Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.1 Administration Guide
    7.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Agentless NTLM authentication for web proxy

    Agentless NTLM authentication for web proxy

    Agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:

    • Multiple servers
    • Individual users

    You can use multiple domain controller servers for the agentless NTLM. They can be used for load balancing and high service stability.

    You can also use user-based matching in groups for Kerberos and agentless NTLM. In these scenarios, FortiOS matches the user's group information from an LDAP server.

    To support multiple domain controllers for agentless NTLM using the CLI:

    1. Configure an LDAP server:

      config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.177"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password *********
    next
end

    2. Configure multiple domain controllers: 

      config user domain-controller
    edit "dc1"
        set ip-address 172.18.62.177 
        config extra-server
            edit 1
                set ip-address 172.18.62.220 
            next 
        end
        set ldap-server "ldap-kerberos" 
    next 
end

    3. Create an authentication scheme and rule: 

      config authentication scheme 
    edit "au-ntlm"
        set method ntlm
        set domain-controller "dc1"
    next 
end
      config authentication rule 
    edit "ru-ntlm"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "au-ntlm"
    next 
end

    4. In the proxy policy, append the user group for authorization: 

      config firewall proxy-policy     
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all" 
        set dstaddr "all" 
        set service "web" 
        set action accept 
        set schedule "always" 
        set groups "ldap-group"
        set utm-status enable 
        set av-profile "av"
        set ssl-ssh-profile "deep-custom"
    next
end

      This configuration uses a round-robin method. When the first user logs in, the FortiGate sends the authentication request to the first domain controller. Later when another user logs in, the FortiGate sends the authentication request to another domain controller.

    5. Verify the behavior after the user successfully logs in: 

      # diagnose wad user list
ID: 1825, IP: 10.1.100.71, VDOM: vdom1   
    user name   : test1 
    duration    : 497 
    auth_type   : Session 
    auth_method : NTLM   
    pol_id      : 1   g_id        : 5   
    user_based  : 0   e
    xpire      : 103   
    LAN:
        bytes_in=2167 bytes_out=7657   
    WAN:
        bytes_in=3718 bytes_out=270
    To support individual users for agentless NTLM using the CLI:

    1. Configure an LDAP server: 

      config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.177"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password *********
    next
end

    2. Configure the user group and allow user-based matching: 

      config user group
    edit "ldap-group"
        set member "ldap" "ldap-kerberos"
        config match
            edit 1
                set server-name "ldap-kerberos"
                set group-name "test1"
            next
        end
    next
end

    3. Create an authentication scheme and rule: 

      config authentication scheme
    edit "au-ntlm"
        set method ntlm
        set domain-controller "dc1"
    next
end
      config authentication rule
    edit "ru-ntlm"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "au-ntlm"
    next
end

    4. In the proxy policy, append the user group for authorization:

      config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set groups "ldap-group"
        set utm-status enable
        set av-profile "av"
        set ssl-ssh-profile "deep-custom"
    next
end

      This implementation lets you configure a single user instead of a whole group. The FortiGate will now allow the user named test1.

      To verify the configuration using the CLI: 
      diagnose wad user list
    ID: 1827, IP: 10.1.15.25, VDOM: vdom1   
    user name   : test1   
    duration    : 161   
    auth_type   : Session   
    auth_method : NTLM   
    pol_id      : 1   
    g_id        : 5   
    user_based  : 0   
    expire      : 439   
    LAN:
            bytes_in=1309 bytes_out=4410 
      WAN:
            bytes_in=2145 bytes_out=544
    Previous
    Next

    Agentless NTLM authentication for web proxy

    Agentless NTLM authentication for web proxy

    Agentless Windows NT LAN Manager (NTLM) authentication includes support for the following items:

    • Multiple servers
    • Individual users

    You can use multiple domain controller servers for the agentless NTLM. They can be used for load balancing and high service stability.

    You can also use user-based matching in groups for Kerberos and agentless NTLM. In these scenarios, FortiOS matches the user's group information from an LDAP server.

    To support multiple domain controllers for agentless NTLM using the CLI:

    1. Configure an LDAP server:

      config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.177"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password *********
    next
end

    2. Configure multiple domain controllers: 

      config user domain-controller
    edit "dc1"
        set ip-address 172.18.62.177 
        config extra-server
            edit 1
                set ip-address 172.18.62.220 
            next 
        end
        set ldap-server "ldap-kerberos" 
    next 
end

    3. Create an authentication scheme and rule: 

      config authentication scheme 
    edit "au-ntlm"
        set method ntlm
        set domain-controller "dc1"
    next 
end
      config authentication rule 
    edit "ru-ntlm"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "au-ntlm"
    next 
end

    4. In the proxy policy, append the user group for authorization: 

      config firewall proxy-policy     
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all" 
        set dstaddr "all" 
        set service "web" 
        set action accept 
        set schedule "always" 
        set groups "ldap-group"
        set utm-status enable 
        set av-profile "av"
        set ssl-ssh-profile "deep-custom"
    next
end

      This configuration uses a round-robin method. When the first user logs in, the FortiGate sends the authentication request to the first domain controller. Later when another user logs in, the FortiGate sends the authentication request to another domain controller.

    5. Verify the behavior after the user successfully logs in: 

      # diagnose wad user list
ID: 1825, IP: 10.1.100.71, VDOM: vdom1   
    user name   : test1 
    duration    : 497 
    auth_type   : Session 
    auth_method : NTLM   
    pol_id      : 1   g_id        : 5   
    user_based  : 0   e
    xpire      : 103   
    LAN:
        bytes_in=2167 bytes_out=7657   
    WAN:
        bytes_in=3718 bytes_out=270
    To support individual users for agentless NTLM using the CLI:

    1. Configure an LDAP server: 

      config user ldap
    edit "ldap-kerberos"
        set server "172.18.62.177"
        set cnid "cn"
        set dn "dc=fortinetqa,dc=local"
        set type regular
        set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
        set password *********
    next
end

    2. Configure the user group and allow user-based matching: 

      config user group
    edit "ldap-group"
        set member "ldap" "ldap-kerberos"
        config match
            edit 1
                set server-name "ldap-kerberos"
                set group-name "test1"
            next
        end
    next
end

    3. Create an authentication scheme and rule: 

      config authentication scheme
    edit "au-ntlm"
        set method ntlm
        set domain-controller "dc1"
    next
end
      config authentication rule
    edit "ru-ntlm"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "au-ntlm"
    next
end

    4. In the proxy policy, append the user group for authorization:

      config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set groups "ldap-group"
        set utm-status enable
        set av-profile "av"
        set ssl-ssh-profile "deep-custom"
    next
end

      This implementation lets you configure a single user instead of a whole group. The FortiGate will now allow the user named test1.

      To verify the configuration using the CLI: 
      diagnose wad user list
    ID: 1827, IP: 10.1.15.25, VDOM: vdom1   
    user name   : test1   
    duration    : 161   
    auth_type   : Session   
    auth_method : NTLM   
    pol_id      : 1   
    g_id        : 5   
    user_based  : 0   
    expire      : 439   
    LAN:
            bytes_in=1309 bytes_out=4410 
      WAN:
            bytes_in=2145 bytes_out=544
    Previous
    Next