Category Archives: FortiOS

Managing Guest Access

Visitors to your premises might need user accounts on your network for the duration of their stay. If you are hosting a large event such as a conference, you might need to create many such temporary accounts. The FortiOS Guest Management feature is designed for this purpose.

A guest user account User ID can be the user’s email address, a randomly generated string, or an ID that the administrator assigns. Similarly, the password can be administrator-assigned or randomly generated.

You can create many guest accounts at once using randomly-generated User IDs and passwords. This reduces administrator workload for large events.

User’s view of guest access

1. The user receives an email, SMS message, or printout from a FortiOS administrator listing a User ID and password.

2. The user logs onto the network with the provided credentials.

3. After the expiry time, the credentials are no longer valid.

Administrator’s view of guest access

1. Create one or more guest user groups.

All members of the group have the same characteristics: type of User ID, type of password, information fields used, type and time of expiry.

2. Create guest accounts using Guest Management.

3. Use captive portal authentication and select the appropriate guest group.

Configuring guest user access

To set up guest user access, you need to create at least one guest user group and add guest user accounts. Optionally, you can create a guest management administrator whose only function is the creation of guest accounts in specific guest user groups. Otherwise, any administrator can do guest management.

Creating guest management administrators

To create a guest management administrator

1. Go to System > Admin > Administrators and create a regular administrator account.

For detailed information see the System Administration chapter.

2. Select Restrict to Provision Guest Accounts.

3. In Guest Groups, add the guest groups that this administrator manages.

Creating guest user groups

The guest group configuration determines the fields that are provided when you create a guest user account.

To create a guest user group:

1. Go to User & Device > User > User Groups and select Create New.

2. Enter the following information:

Name Enter a name for the group.

Type Guest

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2 3 4 5

Viewing, editing and deleting user groups

Leave a reply

Viewing, editing and deleting user groups

To view the list of FortiGate user groups, go to User & Device > User > User Groups.

Editing a user group

When editing a user group in the CLI you must set the type of group this will be — either a firewall group, a Fortinet Single Sign-On Service group (FSSO), a Radius based Single Sign-On Service group (RSSO), or a guest group. Once the type of group is set, and members are added you cannot change the group type without removing the members.

In the web-based manager, if you change the type of the group any members will be removed automatically.

To edit a user group – web-based manager:

1. Go to User & Device > User > User Groups.

2. Select the user group that you want to edit.

3. Select the Edit button.

4. Modify the user group as needed.

5. Select OK.

To edit a user group – CLI example:

This example adds user3 to Group1. Note that you must re-specify the full list of users:

config user group edit Group1

set group-type firewall

set member user2 user4 user3 end

Deleting a user group

Before you delete a user group, you must ensure there are no objects referring to, it such as security policies. If there are, you must remove those references before you are able to delete the user group.

To remove a user group – web-based manager:

1. Go to User & Device > User > User Groups.

2. Select the user group that you want to remove.

3. Select the Delete button.

4. Select OK.

To remove a user group – CLI example:

config user group delete Group2

end

Configuring Peer user groups

Leave a reply

Configuring Peer user groups

Peer user groups can only be configured using the CLI. Peers are digital certificate holders defined using the config user peer command. The peer groups you define here are used in dialup IPsec VPN configurations that accept RSA certificate authentication from members of a peer certificate group.

To create a peer group – CLI example:

config user peergrp edit vpn_peergrp1

set member pki_user1 pki_user2 pki_user3 end

SSO user groups

Leave a reply

SSO user groups

SSO user groups are part of FSSO authentication and contain only Windows or Novell network users. No other user types are permitted as members. Information about the Windows or Novell user groups and the logon activities of their members is provided by the Fortinet Single Sign On (FSSO) which is installed on the network domain controllers.

You can specify FSSO user groups in security policies in the same way as you specify firewall user groups. FSSO user groups cannot have SSL VPN or dialup IPsec VPN access.

For information about configuring FSSO user groups, see Creating Fortinet Single Sign-On (FSSO) user groups on page 589. For complete information about installing and configuring FSSO, see Agent-based FSSO on page 553.

Troubleshooting FSSO

Leave a reply

Troubleshooting FSSO

When installing, configuring, and working with FSSO some problems are quite common. A selection of these problems follows including explanations and solutions.

Some common Windows AD problems include:

General troubleshooting tips for FSSO
Users on a particular computer (IP address) can not access the network
Guest users do not have access to network

General troubleshooting tips for FSSO

The following tips are useful in many FSSO troubleshooting situations.

Ensure all firewalls are allowing the FSSO required ports through.

FSSO has a number of required ports that must be allowed through all firewalls or connections will fail. These include: ports 139, 389 (LDAP), 445, 636 (LDAP).

Ensure there is at least 64kbps bandwidth between the FortiGate unit and domain controllers. If there is insufficient bandwidth, some FSSO information might not reach the FortiGate unit. The best solution is to configure traffic shaping between the FortiGate unit and the domain controllers to ensure that the minimum bandwidth is always available.

Users on a particular computer (IP address) can not access the network

Windows AD Domain Controller agent gets the username and workstation where the logon attempt is coming from. If there are two computers with the same IP address and the same user trying to logon, it is possible for the authentication system to become confused and believe that the user on computer_1 is actually trying to access computer_2.

Windows AD does not track when a user logs out. It is possible that a user logs out on one computer, and immediate logs onto a second computer while the system still believes the user is logged on the original computer. While this is allowed, information that is intended for the session on one computer may mistakenly end up going to the other computer instead. The result would look similar to a hijacked session.

Solutions

Ensure each computer has separate IP addresses.
Encourage users to logout on one machine before logging onto another machine.
If multiple users have the same username, change the usernames to be unique.
Shorten timeout timer to flush inactive sessions after a shorter time.

Guest users do not have access to network

A group of guest users was created, but they don’t have access.

Solution

The group of the guest users was not included in a policy, so they do not fall under the guest account. To give them access, associate their group with a security policy.

Additionally, there is a default group called SSO_Guest_Users. Ensure that group is part of an identity-based security policy to allow traffic.

Testing FSSO

Leave a reply

Testing FSSO

Once FSSO is configured, you can easily test to ensure your configuration is working as expected. For additional FSSO testing, see Troubleshooting FSSO on page 551.

1. Logon to one of the stations on the FSSO domain, and access an Internet resource.

2. Connect to the CLI of the FortiGate unit, and if possible log the output.

3. Enter the following command:diagnose debug authd fsso list

4. Check the output. If FSSO is functioning properly you will see something similar to the following:

—-FSSO logons—-

IP: 192.168.1.230 User: ADMINISTRATOR Groups: VLAD-AD/DOMAIN USERS IP: 192.168.1.240 User: ADMINISTRATOR Groups: VLAD-AD/DOMAIN USERS Total number of users logged on: 2

—-end of FSSO logons—-

The exact information will vary based on your installation.

5. Check the FortiGate event log, for FSSO-auth action or other FSSO related events with FSSO information in the message field.

6. To check server connectivity, run the following commands from the CLI:

FGT# diagnose debug enable

FGT# diagnose debug authd fsso server-status

FGT# Server Name Connection Status

———– —————– SBS-2003 connected

FortiOS FSSO log messages

Leave a reply

FortiOS FSSO log messages

There are two types of FortiOS log messages — firewall and event. FSSO related log messages are generated from authentication events. These include user logon and log off events, and NTLM authentication events. These log messages are central to network accounting policies, and can also be useful in troubleshooting issues. For more information on firewall logging, see Enabling security logging on page 507. For more information on logging, see the FortiOS Handbook Logging and Reporting guide.

Enabling authentication event logging

For the FortiGate unit to log events, that specific type of event must be enabled under logging.

When VDOMs are enabled certain options may not be available, such as CPU and memory usage events. You can enable event logs only when you are logged on to a VDOM; you cannot enable event logs globally.

To ensure you log all the events needed, set the minimum log level to Notification or Information. Firewall logging requires Notification as a minimum. The closer to Debug level, the more information will be logged.

To enable event logging:

1. Go to Log&Report > Log Config > Log Settings.

2. In Event Logging, select

System activity event All system-related events, such as ping server failure and gateway status.

User Activity event All administration events, such as user logins, resets, and configuration updates.

3. Select Apply.

List of FSSO related log messages

Message ID Severity Description

43008 Notification Authentication was successful

43009 Notification Authentication session failed

43010 Warning Authentication locked out

43011 Notification Authentication timed out

43012 Notification FSSO authentication was successful

Message ID Severity Description

43013 Notification FSSO authentication failed

43014 Notification FSSO user logged on

43015 Notification FSSO user logged off

43016 Notification NTLM authentication was successful

43017 Notification NTLM authentication failed

For more information on logging, see the FortiOS Handbook Logging and Reporting guide.

Creating security policies

Leave a reply

Creating security policies

Policies that require FSSO authentication are very similar to other security policies. Using identity-based policies, you can configure access that depends on the FSSO user group. This allows each FSSO user group to have its own level of access to its own group of services

In this situation, Example.com is a company that has its employees and authentication servers on an internal network. The FortiGate unit intercepts all traffic leaving the internal network and requires FSSO authentication to access network resources on the Internet. The following procedure configures the security policy for FSSO authentication. FSSO is installed and configured including the RADIUS server, FSSO Collector agent, and user groups on the FortiGate

For the following procedure, the internal interface is port1 and the external interface connected to the Internet is port2. There is an address group for the internal network called company_network. The FSSO user group is called fsso_group, and the FSSO RADIUS server is fsso_rad_server.

To configure an FSSO authentication security policy – web-based manager:

1. Go to Policy & Objects > Policy > IP4 and select Create New.

2. Enter the following information.

Incoming Interface port1

Source Address company_network

Source User(s) fsso_group

Outgoing Interface port2

Destination Address all

Schedule always

Service HTTP, HTTPS, FTP, and Telnet

Action ACCEPT

NAT ON

UTM Security Profiles ON for AntiVirus, IPS, Web Filter, and Email Filter, all using default pro- files.

Log Allowed Traffic ON. Select Security Events.

3. Select OK.

4. Ensure the FSSO authentication policy is higher in the policy list than more general policies for the same interfaces.

To create a security policy for FSSO authentication – CLI:

config firewall policy edit 0

set srcintf port1 set dstintf port2

set srcaddr company_network set dstaddr all

set action accept

set groups fsso_group set schedule always

set service HTTP HTTPS FTP TELNET

set nat enable end

Here is an example of how this FSSO authentication policy is used. Example.com employee on the internal company network logs on to the internal network using their RADIUS username and password. When that user attempts to access the Internet, which requires FSSO authentication, the FortiGate authentication security policy intercepts the session, checks with the FSSO Collector agent to verify the user’s identity and credentials, and then if everything is verified the user is allowed access to the Internet.

Enabling guest access through FSSO security policies

You can enable guest users to access FSSO security policies. Guests are users who are unknown to Windows AD and servers that do not logon to a Windows AD domain.

To enable guest access in your FSSO security policy, add an identity-based policy assigned to the built-in user group SSO_Guest_Users. Specify the services, schedule and UTM profiles that apply to guest users — typically guests have access to a reduced set of services. See Creating security policies on page 548.