Category Archives: FortiOS

FSSO – Fortinet Single Sign-On

Fortinet Single Sign-On (FSSO), formerly known as FortiGate Server Authentication Extension (FSAE), is the authentication protocol by which users can transparently authenticate to FortiGate, FortiAuthenticator, and FortiCache devices. The FortiAuthenticator unit identifies users based on their authentication from a different system, and users can be authenticated via numerous methods:

  • Users can authenticate through a web portal and a set of embeddable widgets.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
  • Users authenticating against Active Directory can be automatically authenticated.
  • RADIUS Accounting packets can be used to trigger an FSSO authentication.
  • Users can be identified through the FortiAuthenticator API. This is useful for integration with third-party systems.

Below are the TCP/UDP ports used by the multiple FSSO modes:

| Purpose | Protocol/Port |
| --- | --- |
| LDAP group membership lookup (Global Catalog) | TCP/3268 |
| LDAP domain controller discovery and group membership lookup | TCP/389 |
| DC Agent keepalive and push logon info to CA | UDP/8002 |
| CA keepalive and push logon info to FortiGate | TCP/8000 |
| NTLM | TCP/8000 |
| CA DNS | UDP/53 |
| Workstation check, polling mode (preferred method) | TCP/445 |
| Workstation check, polling mode (fallback method) | TCP/135, TCP/139, UDP/137 |
| Remote access to logon events | TCP/445 |
| Group lookup using LDAP | TCP/389 |
| Group lookup using LDAP with global catalog | TCP/3268 |
| Group lookup using LDAPS | TCP/636 |
| Resolve FSSO server name | UDP/53 |

Configuring the FortiAuthenticator

The FortiAuthenticator unit can be integrated with external network authentication systems, such as RADIUS, LDAP, Windows AD, and FortiClients to poll user logon information and send it to the FortiGate unit.

To configure FortiAuthenticator polling:

  1. Go to Fortinet SSO Methods > SSO > General.
  2. In the FortiGate section, leave Listening port set to 8000, unless your network requires you to change this. The FortiGate unit must allow traffic on this port to pass through the firewall. Optionally, you can set the Login expiry time (default is 480 minutes, or eight hours). This is the length of time users can remain logged in before the system logs them off automatically.
  3. Select Enable authentication and enter the Secret key. Be sure to use the same secret key when configuring the FSSO Agent on FortiGate units.
  4. In the Fortinet Single Sign-On (FSSO) section, enter the following information:

| Setting | Description |
| --- | --- |
| Enable Windows event log polling (e.g. domain controllers/Exchange servers) | Select for integration with Windows Active Directory. |
| Enable RADIUS Accounting SSO clients | Select if you want to use a Remote RADIUS server. |
| Enable Syslog SSO | Select for integration with Syslog server. |
| Enable FortiClient SSO Mobility Agent Service | Once enabled, also select Enable authentication to enable SSO by clients running FortiClient Endpoint Security. Enter the Secret key. Be sure to use the same secret key in the FortiClient Single Sign-On Mobility Agent settings. |

  5. Select OK.

For more detailed information for each available setting, see the FortiAuthenticator Administration Guide.

Configuring the FortiGate

The FortiAuthenticator unit needs to be added to the FortiGate as an SSO agent that will provide user logon information.

To add a FortiAuthenticator unit as SSO agent:

  1. Go to User & Device > Single Sign-On and select Create New.
  2. Set Type to Fortinet Single-Sign-On Agent, and enter a Name.
  3. In Primary Agent IP/Name, enter the IP address of the FortiAuthenticator unit or a name.
  4. In Password, enter the same secret key defined earlier on the FortiAuthenticator (under Fortinet SSO Methods > SSO > General).
  5. You may also specify Users/Groups from the dropdown menu.
  6. Select OK.

In a few minutes, the FortiGate unit receives a list of user groups from the FortiAuthenticator unit. When you open the server, you can see the list of groups. You can use the groups in identity-based security policies.

FSSO user groups

You cannot use FortiAuthenticator SSO user groups directly in identity-based security policies. You must create an FSSO user group, then add FortiAuthenticator SSO user groups to it. These FortiGate FSSO user groups will then become available for selection in identity-based security policies.

To create an FSSO user group:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the group.
  3. Set Type to Fortinet Single Sign-On (FSSO).
  4. Add Members. The groups available to add as members are SSO groups provided by SSO agents.
  5. Select OK.

Configuring the FortiClient SSO Mobility Agent

In order for the user to successfully set up the SSO Mobility Agent in FortiClient, they must know the FortiAuthenticator IP address and pre-shared key/secret.

To configure FortiClient SSO Mobility Agent:

  1. In FortiClient, go to File > Settings.
  2. Under Advanced, select Enable Single Sign-On mobility agent.
  3. In Server address, enter the IP address of the FortiAuthenticator.
  4. In Customize port, enter the listening port number specified on the FortiAuthenticator unit. You can omit the port number if it is 8005.
  5. Enter the Pre-shared key.
  6. Select OK.

For more detailed FSSO configurations, including with Windows AD, Citrix, Novell eDirectory, and more, see the Authentication guide.

CLI Syntax

The following section contains commands to control FSSO.

user/fsso

The following command will set the server address, port, and password for multiple FSSO agents.

    config user fsso
        edit <name_str>
            set name <string>
            set [server | server2 | server3 | server4 | server5] <string>
            set [port | port2 | port3 | port4 | port5] <integer>
            set [password | password2 | password3 | password4 | password5] <password>
    end

user/fsso-polling

The following command will set the Active Directory server port.

    config user fsso-polling
        edit <name_str>
            set port <integer>
    end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiOS WAN optimization

Multi-location organizations or businesses using the cloud can provide license-free WAN optimization using FortiOS.

WAN Optimization is a comprehensive solution that maximizes your WAN performance and provides intelligent bandwidth management and unmatched consolidated security performance. WAN optimization reduces your network overhead and removes unnecessary traffic for a better overall performance experience. Efficient use of bandwidth and better application performance will remove the need for costly WAN link upgrades between data centers and other expensive solutions for your network traffic growth.

WAN optimization is available on FortiGate models with internal storage that also support SSL acceleration. Internal storage includes high-capacity internal hard disks, AMC hard disk modules, FortiGate Storage Modules (FSMs) or over 4 GB of internal flash storage.

WAN optimization tunnels use port 7810.

The following features are available through WAN optimization:

Protocol optimization

Protocol optimization is effective for applications designed for the LAN that do not function well on low bandwidth, high latency networks. FortiOS protocol optimization improves the efficiency of CIFS, FTP, HTTP, MAPI, and general TCP sessions.

CIFS, for example, requires many background transactions to successfully transfer a single file. When transferring the file, CIFS sends small chunks of data and waits sequentially for each chunk’s arrival and acknowledgment before sending the next chunk. This large number of requests and acknowledgements can delay transfers. WAN Optimization removes this complexity and improves the efficiency of transferring the file.

TCP protocol optimization uses techniques such as SACK support, window scaling and window size adjustment, and connection pooling to remove common WAN TCP bottlenecks.

Byte caching

Byte caching improves caching by accelerating the transfer of similar, but not identical content. Byte caching reduces the amount of data crossing the WAN when multiple different emails with the same or similar attachments or different versions of an attachment are downloaded from a corporate email server to different locations over the WAN.

Byte caching breaks large units of application data, such as email attachments or file downloads, into smaller chunks of data. Each chunk of data is labeled with a hash, and chunks with their respective hashes are stored in a database on the local FortiGate unit. When a remote user requests a file, WAN optimization sends the hashes, rather than the actual data. The FortiGate unit at the other end of the WAN tunnel reassembles the data from its own hash database, only downloading the chunks it is missing. Deduplication, or the process of eliminating duplicate data, will reduce space consumption.

Byte caching is not application specific, and assists by accelerating all protocols supported by WAN optimization.
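
The hash-and-chunk exchange described above, as an added Python sketch (not Fortinet code and not part of the original page). Fixed 8-byte chunks, SHA-256 labels and the names CachePeer and transfer are assumptions made for the illustration; the receiving side checks every supplied chunk against its hash before caching it, so a corrupted or substituted chunk cannot enter the local database.

```python
import hashlib

CHUNK_SIZE = 8  # assumption: tiny fixed-size chunks keep the demo readable

# Constructed sample data: two versions of an "attachment" that differ
# only in their last chunk.
V1 = b"AAAAAAAABBBBBBBBCCCCCCCC"
V2 = b"AAAAAAAABBBBBBBBDDDDDDDD"


def split_chunks(data, size=CHUNK_SIZE):
    """Break application data into fixed-size chunks."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def label(block):
    """Label a chunk with a collision-resistant hash."""
    return hashlib.sha256(block).hexdigest()


class CachePeer:
    """One end of the WAN tunnel with its own hash -> chunk database."""

    def __init__(self):
        self.store = {}

    def index(self, data):
        """Chunk the data, store each chunk once, return the ordered hashes."""
        hashes = []
        for block in split_chunks(data):
            h = label(block)
            self.store.setdefault(h, block)  # deduplication: one copy per hash
            hashes.append(h)
        return hashes

    def missing(self, hashes):
        """Hashes this peer cannot resolve from its own database."""
        return sorted({h for h in hashes if h not in self.store})

    def reassemble(self, hashes, supplied):
        """Rebuild the data, verifying each supplied chunk before caching it."""
        for h, block in supplied.items():
            if label(block) != h:
                raise ValueError("chunk does not match its hash")
            self.store[h] = block
        return b"".join(self.store[h] for h in hashes)


def transfer(sender, receiver, data):
    """Send hashes first, then only the chunks the receiver lacks.

    Returns (rebuilt data, chunk payload bytes that crossed the WAN).
    """
    hashes = sender.index(data)
    wanted = receiver.missing(hashes)
    supplied = {h: sender.store[h] for h in wanted}
    rebuilt = receiver.reassemble(hashes, supplied)
    return rebuilt, sum(len(block) for block in supplied.values())


def demo():
    """First transfer moves every chunk; the second moves only the changed one."""
    head_office, branch = CachePeer(), CachePeer()
    first = transfer(head_office, branch, V1)[1]
    second = transfer(head_office, branch, V2)[1]
    return first, second


if __name__ == "__main__":
    print(demo())
```

With chunks this small the hash list is larger than the data it replaces; the saving appears only at realistic chunk sizes.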

Web caching

WAN optimization reduces download times of content from central file repositories through web caching. FortiOS Web caching stores remote files and web pages on local FortiGate devices for easy local access to commonly accessed files. There is little impact on the WAN, resulting in reduced latency for those requesting the files.

In addition, web caching also recognizes requests for Windows or MS Office updates, and downloads the new update file in the background. Once downloaded to the cache, the new update file is available to all users, and all subsequent requests for this update are rapidly downloaded from the cache.

Traffic shaping

Controls data flow for specific applications, giving administrators the flexibility to choose which applications take precedence over the WAN. A common use case of traffic shaping would be to prevent one protocol or application from flooding a link over other protocols deemed more important by the administrator.

SSL acceleration

SSL is used by many organizations to keep WAN communications private. WAN Optimization boosts SSL acceleration properties of FortiGate FortiASIC hardware by accelerating SSL traffic across the WAN. The FortiGate unit handles SSL encryption/decryption for corporate servers providing SSL encrypted connections over the WAN.

Explicit web proxy server

Allows users on the internal network to browse the Internet through the explicit web proxy server.

Explicit FTP proxy server

Allows users on the internal network to access FTP servers through the explicit FTP proxy server.

Reverse proxy

The web and FTP proxies can be configured to protect access to web or FTP servers that are behind the FortiGate using a reverse proxy configuration. Reverse proxies retrieve resources on behalf of a client from one or more servers. These resources are then returned to the client as if they originated from the proxy server.

WCCP

The Web Cache Communication Protocol (WCCP) allows you to offload web caching to redundant web caching servers. This traffic redirection helps to improve response time and optimize network resource usage.

WAN optimization and HA

You can configure WAN optimization on a FortiGate HA cluster. The recommended HA configuration for WAN optimization is active-passive mode. Also, when the cluster is operating, all WAN optimization sessions are processed by the primary unit only. Even if the cluster is operating in active-active mode, HA does not load-balance WAN optimization sessions. HA also does not support WAN optimization session failover.

Configuring an explicit proxy with WAN optimization web caching

For this configuration, all devices on the wireless network will be required to connect to the proxy at port 8080 before they can browse the Internet. WAN Optimization web caching is added to reduce the amount of Internet bandwidth used and improve web browsing performance.

Enabling WAN Optimization and configuring the explicit web proxy for the wireless interface

  1. Go to System > Config > Features. Ensure that Explicit Proxy and WAN Opt & Cache are enabled.
  2. Go to System > Network > Interfaces, edit the wireless interface and select Enable Explicit Web Proxy.
  3. Go to System > Network > Explicit Proxy. Select Enable Explicit Web Proxy for HTTP/HTTPS. Make sure that Default Firewall Policy Action is set to Deny.

Adding an explicit web proxy policy

  1. Go to Policy & Objects > Policy > Explicit Proxy and create a new policy.
  2. Set Explicit Proxy Type to Web and the Outgoing Interface to the Internet-facing interface.
  3. Enable Web Cache.

Configuring devices on the wireless network to use the web proxy

To use the web proxy, all devices on the wireless network must be configured to use the explicit proxy server. The IP address of the server is the IP address of the FortiGate’s wireless interface (for example, 10.10.80.1) and the port is 8080. Some browsers may have to be configured to use the device’s proxy settings.

For Windows Vista/7/8, open Internet Properties. Go to Connections > LAN Settings and enable and configure the Proxy Server.

For Mac OS X, open Network Preferences > Wi-Fi > Advanced > Proxies. Select Web Proxy (HTTP) and configure the proxy settings.

For iOS, go to Settings > Wi-Fi. Edit the wireless network. Scroll down to HTTP PROXY, select Manual, and configure the proxy settings.

For Android, in WiFi network connection settings, edit the wireless network. Select Show advanced options, configure a Manual proxy, and enter the proxy settings.

Force HTTP and HTTPS traffic to use the Web Proxy

Block HTTP and HTTPS access to the Internet from the wireless network so that the only path to the Internet is through the explicit proxy. You can edit or delete policies that allow HTTP or HTTPS access. You can also add a policy to the top of the list that Denies HTTP and HTTPS traffic.


CSF – Cooperative Security Fabric

Cooperative Security Fabric (CSF) – also known as a Fortinet Security Fabric – spans across an entire network linking different security sensors and tools together to collect, coordinate, and respond to malicious behavior in real time. CSF can be used to coordinate the behavior of different Fortinet products in your network, including FortiGate, FortiAnalyzer, FortiClient, FortiSandbox, FortiAP, FortiSwitch, and FortiClient Enterprise Management Server (EMS). CSF supports FortiOS 5.4.1+, FortiSwitchOS 3.3+, and FortiClient 5.4.1+.

Port TCP/8009 is the port FortiGate uses for incoming traffic from the FortiClient Portal, as user information (such as IP address, MAC address, avatar, and other profile information) is automatically synchronized to the FortiGate and EMS.

The brief example below assumes that FortiTelemetry has been enabled on the top-level FortiGate (FGT1), OSPF routing has been configured, and that policies have been created for all FortiGate units to access the Internet.

For more details on how to configure a security fabric between FortiGate units, see Installing internal FortiGates and enabling a security fabric on the Fortinet Cookbook website.

Enabling CSF on the FortiGate:

  1. On the upstream FortiGate (FGT1), go to System > Cooperative Security Fabric and enable Cooperative Security Fabric (CSF).
  2. Enter a Group name and Group password for the fabric.
  3. On a downstream FortiGate (such as FGT2 or FGT3), configure the same fabric settings as were set on FGT1.
  4. Enable Connect to upstream FortiGate. Be sure you do not enable this on the topmost-level FortiGate (in this example, FGT1).
  5. In FortiGate IP, enter the FGT1 interface that has FortiTelemetry enabled. The FortiTelemetry port (set to 8013) can be changed as required.

Once set up, you can view your network’s CSF configuration under FortiView through two topology dashboards.

  1. On the top-level FortiGate, go to FortiView > Physical Topology. This dashboard shows a visualization of all access layer devices in the fabric.
  2. Go to FortiView > Logical Topology to view information about the interfaces (logical or physical) that each device in the fabric is connected to.

Other CSF configurations for your network are available through the Fortinet Cookbook Cooperative Security Fabric page.


3rd-Party Servers Open Ports

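Incoming Ports

| Product | Purpose | Protocol/Port |
| --- | --- | --- |
| FortiAnalyzer | LDAP & PKI Authentication | TCP/389, UDP/389 |
| FortiAnalyzer | Log & Report | TCP/21, TCP/22 |
| FortiAnalyzer | Configuration Backups | TCP/22 |
| FortiAnalyzer | Alert Emails | TCP/25 |
| FortiAnalyzer | DNS | UDP/53 |
| FortiAnalyzer | NTP | UDP/123 |
| FortiAnalyzer | SNMP Traps | UDP/162 |
| FortiAnalyzer | Report Query | TCP/389 |
| FortiAnalyzer | Syslog & OFTP | TCP or UDP/514 |
| FortiAnalyzer | RADIUS | UDP/1812 |
| FortiAuthenticator | SMTP, Alerts, Virus Sample | TCP/25 |
| FortiAuthenticator | DNS | UDP/52 |
| FortiAuthenticator | Windows AD | TCP/88 |
| FortiAuthenticator | NTP | UDP/123 |
| FortiAuthenticator | LDAP | TCP or UDP/389 |
| FortiAuthenticator | Domain Control | TCP/445 |
| FortiAuthenticator | LDAPS | TCP/636 |
| FortiAuthenticator | FSSO & Tiers | TCP/8002, TCP/8003 |
| FortiManager | DNS | UDP/53 |
| FortiManager | NTP | UDP/123 |
| FortiManager | SNMP Traps | UDP/162 |
| FortiManager | Proxied HTTPS Traffic | TCP/443 |
| FortiManager | RADIUS | UDP/1812 |

Outgoing Ports

| Product | Purpose | Protocol/Port |
| --- | --- | --- |
| FortiAuthenticator | FSSO & Tiers | TCP/8002, TCP/8003 |
| FortiGate | FSSO | TCP/8000 |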

Examples and Troubleshooting

This chapter provides an example of a FortiGate unit providing authenticated access to the Internet for both Windows network users and local users. The following topics are included in this section:

  • Firewall authentication example
  • LDAP Dial-in using member-attribute example
  • RADIUS SSO example
  • Troubleshooting

Firewall authentication example

Example configuration

Overview

In this example, there is a Windows network connected to Port 2 on the FortiGate unit and another LAN, Network_1, connected to Port 3.

All Windows network users authenticate when they log on to their network. Members of the Engineering and Sales groups can access the Internet without entering their authentication credentials again. The example assumes that Fortinet Single Sign-On (FSSO) has already been installed and configured on the domain controller.

LAN users who belong to the Internet_users group can access the Internet after entering their username and password to authenticate. This example shows only two users: User1 is authenticated by a password stored on the FortiGate unit, and User2 is authenticated on an external authentication server. Both of these users are referred to as local users because the user account is created on the FortiGate unit.

Creating a locally-authenticated user account

User1 is authenticated by a password stored on the FortiGate unit. It is very simple to create this type of account.

To create a local user – web-based manager:

  1. Go to User & Device > User Definition and select Create New.
  2. Follow the User Creation Wizard, entering the following information and then select Create:

| Field | Value |
| --- | --- |
| User Type | Local User |
| User Name | User1 |
| Password | hardtoguess |
| Email Address, SMS | (optional) |
| Enable | Select. |

To create a local user – CLI:

    config user local
        edit User1
            set type password
            set passwd hardtoguess
    end

Creating a RADIUS-authenticated user account

To authenticate users using an external authentication server, you must first configure the FortiGate unit to access the server.

To configure the remote authentication server – web-based manager:

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter the following information and select OK:

| Field | Value |
| --- | --- |
| Name | OurRADIUSsrv |
| Primary Server Name/IP | 10.11.101.15 |
| Primary Server Secret | OurSecret |
| Authentication Scheme | Select Use Default Authentication Scheme. |

To configure the remote authentication server – CLI:

    config user radius
        edit OurRADIUSsrv
            set server 10.11.102.15
            set secret OurSecret
            set auth-type auto
    end

Creation of the user account is similar to the locally-authenticated account, except that you specify the RADIUS authentication server instead of the user’s password.

To configure a remote user – web-based manager:

  1. Go to User & Device > User Definition and select Create New.
  2. Follow the User Creation Wizard, entering the following information and then select Create:

| Field | Value |
| --- | --- |
| User Type | Remote RADIUS User |
| User Name | User2 |
| RADIUS server | OurRADIUSsrv |
| Email Address, SMS | (optional) |
| Enable | Select |

To configure a remote user – CLI:

    config user local
        edit User2
            set name User2
            set type radius
            set radius-server OurRADIUSsrv
    end

Creating user groups

There are two user groups: an FSSO user group for FSSO users and a firewall user group for other users. It is not possible to combine these two types of users in the same user group.

Creating the FSSO user group

For this example, assume that FSSO has already been set up on the Windows network and that it uses Advanced mode, meaning that it uses LDAP to access user group information. You need to:

  • configure LDAP access to the Windows AD global catalog
  • specify the collector agent that sends user logon information to the FortiGate unit
  • select Windows user groups to monitor
  • select and add the Engineering and Sales groups to an FSSO user group

To configure LDAP for FSSO – web-based manager:

  1. Go to User & Device > LDAP Servers and select Create New.
  2. Enter the following information:

| Field | Value |
| --- | --- |
| Name | ADserver |
| Server Name / IP | 10.11.101.160 |
| Distinguished Name | dc=office,dc=example,dc=com |
| Bind Type | Regular |
| User DN | cn=FSSO_Admin,cn=users,dc=office,dc=example,dc=com |
| Password | set_a_secure_password |

  3. Leave other fields at their default values.
  4. Select OK.

To configure LDAP for FSSO – CLI:

    config user ldap
        edit "ADserver"
            set server "10.11.101.160"
            set dn "cn=users,dc=office,dc=example,dc=com"
            set type regular
            set username "cn=administrator,cn=users,dc=office,dc=example,dc=com"
            set password set_a_secure_password
        next
    end

To specify the collector agent for FSSO – web-based manager:

  1. Go to User & Device > Single Sign-On and select Create New.
  2. Enter the following information:

| Field | Value |
| --- | --- |
| Type | Fortinet Single Sign-On Agent |
| Name | WinGroups |
| Primary Agent IP/Name | 10.11.101.160 |
| Password | fortinet_canada |
| LDAP Server | ADserver |

  3. Select Apply & Refresh.

In a few minutes, the FortiGate unit downloads the list of user groups from the server.

To specify the collector agent for FSSO – CLI:

    config user fsso
        edit "WinGroups"
            set ldap-server "ADserver"
            set password ENC G7GQV7NEqilCM9jKmVmJJFVvhQ2+wtNEe9T0iYA5Sa+EqT2J8zhOrbkJFDr0RmY3c4LaoXdsoBczA1dONmcGfthTxxwGsigzGpbJdC71spFlQYtj
            set server "10.11.101.160"
    end

To create the FSSO_Internet_users user group – web-based manager:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:

| Field | Value |
| --- | --- |
| Name | FSSO_Internet_users |
| Type | Fortinet Single Sign-On (FSSO) |
| Members | Engineering, Sales |

To create the FSSO_Internet_users user group – CLI:

    config user group
        edit FSSO_Internet_users
            set group-type fsso-service
            set member CN=Engineering,cn=users,dc=office,dc=example,dc=com CN=Sales,cn=users,dc=office,dc=example,dc=com
    end

Creating the Firewall user group

The non-FSSO users need a user group too. In this example, only two users are shown, but additional members can be added easily.

To create the firewall user group – web-based manager:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:

| Field | Value |
| --- | --- |
| Name | Internet_users |
| Type | Firewall |
| Members | User1, User2 |

To create the firewall user group – CLI:

    config user group
        edit Internet_users
            set group-type firewall
            set member User1 User2
    end

Defining policy addresses

  1. Go to Policy & Objects > Addresses.
  2. Create the following addresses:

| Address Name | Type | Subnet / IP Range | Interface |
| --- | --- | --- | --- |
| Internal_net | Subnet | 10.11.102.0/24 | Port 3 |
| Windows_net | Subnet | 10.11.101.0/24 | Port 2 |

Creating security policies

Two security policies are needed: one for the firewall group users, who connect through port3, and one for the FSSO group users, who connect through port2.

To create a security policy for FSSO authentication – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information:

| Field | Value |
| --- | --- |
| Incoming Interface | Port2 |
| Source Address | Windows_net |
| Source User(s) | FSSO_Internet_users |
| Outgoing Interface | Port1 |
| Destination Address | all |
| Schedule | always |
| Service | ALL |
| NAT | ON |
| Security Profiles | Optionally, enable security profiles. |

  3. Select OK.

To create a security policy for FSSO authentication – CLI:

    config firewall policy
        edit 0
            set srcintf port2
            set dstintf port1
            set srcaddr Windows_net
            set dstaddr all
            set action accept
            set groups FSSO_Internet_users
            set schedule always
            set service ALL
            set nat enable
    end

To create a security policy for local user authentication – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information:

| Field | Value |
| --- | --- |
| Incoming Interface | Port3 |
| Source Address | Internal_net |
| Source User(s) | Internet_users |
| Outgoing Interface | Port1 |
| Destination Address | all |
| Schedule | always |
| Service | ALL |
| NAT | ON |
| Security Profiles | Optionally, enable security profiles. |

  3. Select OK.

To create a security policy for local user authentication – CLI:

    config firewall policy
        edit 0
            set srcintf port3
            set dstintf port1
            set srcaddr Internal_net
            set dstaddr all
            set action accept
            set schedule always
            set groups Internet_users
            set service ALL
            set nat enable
    end
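
An added example (not from the original page or from Fortinet): a small Python checker that parses the config / edit / set / next / end syntax used in this example and cross-references accept policies against the defined user groups and addresses. The sample configuration is constructed from this example's names with two deliberate mistakes; exact, case-sensitive name matching and the function names are assumptions of the checker.

```python
import shlex

# Constructed sample, modelled on the example above. Policy 2 deliberately
# references "internal_net" (lower-case i) and policy 3 has no user group.
SAMPLE_CONFIG = """
config user group
    edit FSSO_Internet_users
        set group-type fsso-service
    next
    edit Internet_users
        set group-type firewall
        set member User1 User2
    next
end
config firewall address
    edit Internal_net
    next
    edit Windows_net
    next
end
config firewall policy
    edit 1
        set srcintf port2
        set srcaddr Windows_net
        set dstaddr all
        set action accept
        set groups FSSO_Internet_users
    next
    edit 2
        set srcintf port3
        set srcaddr internal_net
        set dstaddr all
        set action accept
        set groups Internet_users
    next
    edit 3
        set srcintf port3
        set srcaddr Internal_net
        set dstaddr all
        set action accept
    next
end
"""


def parse_config(text):
    """Return {table: {entry: {option: [values]}}}; nested sub-tables are skipped."""
    tables, table, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        words = shlex.split(raw)  # handles quoted names such as "ADserver"
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "config":
            if table is None:
                table = " ".join(args)
                tables.setdefault(table, {})
            else:
                nested += 1
        elif keyword == "end":
            if nested:
                nested -= 1
            else:
                table = entry = None
        elif nested:
            continue
        elif keyword == "edit" and table is not None and args:
            entry = tables[table].setdefault(args[0], {})
        elif keyword == "set" and entry is not None and args:
            entry[args[0]] = args[1:]
        elif keyword == "next":
            entry = None
    return tables


def audit_policies(tables):
    """List (policy id, problem) pairs for accept policies that will not authenticate as intended."""
    groups = tables.get("user group", {})
    addresses = set(tables.get("firewall address", {})) | {"all"}  # "all" is predefined
    findings = []
    for policy_id, policy in tables.get("firewall policy", {}).items():
        if policy.get("action") != ["accept"]:
            continue
        if not policy.get("groups"):
            findings.append((policy_id, "accept policy has no user group"))
        for group in policy.get("groups", []):
            if group not in groups:
                findings.append((policy_id, "group %r is not defined" % group))
        for option in ("srcaddr", "dstaddr"):
            for name in policy.get(option, []):
                if name not in addresses:
                    findings.append((policy_id, "%s %r is not a defined address" % (option, name)))
    return findings


if __name__ == "__main__":
    for finding in audit_policies(parse_config(SAMPLE_CONFIG)):
        print(finding)
```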


Monitoring authenticated users

This section describes how to view lists of currently logged-in firewall and VPN users. It also describes how to disconnect users.

The following topics are included in this section:

  • Monitoring firewall users
  • Monitoring SSL VPN users
  • Monitoring IPsec VPN users
  • Monitoring users Quarantine

Monitoring firewall users

To monitor firewall users, go to Monitor > Firewall User Monitor.

You can de-authenticate a user by selecting the Delete icon for that entry.

You can filter the list of displayed users by selecting the funnel icon for one of the column titles or selecting Filter Settings.

Optionally, you can de-authenticate multiple users by selecting them and then selecting De-authenticate.


SSO using RADIUS accounting records

A FortiGate unit can transparently authenticate users who have already authenticated on an external RADIUS server. Based on the user group to which the user belongs, the security policy applies the appropriate UTM profiles. RADIUS SSO is relatively simple because the FortiGate unit does not interact with the RADIUS server; it only monitors RADIUS accounting records that the server forwards (originating from the RADIUS client). These records include the user’s IP address and user group.

After the initial set-up, changes to the user database, including changes to user group memberships, are made on the external RADIUS server, not on the FortiGate unit.

This section describes:

  • User’s view of RADIUS SSO authentication
  • Configuration Overview
  • Configuring the RADIUS server
  • Creating the FortiGate RADIUS SSO agent
  • Defining local user groups for RADIUS SSO
  • Creating security policies
  • Example: webfiltering for student and teacher accounts

User’s view of RADIUS SSO authentication

For the user, RADIUS SSO authentication is simple:

  • The user connects to the RADIUS server and authenticates.
  • The user attempts to connect to a network resource that is reached through a FortiGate unit. Authentication is required for access, but the user connects to the destination without being asked for logon credentials because the FortiGate unit knows that the user is already authenticated. FortiOS applies UTM features appropriate to the user groups that the user belongs to.

Configuration Overview

The general steps to implement RADIUS Single Sign-On are:

  1. If necessary, configure your RADIUS server. The user database needs to include user group information and the server needs to send accounting messages.
  2. Create the FortiGate RADIUS SSO agent.
  3. Define local user groups that map to RADIUS groups.
  4. Create a security policy which specifies the user groups that are permitted access.

 

Configuring the RADIUS server

You can configure FortiGate RSSO to work with most RADIUS-based accounting systems. In most cases, you only need to do the following to your RADIUS accounting system:

  • Add a user group name field to customer accounts on the RADIUS server so that the name is added to the RADIUS Start record sent by the accounting system to the FortiOS unit. User group names do not need to be added for all users, only to the accounts of users who will use the RSSO feature on the FortiGate unit.
  • Configure your accounting system to send RADIUS Start records to the FortiOS unit. You can send the RADIUS Start records to any FortiGate network interface. If your FortiGate unit is operating with virtual domains (VDOMs) enabled, the RADIUS Start records must be sent to a network interface in the management VDOM.
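
What a RADIUS Start record carries, and how a receiver can check that it really came from a holder of the shared secret, shown as an added Python example (not FortiOS code and not part of the original page). The page does not name the attributes used; Framed-IP-Address for the user's IP and Class for the group name are assumptions here, and the secret and user values are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
ACCT_START = 1


def attribute(attr_type, value):
    """Encode one type-length-value attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def request_authenticator(header, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_start_record(ident, secret, user, ip, group):
    """Build the Start record an accounting system would send (test input)."""
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(FRAMED_IP, ipaddress.IPv4Address(ip).packed)
             + attribute(CLASS, group.encode())  # assumed group attribute
             + attribute(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs


def parse_start_record(packet, secret):
    """Verify and decode a Start record; raise ValueError if it cannot be trusted."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    header, received, attrs = packet[:4], packet[4:20], packet[20:length]
    expected = request_authenticator(header, attrs, secret)
    if not hmac.compare_digest(expected, received):
        raise ValueError("bad Request Authenticator")

    fields, pos = {}, 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        fields.setdefault(attr_type, attrs[pos + 2:pos + attr_len])
        pos += attr_len

    if fields.get(ACCT_STATUS_TYPE) != struct.pack("!I", ACCT_START):
        raise ValueError("not a Start record")
    for needed in (USER_NAME, FRAMED_IP, CLASS):
        if needed not in fields:
            raise ValueError("missing attribute %d" % needed)
    if len(fields[FRAMED_IP]) != 4:
        raise ValueError("bad Framed-IP-Address")
    return {
        "user": fields[USER_NAME].decode("utf-8", "replace"),
        "ip": str(ipaddress.IPv4Address(fields[FRAMED_IP])),
        "group": fields[CLASS].decode("utf-8", "replace"),
    }


# Constructed sample values, not taken from the page.
SECRET = b"constructed-shared-secret"
SAMPLE = build_start_record(7, SECRET, "student1", "10.11.102.57", "students")

if __name__ == "__main__":
    print(parse_start_record(SAMPLE, SECRET))
```

Because the record alone decides which user group an IP address is mapped to, a record whose authenticator does not verify is rejected before any attribute is read.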

IPv6 RADIUS Support

RADIUS authentication is supported with IPv6, allowing administrators to configure an IPv6 RADIUS server on the FortiGate for IPv6 RADIUS authentication traffic to pass between the server and FortiGate.

Syntax

Allow IPv6 access on an interface:

    config system interface
        edit <name>
            config ipv6
                set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}
                set ip6-address <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>
            end
        next
    end

Configure the IPv6 RADIUS server:

    config user radius
        edit <name>
            set server <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>
            …
        next
    end


Agent-based FSSO

FortiOS can provide single sign-on capabilities to Windows AD, Citrix, Novell eDirectory, or, as of FortiOS 5.4, Microsoft Exchange users with the help of agent software installed on these networks. The agent software sends information about user logons to the FortiGate unit. With user information such as IP address and user group memberships from the network, FortiGate security policies can allow authenticated network access to users who belong to the appropriate user groups without requesting their credentials again.

For Windows AD networks, FortiGate units can provide SSO capability without agent software by directly polling the Windows AD domain controllers. For information about this type of SSO, see Single Sign-On to Windows AD on page 133.

The following topics are included:

  • Introduction to agent-based FSSO
  • FSSO NTLM authentication support
  • Agent installation
  • Configuring the FSSO Collector agent for Windows AD
  • Configuring the FSSO TS agent for Citrix
  • Configuring FSSO with Novell networks
  • Configuring FSSO Advanced Settings
  • Configuring FSSO on FortiGate units
  • FortiOS FSSO log messages
  • Testing FSSO
  • Troubleshooting FSSO

Introduction to agent-based FSSO

Fortinet Single Sign-On (FSSO), through agents installed on the network, monitors user logons and passes that information to the FortiGate unit. When a user logs on at a workstation in a monitored domain, FSSO:

  • detects the logon event and records the workstation name, domain, and user,
  • resolves the workstation name to an IP address,
  • determines which user groups the user belongs to,
  • sends the user logon information, including IP address and groups list, to the FortiGate unit,
  • creates one or more log entries on the FortiGate unit for this logon event as appropriate.

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups associated with that policy, the connection is allowed. Otherwise the connection is denied.

FSSO can also provide NTLM authentication service for requests coming from FortiGate. SSO is very convenient for users, but may not be supported across all platforms. NTLM is not as convenient, but it enjoys wider support. See FSSO NTLM authentication support on page 148.

Introduction to FSSO agents

There are several different FSSO agents that can be used in an FSSO implementation:

  • Domain Controller (DC) agent
  • eDirectory agent
  • Citrix/Terminal Server (TS) agent
  • Collector (CA) agent

Consult the latest FortiOS and FSSO Release Notes for operating system compatibility information.

Domain Controller (DC) agent

The Domain Controller (DC) agent must be installed on every domain controller if you will use DC Agent mode, but is not required if you use Polling mode. See FSSO for Windows AD on page 144.

eDirectory agent

The eDirectory agent is installed on a Novell network to monitor user logons and send the required information to the FortiGate unit. It functions much like the Collector agent on a Windows AD domain controller. The agent can obtain information from the Novell eDirectory using either the Novell API or LDAP.

Citrix/Terminal Server (TS) agent

The Citrix/Terminal Server (TS) agent is installed on a Citrix terminal server to monitor user logons in real time. It functions much like the DC Agent on a Windows AD domain controller.

Collector (CA) agent

This agent is installed as a service on a server in the Windows AD network to monitor user logons and send the required information to the FortiGate unit. The Collector agent can collect information from:

  • Domain Controller agent (Windows AD)
  • TS agent (Citrix Terminal Server)

In a Windows AD network, the Collector agent can optionally obtain logon information by polling the AD domain controllers. In this case, DC agents are not needed.

The Collector can obtain user group information from the DC agent or optionally, a FortiGate unit can obtain group information directly from AD using Lightweight Directory Access Protocol (LDAP).

On a Windows AD network, the FSSO software can also serve NT LAN Manager (NTLM) requests coming from client browsers (forwarded by the FortiGate unit) with only one or more Collector agents installed. See FSSO NTLM authentication support on page 148.

The CA is responsible for DNS lookups, group verification, workstation checks, and, as mentioned, updating the FortiGate with logon records. The FSSO Collector Agent sends Domain Local Security Group and Global Security Group information to FortiGate units. The CA communicates with the FortiGate over TCP port 8000, and it listens on UDP port 8002 for updates from the DC agents.

The FortiGate unit can have up to five CAs configured for redundancy. If the first on the list is unreachable, the next is attempted, and so on down the list until one is contacted. See Configuring FSSO on FortiGate units on page 175.

All DC agents must point to the correct Collector agent port number and IP address on domains with multiple DCs.

A FortiAuthenticator unit can act much like a Collector agent, collecting Windows AD user logon information and sending it to the FortiGate unit. It is particularly useful in large installations with several FortiGate units. For more information, see the FortiAuthenticator Administration Guide.

FSSO for Microsoft Exchange Server

As of FortiOS 5.4, FSSO supports monitoring Microsoft Exchange Server. This is useful for situations when the user accesses the domain account to view their email, even when the client device might not be in the domain.

Support for the Exchange server is configured on the Back-end FSSO collector agent. For more information on the collector agent, see Collector agent installation:

  1. On the FSSO collector agent, go to Advanced Settings > Exchange Server.
  2. Select Add and enter the following information and select OK:
     • Domain Name: Enter your domain name.
     • Server IP/Hostname: Enter the IP address or the hostname of your Exchange server.
     • Polling forwarded event log: Use this option when you do not want the CA to poll the Exchange Server logs directly. In this case you need to configure event log forwarding on the Exchange server. Exchange event logs can be forwarded to any member server. If you enable this, instead of the IP of the Exchange server configured in the previous step, you must then configure the IP of this member server. The CA will then contact the member server.
     • Ignore Name: The CA also checks Windows log files for logon events. When a user authenticates to Exchange Server, a logon event is also written to the Windows event log; the CA reads it, and it overwrites the Exchange Server logon event (ESEventLog) on the CA. It is therefore recommended to set the ignore list to the domain the user belongs to.

To do so, enter the domain name in the Ignore Name field and select Add.

FSSO for Windows AD

FSSO for Windows AD requires at least one Collector agent. Domain Controller agents may also be required depending on the Collector agent working mode. There are two working modes to monitor user logon activity: DC Agent mode or Polling mode.

Collector agent DC Agent mode versus Polling mode

| | DC Agent mode | Polling mode |
|---|---|---|
| Installation | Complex — Multiple installations: one agent per DC plus Collector agent, requires a reboot | Easy — Only Collector agent installation, no reboot required |
| Resources | Shares resources with DC system | Has own resources |
| Network load | Each DC agent requires minimum 64 kbps bandwidth, adding to network load | Increase polling period during busy period to reduce network load |
| Level of confidence | Captures all logons | Potential to miss a login if polling period is too great |

DC Agent mode

DC Agent mode is the standard mode for FSSO. In DC Agent mode, a Fortinet authentication agent is installed on each domain controller. These DC agents monitor user logon events and pass the information to the Collector agent, which stores the information and sends it to the FortiGate unit.

The DC agent installed on the domain controllers is not a service like the Collector agent — it is a DLL file called dcagent.dll and is installed in the Windows\system32 directory. It must be installed on all domain controllers of the domains that are being monitored.

FSSO in DC agent mode

DC Agent mode provides reliable user logon information; however, you must install a DC agent on every domain controller. A reboot is needed after the agent is installed. Each installation requires some maintenance as well. For these reasons it may not be possible to use the DC Agent mode.

Each domain controller connection needs a minimum guaranteed 64 kbps bandwidth to ensure proper FSSO functionality. You can optionally configure traffic shapers on the FortiGate unit to ensure this minimum bandwidth is guaranteed for the domain controller connections.


Polling mode

In Polling mode there are three options — NetAPI polling, Event log polling, and Event log using WMI. All share the advantages of being transparent and agentless.

NetAPI polling is used to retrieve server logon sessions. This includes the logon event information for the Controller agent. NetAPI runs faster than Event log polling but it may miss some user logon events under heavy system load. It requires a query round trip time of less than 10 seconds.

Event log polling may run a bit slower, but will not miss events, even when the installation site has many users that require authentication. It does not have the 10 second limit on NetAPI polling. Event log polling requires fast network links. Event log polling is required if there are Mac OS users logging into Windows AD.

Event log using WMI polling: WMI is a Windows API for getting system information from a Windows server. The CA acts as a WMI client and sends WMI queries for user logon events to the DC, which in this case is the WMI server. The main advantage of this mode is that the CA does not need to search the security event logs on the DC for user logon events; instead, the DC returns all requested logon events via WMI. This also reduces network load between the CA and the DC.

In Polling mode, the Collector agent polls port 445 of each domain controller for user logon information every few seconds and forwards it to the FortiGate unit. There are no DC Agents installed, so the Collector agent polls the domain controllers directly.

FSSO in Polling mode

A major benefit of Polling mode is that no FSSO DC Agents are required. If it is not possible to install FSSO DC Agents on your domain controllers, this is the alternate configuration available to you. Polling mode results in a less complex install, and reduces ongoing maintenance. The minimum permissions required in Polling mode are to read the event log or call NetAPI.

Collector agent AD Access mode – Standard versus Advanced

The Collector agent has two ways to access Active Directory user information. The main difference between Standard and Advanced mode is the naming convention used when referring to username information.

Standard mode uses regular Windows convention: Domain\Username. Advanced mode uses LDAP convention: CN=User, OU=Name, DC=Domain.

If there is no special requirement to use LDAP, best practices suggest you set up FSSO in Standard mode. This mode is easier to set up, and is usually easier to maintain and troubleshoot.

Standard and advanced modes have the same level of functionality with the following exceptions:

  • In Standard mode, users have to create Group filters on the Collector agent. This differs from Advanced mode, where Group filters are configured from the FortiGate unit. Fortinet strongly encourages users to create filters from the CA.
  • Advanced mode supports nested or inherited groups. This means that users may be a member of multiple monitored groups. Standard mode does not support nested groups so a user must be a direct member of the group being monitored.
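A simplified model of the logon flow from "Introduction to agent-based FSSO" and of the nested-group difference just described, as an added example (not Fortinet code): the collector builds a record of user, IP and groups, and the FortiGate-side check matches traffic by source IP. The directory data, group names and addresses are constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed directory data; all names and addresses are hypothetical.
# Maps a user or group to the groups it is a *direct* member of.
MEMBER_OF = {
    "CORP\\alice": {"Web-Users"},
    "CORP\\bob": {"Helpdesk"},
    "Helpdesk": {"IT-Staff"},
    "IT-Staff": {"Web-Users", "Helpdesk"},  # membership cycle on purpose
}

@dataclass(frozen=True)
class LogonRecord:
    """What the page says is sent to the FortiGate: user, IP, groups (no password)."""
    user: str
    ip: str
    groups: frozenset

def resolve_groups(principal, nested):
    """Direct groups only (Standard mode) or the transitive closure (Advanced mode)."""
    found, todo = set(), [principal]
    while todo:
        for group in MEMBER_OF.get(todo.pop(), ()):
            if group not in found:      # also stops on membership cycles
                found.add(group)
                if nested:
                    todo.append(group)
    return frozenset(found)

def collect_logon(user, ip, mode):
    """Collector side: build the logon record for one detected logon."""
    return LogonRecord(user, ip, resolve_groups(user, nested=(mode == "advanced")))

def policy_allows(records, src_ip, permitted_groups):
    """FortiGate side: find the logon record for the source IP, then compare groups."""
    record = records.get(src_ip)
    return record is not None and bool(record.groups & set(permitted_groups))

def demo(mode):
    """Return the policy decision per source IP for a policy permitting Web-Users."""
    records = {}
    for user, ip in (("CORP\\alice", "10.0.0.11"), ("CORP\\bob", "10.0.0.12")):
        records[ip] = collect_logon(user, ip, mode)
    return {ip: policy_allows(records, ip, {"Web-Users"})
            for ip in ("10.0.0.11", "10.0.0.12", "10.0.0.99")}

if __name__ == "__main__":
    for mode in ("standard", "advanced"):
        print(mode, demo(mode))
```

In this model bob reaches Web-Users only through Helpdesk and IT-Staff, so he is matched in Advanced mode but not in Standard mode, and an address with no logon record is never matched.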

FSSO for Citrix

Citrix users can enjoy a similar Single Sign-On experience as Windows AD users. The FSSO TS agent installed on each Citrix server provides user logon information to the FSSO Collector agent on the network. The FortiGate unit uses this information to authenticate the user in security policies.

Citrix SSO topology

Citrix users do not have unique IP addresses. When a Citrix user logs on, the TS agent assigns that user a range of ports. By default each user has a range of 200 ports.

FSSO for Novell eDirectory

FSSO in a Novell eDirectory environment works similarly to the FSSO Polling mode in the Windows AD environment. The eDirectory agent polls the eDirectory servers for user logon information and forwards the information to the FortiGate unit. There is no need for the Collector agent.

When a user logs on at a workstation, FSSO:

  • detects the logon event by polling the eDirectory server and records the IP address and user ID,
  • looks up in the eDirectory which groups this user belongs to,
  • sends the IP address and user groups information to the FortiGate unit.

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups, the connection is allowed.

FSSO is supported on the Novell E-Directory 8.8 operating system.

For a Novell network, there is only one FSSO component to install — the eDirectory agent. In some cases, you also need to install the Novell Client.

FSSO security issues

When the different components of FSSO are communicating there are some inherent security features.

FSSO installation requires an account with network admin privileges. The security inherent in these types of accounts helps ensure access to FSSO configurations is not tampered with.

User passwords are never sent between FSSO components. The information that is sent is information to identify a user including the username, group or groups, and IP address.

NTLM uses base-64 encoded packets, and uses a unique randomly generated challenge nonce to avoid sending user information and password between the client and the server.

