Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Managing Guest Access

1 Reply

Managing Guest Access

Visitors to your premises might need user accounts on your network for the duration of their stay. If you are hosting a large event such as a conference, you might need to create many such temporary accounts. The FortiOS Guest Management feature is designed for this purpose.

A guest user account User ID can be the user’s email address, a randomly generated string, or an ID that the administrator assigns. Similarly, the password can be administrator-assigned or randomly generated.

You can create many guest accounts at once using randomly-generated User IDs and passwords. This reduces administrator workload for large events.

 

Users view of guest access

1. The user receives an email, SMS message, or printout from a FortiOS administrator listing a User ID and password.

2. The user logs onto the network with the provided credentials.

3. After the expiry time, the credentials are no longer valid.

 

Administrators view of guest access

1. Create one or more guest user groups.

All members of the group have the same characteristics: type of User ID, type of password, information fields used, type and time of expiry.

2. Create guest accounts using Guest Management.

3. Use captive portal authentication and select the appropriate guest group.

 

Configuring guest user access

To set up guest user access, you need to create at least one guest user group and add guest user accounts. Optionally, you can create a guest management administrator whose only function is the creation of guest accounts in specific guest user groups. Otherwise, any administrator can do guest management.

 

Creating guest management administrators

To create a guest management administrator

1. Go to System > Admin > Administrators and create a regular administrator account.

For detailed information see the System Administration chapter.

2. Select Restrict to Provision Guest Accounts.

3. In Guest Groups, add the guest groups that this administrator manages.

 

Creating guest user groups

The guest group configuration determines the fields that are provided when you create a guest user account.

 

To create a guest user group:

1. Go to User & Device > User > User Groups and select Create New.

2. Enter the following information:

Name                                           Enter a name for the group.

Type                                            Guest


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2 3 4 5

Viewing, editing and deleting user groups

Leave a reply

Viewing, editing and deleting user groups

To view the list of FortiGate user groups, go to User & Device > User > User Groups.

 

Editing a user group

When editing a user group in the CLI you must set the type of group this will be — either a firewall group, a Fortinet Single Sign-On Service group (FSSO), a Radius based Single Sign-On Service group (RSSO), or a guest group. Once the type of group is set, and members are added you cannot change the group type without removing the members.

In the web-based manager, if you change the type of the group any members will be removed automatically.

 

To edit a user group – web-based manager:

1. Go to User & Device > User > User Groups.

2. Select the user group that you want to edit.

3. Select the Edit button.

4. Modify the user group as needed.

5. Select OK.

 

 

To edit a user group – CLI example:

This example adds user3 to Group1. Note that you must re-specify the full list of users:

config user group edit Group1

set group-type firewall

set member user2 user4 user3 end

 

 

Deleting a user group

Before you delete a user group, you must ensure there are no objects referring to, it such as security policies. If there are, you must remove those references before you are able to delete the user group.

 

To remove a user group – web-based manager:

1. Go to User & Device > User > User Groups.

2. Select the user group that you want to remove.

3. Select the Delete button.

4. Select OK.

 

 

To remove a user group – CLI example:

config user group delete Group2

end

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring Peer user groups

Leave a reply

Configuring Peer user groups

Peer user groups can only be configured using the CLI. Peers are digital certificate holders defined using the config user peer command. The peer groups you define here are used in dialup IPsec VPN configurations that accept RSA certificate authentication from members of a peer certificate group.

 

To create a peer group – CLI example:

config user peergrp edit vpn_peergrp1

set member pki_user1 pki_user2 pki_user3 end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

SSO user groups

Leave a reply

SSO user groups

SSO user groups are part of FSSO authentication and contain only Windows or Novell network users. No other user types are permitted as members. Information about the Windows or Novell user groups and the logon activities of their members is provided by the Fortinet Single Sign On (FSSO) which is installed on the network domain controllers.

You can specify FSSO user groups in security policies in the same way as you specify firewall user groups. FSSO user groups cannot have SSL VPN or dialup IPsec VPN access.

For information about configuring FSSO user groups, see Creating Fortinet Single Sign-On (FSSO) user groups on page 589. For complete information about installing and configuring FSSO, see Agent-based FSSO on page 553.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Troubleshooting FSSO

Leave a reply

Troubleshooting FSSO

When installing, configuring, and working with FSSO some problems are quite common. A selection of these problems follows including explanations and solutions.

Some common Windows AD problems include:

  • General troubleshooting tips for FSSO
  • Users on a particular computer (IP address) can not access the network
  • Guest users do not have access to network

 

General troubleshooting tips for FSSO

The following tips are useful in many FSSO troubleshooting situations.

  • Ensure all firewalls are allowing the FSSO required ports through.

FSSO has a number of required ports that must be allowed through all firewalls or connections will fail. These include: ports 139, 389 (LDAP), 445, 636 (LDAP).

  • Ensure there is at least 64kbps bandwidth between the FortiGate unit and domain controllers. If there is insufficient bandwidth, some FSSO information might not reach the FortiGate unit. The best solution is to configure traffic shaping between the FortiGate unit and the domain controllers to ensure that the minimum bandwidth is always available.

 

Users on a particular computer (IP address) can not access the network

Windows AD Domain Controller agent gets the username and workstation where the logon attempt is coming from. If there are two computers with the same IP address and the same user trying to logon, it is possible for the authentication system to become confused and believe that the user on computer_1 is actually trying to access computer_2.

Windows AD does not track when a user logs out. It is possible that a user logs out on one computer, and immediate logs onto a second computer while the system still believes the user is logged on the original computer. While this is allowed, information that is intended for the session on one computer may mistakenly end up going to the other computer instead. The result would look similar to a hijacked session.

 

Solutions

  • Ensure each computer has separate IP addresses.
  • Encourage users to logout on one machine before logging onto another machine.
  • If multiple users have the same username, change the usernames to be unique.
  • Shorten timeout timer to flush inactive sessions after a shorter time.

 

Guest users do not have access to network

A group of guest users was created, but they don’t have access.

 

Solution

The group of the guest users was not included in a policy, so they do not fall under the guest account. To give them access, associate their group with a security policy.

Additionally, there is a default group called SSO_Guest_Users. Ensure that group is part of an identity-based security policy to allow traffic.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Fortinet GPC 2017 In Vegas!

Leave a reply

Had lunch with some Fortinet big wigs last week and I completely forgot to relay this little tid bit of information that some of you may not have known. Fortinet GPC (Global Partner Conference 2017) is going to be in Las Vegas. Pretty damn stoked as I have never been before and I plan on having a blast. I missed GPC 2016 due to the birth of my daughter. I made a lot of excellent memories on the cruise ship for GPC 2015 though. I look forward to seeing some of my friends from the boat in Vegas in 6 months!!!!


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Testing FSSO

Leave a reply

Testing FSSO

Once FSSO is configured, you can easily test to ensure your configuration is working as expected. For additional FSSO testing, see Troubleshooting FSSO on page 551.

1. Logon to one of the stations on the FSSO domain, and access an Internet resource.

2. Connect to the CLI of the FortiGate unit, and if possible log the output.

3. Enter the following command:diagnose debug authd fsso list

4. Check the output. If FSSO is functioning properly you will see something similar to the following:

—-FSSO logons—-

IP: 192.168.1.230 User: ADMINISTRATOR Groups: VLAD-AD/DOMAIN USERS IP: 192.168.1.240 User: ADMINISTRATOR Groups: VLAD-AD/DOMAIN USERS Total number of users logged on: 2

—-end of FSSO logons—-

The exact information will vary based on your installation.

 

5. Check the FortiGate event log, for FSSO-auth action or other FSSO related events with FSSO information in the message field.

6. To check server connectivity, run the following commands from the CLI:

FGT# diagnose debug enable

FGT# diagnose debug authd fsso server-status

FGT# Server Name Connection Status

———– —————– SBS-2003 connected


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiOS FSSO log messages

Leave a reply

FortiOS FSSO log messages

There are two types of FortiOS log messages — firewall and event. FSSO related log messages are generated from authentication events. These include user logon and log off events, and NTLM authentication events. These log messages are central to network accounting policies, and can also be useful in troubleshooting issues. For more information on firewall logging, see Enabling security logging on page 507. For more information on logging, see the FortiOS Handbook Logging and Reporting guide.

 

Enabling authentication event logging

For the FortiGate unit to log events, that specific type of event must be enabled under logging.

When VDOMs are enabled certain options may not be available, such as CPU and memory usage events. You can enable event logs only when you are logged on to a VDOM; you cannot enable event logs globally.

To ensure you log all the events needed, set the minimum log level to Notification or Information. Firewall logging requires Notification as a minimum. The closer to Debug level, the more information will be logged.

To enable event logging:

1. Go to Log&Report > Log Config > Log Settings.

2. In Event Logging, select

System activity event              All system-related events, such as ping server failure and gateway status.

User Activity event                   All administration events, such as user logins, resets, and configuration updates.

3. Select Apply.

List of FSSO related log messages

 

Message ID                      Severity                            Description
43008                                 Notification                         Authentication was successful
43009                                 Notification                         Authentication session failed
43010                                 Warning                              Authentication locked out
43011                                 Notification                         Authentication timed out
43012                                 Notification                         FSSO authentication was successful

 

Message ID                      Severity                            Description
43013                                 Notification                         FSSO authentication failed
43014                                 Notification                         FSSO user logged on
43015                                 Notification                         FSSO user logged off
43016                                 Notification                         NTLM authentication was successful
43017                                 Notification                         NTLM authentication failed

 

For more information on logging, see the FortiOS Handbook Logging and Reporting guide.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!