Cookbook

Cisco pxGrid fabric connector

You can create an endpoint connector to Cisco pxGrid by using FortiManager. FortiManager dynamically collects updates from pxGrid and forwards them to FortiGate by using the Fortinet Single Sign On (FSSO) protocol.

To create a Cisco pxGrid fabric connector:
  1. On FortiManager, create an SSO Connector to Cisco ISE.

    Communication between FortiManager and Cisco ISE is secured by using TLS. FortiManager requires a client certificate issued by Cisco ISE. FortiManager uses the certificate to authenticate to Cisco ISE.

  2. On FortiManager, map Cisco ISE groups to a Fortinet FSSO group.

    Once a secured communication channel is established, Cisco sends all user groups to FortiManager.

    The FortiManager administrator can select specific groups and map them to Fortinet FSSO groups.

  3. On FortiManager, add the Fortinet FSSO group to a firewall policy in a policy package.

  4. On FortiManager, synchronize the policy package to the firewall for the managed FortiGate.

  5. On FortiGate, verify that the synced firewall policy contains the correct FSSO group and that all FSSO-related information in user adgrp is correct.

  6. After successful user authentication on Cisco ISE, verify that information is forwarded to FortiManager.

    On FortiManager, the icon next to the authenticated user in pxGrid Monitor should be green.

    FortiGate should have two entries: one in the firewall-authenticated user list and one in the FSSO logged-on user list.

    In the FSSO logged-on user list, you can view both groups: the group that the user belongs to on Cisco ISE and the Fortinet FSSO group it is mapped to.
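The following FortiGate CLI commands are an added verification checklist for steps 5 and 6; they are not part of this cookbook and assume you are logged in to the managed FortiGate after the policy package has been synchronized. Each command is a standard FortiOS command; the comments describe what to look for against the steps above.

```text
# Step 5: confirm the FSSO source (FortiManager acting as the FSSO collector)
# and the synced FSSO group object arrived on the FortiGate intact.
show user fsso
show user adgrp

# Step 5: confirm the synced firewall policy references the expected FSSO group.
show firewall policy

# Step 6: connection state between the FortiGate and its FSSO source.
# The FortiManager entry should show as connected.
diagnose debug authd fsso server-status

# Step 6: the FSSO logged-on user list. After a successful Cisco ISE
# authentication, the user should appear with its source IP, the Cisco ISE
# group and the mapped Fortinet FSSO group.
diagnose debug authd fsso list

# Step 6: the firewall-authenticated user list; the same user should appear
# here once traffic has matched the FSSO policy.
diagnose firewall auth list
```

If the user is green in pxGrid Monitor on FortiManager but absent from `diagnose debug authd fsso list`, check the server-status output first: the group mapping and policy can be correct while the FortiGate-to-FortiManager FSSO session itself is down.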
