FSSO dynamic address subtype

The Fortinet Single Sign-ON (FSSO) dynamic firewall address subtype can be used in policies that support dynamic address types. The FortiGate will update the dynamic address used in firewall policies based on the source IP information for the authenticated FSSO users.

It can also be used with FSSO group information that is forwarded by ClearPass Policy Manager (CPPM) via FortiManager, and other FSSO groups provided by the FSSO collector agent or FortiNAC.

To configure FSSO dynamic addresses with CPPM and FortiManager in the GUI:
  1. Create the dynamic address object:
    1. Go to Policy & Objects > Addresses, and click Create New > Address.
    2. For Type, select Dynamic.
    3. For Sub Type, select Fortinet Single Sign-On (FSSO). The Select Entries pane opens and displays all available FSSO groups.
    4. Select one or more groups.
    5. Click OK to save the configuration.

      In the address table, there will be an error message for the address you just created (Unresolved dynamic address: fsso). This is expected because there are currently no authenticated FSSO users (based on source IP) in the local FSSO user list.

  2. Add the dynamic address object to a firewall policy:
    1. Go to Policy & Objects > Firewall Policy.
    2. Create a new policy or edit an existing policy.
    3. For Source, add the dynamic FSSO address object you just created.
    4. Configure the rest of the pol