encipher Only	information will be converted into code only
Decipher Only	code will be converted into information only
Advanced Options: Extended Key Usages	Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use.

Server Authentication	authentication will only be granted when the user submits their credentials to the server
Client Authentication	authentication will be granted to the server by exchanging a client certificate
Code Signing	used to confirm the software author, and guarantees that the code has not been altered or corrupted through use of a cryptographic hash
Secure Email	a secure email sent over SSL encryption
OCSP Signing	Online Certificate Status Protocol (OCSP) Signing sends a request to the server for certificate status information. The server will send back a response of “current”, “expired”, or “unknown”. OCSP permits a grace period to users or are expired, allowing them a limited time period to renew. This is usually used over CRL.
IPSec End System
IPSec Tunnel Termination	IPSec SAs (Security Associations) are terminated through deletion or by timing out
IPSec User
IPSec IKE Intermediate (end entity)	An intermediate certificate is a subordinate certificate issued by a trusted root specifically to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate CA (or CAs) and ending with the SSL certificate issued to you.
Time Stamping
Microsoft Individual Code Signing	user submits information that is compared to an independent consumer database to validate their credentials
Microsoft Commercial Code Signing	user submits information that proves their identity as corporate representatives
Microsoft Trust List Signing	uses a Certificate Trust List (CTL), a list of hashes of certificates. The list is comprised of pre-authenticated items that were approved by a trusted signing entity
Microsoft/Netscape Server Gated Crypto	a defunct mechanism that stepped up 40-bit and 50-bit to 128-bit cipher suites with SSL
Microsoft Encrypted File System	the Encrypted File System (EFS) enables files to be transparently encrypted to protect confidential data
Microsoft EFS File Recovery	the certificate will be granted on the condition it has an EFS file recovery agent prepared
Smart Card Logon	the certificate will be granted on the condition that the user logs on to the network with a smart card
EAP over PPP/LAN	Extensible Authentication Protocol (EAP) will operate within either a Point-to-Point Protocol (PPP) or Local Area Network (LAN) framework
KDC Authentication	an Authentication Server (AS) forwards usernames to a key distribution center (KDC), which issues an encrypted, time stamped ticket back to the user

Select OK to create the new certificate.

To import a local user certificate:

Go to Certificate Management > End Entities > Users and select Import.
In the Import Signing Request orCertificate window, in the Type field, select Local certificate.
Select .. to locate the certificate file on your computer.
Select OK to import the certificate.

To import a server certificate:

to Certificate Management > End Entities > Local Services and select Import.
In the Import Certificate window, select .. to locate the certificate file on your computer.
Select OK to import the certificate.

To import a CSR to sign:

Go to Certificate Management > End Entities > Users and select Import.
In the Import Signing Request orCertificate window, in the Type field, select CSR to sign.
Configure the following settings:

Certificate ID	Enter a unique ID for the certificate.
CSR file (.csr, .req)	Select Browse… then locate the CSR file on your computer.
Certificate Signing Options
Certificate authority		Select one of the available CAs configured on the FortiAuthenticator from the drop- down list. The CA must be valid and current. If it is not you will have to create or import a CA certificate before continuing. See Certificate authorities on page 140.
Validity period		Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires
Hash algorithm		Select the hash algorithm from the drop-down list, either SHA-1 or SHA256.
Subject Alternative Name
Email		Enter the email address of a user to map to this certificate.
User Principal Name (UPN)		Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique the Windows Server domain. This is a form of one-to-one mapping.
Other Extensions
Add CRL Distribution Points extension		Select to add CRL distribution points extension to the certificate. Note: Once a certificate is issued with this extension, the server must be able to handle the CRL request at the specified location. A DNS domain name must be configured. If it has not been, select Edit DNS name to configure one. See DNS on page 31.
Use certificate for Smart Card logon		Select to use the certificate for smart card logon. This option can only be selected concurrently with Add CRL Distribution Points extension.

Select OK to import the CSR.

To revoke a certificate:

Go to Certificate Management > End Entities > Users or to Certificate Management > End Entities > Local Services.
Select the certificate the will be revoked, then select Revoke. The Revoke UserCertificate or Revoke Server Certificate window opens.
Select a reason for revoking the certificate from the Reason code drop-down list. The reasons available are:

l Unspecified l Key has been compromised l CA has been compromised l Changes in affiliation l Superseded l Operation ceased l On Hold

Some of these reasons are security related (such as the key or CA being compromised), while others are more business related; a change in affiliation could be an employee leaving the company; Operation ceased could be a project that was cancelled.

Select OK to revoke the certificate.

To view certificate details:

From the certificate list, select a certificate ID to open the Certificate Detail Information window.

Select Edit next to the Certificate ID field to change the certificate ID. If any of this information is out of date or incorrect, you will not be able to use this certificate. If this is the case, delete the certificate and re-enter the information in a new certificate, see To create a new certificate: on page 134. Select Close to return to the certificate list.

Pages: 1 2 3 4

RADIUS Single Sign On – FortiAuthenticator 4.0

Leave a reply

RADIUS Single Sign-On

A FortiGate or FortiMail unit can transparently identify users who have already authenticated on an external RADIUS server by parsing RADIUS accounting records. However, this approach has potential difficulties:

The RADIUS server is business-critical IT infrastructure, limiting the changes that can be made to the server configuration.
In some cases, the server can send accounting records only to a single endpoint. Some network topologies may require multiple endpoints.

The FortiAuthenticator RADIUS Accounting Proxy overcomes these limitations by proxying the RADIUS accounting records, modifying them, and replicating them to the multiple subscribing endpoints as needed.

RADIUS accounting proxy

The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server, transforms them, and then forwards them to multiple FortiGate or FortiMail devices for use in RADIUS Single Sign-On. This differs from the packet use of RADIUS accounting (RADIUS accounting on page 115).

The accounting proxy needs to know:

l Rule sets to define or derive the RADIUS attributes that the FortiGate unit requires, l The source of the RADIUS accounting records: the RADIUS server, l The destination(s) of the accounting records: the FortiGate units using this information for RADIUS SSO authentication.

General settings

General RADIUS accounting proxy settings can be configure by going to Fortinet SSO Methods > Accounting Proxy > General.

The following settings are available:

Log level	Select Debug, Info, Warning, or Error as the minimum severity level of event to log from the drop-down list.
Group cache lifetime	Enter the amount of time after which user group memberships will expire in the cache, from 1 to 10080 minutes (7 days). The default is 480 minutes.
Number of proxy retries	Enter the number of times to retry proxy requests if they timeout, from 0 to 3 retries, where 0 disables retries. The default is 3 retries.
Proxy retry timeout	Enter the retry period (timeout) of a proxy request, from 1 to 10 seconds.
Statistics update period	Enter the time between statistics updates to the seconds debug log, from 1 to 3600 seconds (1 hour).

Select OK to apply your changes.

accounting proxy RADIUS

Rule sets

A rule set can contain multiple rules. Each rule can do one of:

l add an attribute with a fixed value l add an attribute retrieved from a user’s record on an LDAP server l rename an attribute to make it acceptable to the accounting proxy destination.

The FortiAuthenticator unit can store up to 10 rule sets. You can provide both a name and a description to each rule set to help you remember each rule set’s purpose.

Rules access RADIUS attributes of which there are both standard attributes and vendor-specific attributes (VSAs). To select a standard attribute, select the Default vendor. See RADIUS attributes on page 72.

To view the accounting proxy rule set list, go to Fortinet SSO Methods > Accounting Proxy > Rule Sets.

To add RADIUS accounting proxy rule sets:

From the rule set list, select Create New. The Create New Rule Set window opens.
Enter the following information:

Name	Enter a name to use when selecting this rule set for an accounting proxy destination.
Description	Optionally, enter a brief description of the rule’s purpose.
Rules	Enter one or more rules.

Single Sign-On RADIUS accounting proxy

Action	The action for each rule can be either Add or Modify. l Add: add either a static value or a value derived from an LDAP server. l Modify: rename an attribute.
Attribute	Select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Attribute 2	If the action is set to Modify, a second attribute may be selected. The first attribute will be renamed to the second attribute.
Value Type	If the action is set to Add, select a value type from the drop-down list. l Static value: adds the attribute in the Attribute field containing the static value in the Value field. l Group names: adds attribute in the Attribute field containing “Group names” from the group membership of the Username Attribute on the remote LDAP server. l Services: adds attribute in the Attribute field containing “Services” from the group membership of the Username Attribute on the remote LDAP server. l UTM profile groups: adds attribute in the Attribute field containing “UTM profile groups” from the group membership of the Username Attribute on the remote LDAP server.
Value	If the action is set to Add and Value Type is set to Static value, enter the static value.
Username Attribute	If the action is set to Add, and Value Type is not set to Static value, specify an attribute that provides the user’s name, or select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Remote LDAP	If the attribute addition requires an LDAP server, select one from the dropdown list. See LDAP on page 88 for information on remote LDAP servers.
Description	A brief description of the rule is provided.
Add another rule	Select to add another rule to the rule set.

Select OK to create the new rule set.

Example rule set

The incoming accounting packets contain the following fields:

User-Name l NAS-IP-Address l Fortinet-Client-IP-Address

The outgoing accounting packets need to have these fields:

accounting proxy RADIUS

User-Name l NAS-IP-Address l Fortinet-Client-IP-Address l Session-Timeout: Value is always 3600 l Fortinet-Group-Name: Value is obtained from user’s group membership on remote LDAP l Service-Type: Value is obtained from user’s group membership and SSO Group Mapping

The rule set needs three rules to add Session-Timeout, Fortinet-Group-Name, and Service-Type. The following image provides an example:

Sources

The RADIUS accounting proxy sources list can be viewed in Fortinet SSO Methods > Accounting Proxy > Sources. Sources can be added, edited, and deleted as needed.

To add a RADIUS accounting proxy source:

From the source list, select Create New. The Create New RADIUS Accounting Proxy Source window opens.
Enter the following information:

Name

Enter the name of the

This is used in FortiAuthenticator configurations.

RADIUS

server.

Single Sign-On RADIUS accounting proxy

Source name/IP	Enter the FQDN or IP address of the server.
Secret	Enter the shared secret required to access the server.
Description	Optionally, enter a description of the source.

Select OK to add the RADIUS accounting proxy source.

Destinations

The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users. When defining the destination, you also specify the source of the records (a RADIUS client already defined as a source) and the rule set to apply to the records.

To view the RADIUS accounting proxy destinations list, go to Fortinet SSO Methods > Accounting Proxy > Destinations.

To add a RADIUS accounting proxy destinations:

From the destinations list, select Create New. The Create New RADIUS Accounting Proxy Destination window opens.
Enter the following information:

Name	Enter a name to identify the destination device in your configuration.
Destination name/IP	Enter The FQDN or IP address of the FortiGate that will receive the RADIUS accounting records.
Secret	Enter the preshared key of the destination.
Source	Select a RADIUS client defined as a source from the drop-down list. See Sources on page 127.
Rule set	Select an appropriate rule set from the drop-down list or select Create New to create a new rule set. See Rule sets on page 125.

Select OK to add the RADIUS accounting proxy destination.