FSSO polling connector agent installation
This topic gives an example of configuring a local FSSO agent on the FortiGate. The agent actively polls the Windows Security Event log on a Windows Domain Controller (DC) for user logon information. The FSSO user groups can then be used in a firewall policy.
This method does not require any additional software components, and all the configuration can be done on the FortiGate.
To configure a local FSSO agent on the FortiGate:
- Configure an LDAP server on the FortiGate
- Configure a local FSSO polling connector
- Add the FSSO groups to a policy
Configure an LDAP server on the FortiGate
Refer to Configuring an LDAP server. The connection must be successful before configuring the FSSO polling connector.
Configure a local FSSO polling connector
To configure a local FSSO polling connector:
- Go to Security Fabric > External Connectors and click Create New.
- In the Endpoint/Identity section, select Poll Active Directory Server.
- Fill in the required information.
- For LDAP Server, select the server you just created.
- Configure the group settings:
  - For Users/Groups, click Edit. The structure of the LDAP tree is shown in the Users/Groups window.
  - Click the Groups tab.
  - Select the required groups, right-click on them, and select Add Selected. Multiple groups can be selected at one time by holding the CTRL or SHIFT keys. The groups list can be filtered or searched to limit the number of groups that are displayed.
  - Click the Selected tab and verify that the required groups are listed. To remove a group, right-click and select Remove Selected.
  - Click OK to save the group settings.
- Click OK to save the connector settings.
- Go back to Security Fabric > External Connectors.
- There should be two new connectors:
  - The Local FSSO Agent is the backend process that is automatically created when the first FSSO polling connector is created.
  - The Active Directory Connector is the front end connector that can be configured by FortiGate administrators.
To verify the configuration, hover the cursor over the top right corner of the connector; a popup window will show the currently selected groups. A successful connection is also shown by a green up arrow in the lower right corner of the connector.
If you need to get logon information from multiple DCs, configure an additional Active Directory connector for each DC to be monitored.
Add the FSSO groups to a policy
FSSO groups can be used in a policy by either adding them to the policy directly, or by adding them to a local user group and then adding the group to a policy.
To add the FSSO groups to a local user group:
- Go to User & Authentication > User Groups and click Create New.
- Enter a name for the group in the Name field.
- Set the Type to Fortinet Single Sign-On (FSSO).
- In the Members field, click the + and add the FSSO groups.
- Click OK.
- Add the local FSSO group to a policy.
To add the FSSO groups directly to a firewall policy:
- Go to Policy & Objects > Firewall Policy and click Create New.
- In the Source field, click the +. In the Select Entries pane, select the User tab.
- Select the FSSO groups.
- Configure the remaining settings as required.
- Click OK.
Troubleshooting
If an authenticated AD user cannot access the internet or pass the firewall policy, verify the local FSSO user list:
# diagnose debug authd fsso list
----FSSO logons----
IP: 10.1.100.188  User: test2  Groups: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM
Workstation:  MemberOf: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
- Check that the group in MemberOf is allowed by the policy.
- If the expected AD user is not in the list, but other users are, it means that either:
- The FortiGate missed the log in event, which can happen if many users log in at the same time, or
- The user's workstation is unable to connect to the DC, and is currently logged in with cached credentials, so there is no entry in the DC security event log.
- If there are no users in the local FSSO user list:
- Ensure that the local FSSO agent is working correctly:
# diagnose debug enable
# diagnose debug authd fsso server-status
Server Name         Connection Status   Version           Address
-----------         -----------------   -------           -------
Local FSSO Agent    connected           FSAE server 1.1   127.0.0.1
FGT_A (vdom1) #
- Verify the Active Directory connection status:
# diagnose debug fsso-polling detail 1
AD Server Status (connected):
ID=1, name(10.1.100.131),ip=10.1.100.131,source(security),users(0)
port=auto username=Administrator
read log eof=1, latest logon timestamp: Fri Jul 26 10:36:20 2019
polling frequency: every 10 second(s)
success(274), fail(0)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
LDAP status: connected
Group Filter: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=com+CN=group21,OU=Testing,DC=Fortinet-FSSO,DC=COM
If the polling counters show both successes and failures, that indicates sporadic network problems or a very busy DC. If they show neither successes nor failures, incorrect credentials are the likely cause.
If the LDAP status is connected, the FortiGate can access the configured LDAP server. This is required for looking up the AD group membership of authenticated users, because the Windows Security Event log does not include group membership information: the FortiGate sends an LDAP search for each authenticated user's group membership to the configured LDAP server.
The FortiGate adds an authenticated user to the local FSSO user list only if the user is a member of one of the groups in Group Filter. The connection status must be connected.
- If necessary, capture the output of the local FortiGate daemon that polls Windows Security Event logs:
# diagnose debug application fssod -1
This output contains a lot of detailed information which can be captured to a text file.
Limitations
- NTLM based authentication is not supported.
- If a large number of users log in at the same time, the FSSO daemon may miss some logon events. Consider using FSSO agent mode if this will be an issue. See Public and private SDN connectors for information.
- The FSSO daemon does not support all of the security log events that are supported by other FSSO scenarios. For example, only Kerberos logon events 4768 and 4769 are supported.