Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.4.2 Administration Guide
7.4.2
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

Domain name in XFF with ICAP

Domain name in XFF with ICAP

The FortiGate can forward additional domain-related information to the ICAP server. Once domain information is gathered from an external authentication server (such as LDAP or an FSSO collector agent), FortiOS incorporates this domain information in WinNT://DOMAIN/Username format and forwards it to the ICAP server.

Basic ICAP configuration

The ICAP server and profile are configured on the FortiGate. The ICAP profile's header settings uses the WinNT://$domain/$user variable for the user information provided by the remote authentication server.

To configure the ICAP settings:

  1. Configure the ICAP server:

    config icap server
    edit "content-filtration-server4"
        set ip-address 10.1.100.41
        set max-connections 200
    next
end

  2. Configure the ICAP profile:

    config icap profile
    edit "Prop-Content-Filtration"
        set request enable
        set response enable
        set streaming-content-bypass enable
        set request-server "content-filtration-server4"
        set response-server "content-filtration-server4"
        set request-path "/proprietary_code/content-filter/"
        set response-path "/proprietary_code/content-filter/"
        set methods delete get head options post put trace other
        config icap-headers
            edit 1
                set name "X-Authenticated-User"
                set content "WinNT://$domain/$user"
            next
        end
    next
end

  3. Configure the firewall policy:

    config firewall policy
    edit 4
        set name "icap_filter3"
        set srcintf "port10"
        set dstintf "port9"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set icap-profile "Prop-Content-Filtration"
        set logtraffic all
        set nat enable
        set groups "ldap group" "AD-group"
    next
end

LDAP example

In this example, an AD LDAP server and remote user group are configured. When successful user authentication occurs, FortiOS retrieves all the user information (such as the domain name) from the UserPrincipalName attribute. A packet capture is used to compare the user and domain information before and after authentication in the ICAP REQMOD message.

To configure the LDAP authentication:

  1. Configure the LDAP server:

    config user ldap
    edit "AD-ldap"
        set server "10.1.100.131"
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
        set password **********   
    next
end

  2. Configure the LDAP user group:

    config user group
    edit "ldap group"
        set member "AD-ldap"
        config match
            edit 1
                set server-name "AD-ldap"
                set group-name "CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM"
            next
            edit 2
                set server-name "AD-ldap"
                set group-name "CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM"
            next
        end
    next
end

  3. Start local traffic dump between the FortiGate and ICAP server before a user authenticates and save it in a PCAP file.

  4. Verify the PCAP file. The Fortinet-fsso.com domain appears in the ICAP REQMOD message.

  5. Optionally, run the following command to verify WAD debugs:

    # diagnose wad debug enable category icap

FSSO example

In this example, a local FSSO agent and remote user group are configured. When successful user authentication occurs, FortiOS retrieves all the user information (such as the domain name). A packet capture is used to compare the user and domain information before and after authentication in the ICAP REQMOD message.

To configure the FSSO authentication:

  1. Configure the FSSO agent:

    config user fsso
    edit "AD-fsso"
        set server "10.1.100.199"
        set password **********
    next
end

  2. Configure the FSSO user group:

    config user group
    edit "AD-group"
        set group-type fsso-service
        set member "FORTINET-FSSO/GROUP1" "FORTINET-FSSO/GROUP2"
    next
end

  3. Start local traffic dump between the FortiGate and ICAP server before a user authenticates and save it in a PCAP file.

  4. Verify the PCAP file. The fsso2022.com domain appears in the ICAP REQMOD message.

  5. Optionally, verify the FSSO log file and search for the get_dns_domain lines:

    ... 
06/20/2023 14:58:58 [ 1484] FortiGate connection accepted, auth OK.
06/20/2023 14:58:58 [ 1484] FortiGate:FG4H1E5819900343-root connected on socket (2004).
06/20/2023 14:58:58 [ 1484] send AUTH, len:26
06/20/2023 14:58:58 [ 1484] ready to read from socket
06/20/2023 14:58:58 [ 1484] Bytes received from FortiGate: 26
06/20/2023 14:58:58 [ 1484] process AD_INFO
06/20/2023 14:58:58 [ 1484] group filter received from FortiGate: len:26
06/20/2023 14:58:58 [ 1484] packet seq:2
06/20/2023 14:58:58 [ 1484] ad info flag:1
06/20/2023 14:58:58 [ 1484] FGT sends empty group list
06/20/2023 14:58:58 [ 1484] ready to read from socket
06/20/2023 14:58:58 [ 1484] Bytes received from FortiGate: 36
06/20/2023 14:58:58 [ 1484] packet seq:3
06/20/2023 14:58:58 [ 1484] option:00000001 ref point:00000000
06/20/2023 14:58:58 [ 1484] toFGT set to:1
06/20/2023 14:58:58 [ 1484] get_dns_domain_name:177 enable_dns_domain_name:1, netbios_domain_name:FSSO2022
06/20/2023 14:58:58 [ 1484] get_dns_domain_name:185 dns_domain_name:FSSO2022.com
06/20/2023 14:58:58 [ 1484] send LOGON_INFO, len:187
06/20/2023 14:58:58 [ 1484] send_to_FGT() called:sock:2004 sendbuf:198f4498 sendlen:187
Previous
Next

Domain name in XFF with ICAP

The FortiGate can forward additional domain-related information to the ICAP server. Once domain information is gathered from an external authentication server (such as LDAP or an FSSO collector agent), FortiOS incorporates this domain information in WinNT://DOMAIN/Username format and forwards it to the ICAP server.

Basic ICAP configuration

The ICAP server and profile are configured on the FortiGate. The ICAP profile's header settings uses the WinNT://$domain/$user variable for the user information provided by the remote authentication server.

To configure the ICAP settings:

  1. Configure the ICAP server:

    config icap server
    edit "content-filtration-server4"
        set ip-address 10.1.100.41
        set max-connections 200
    next
end

  2. Configure the ICAP profile:

    config icap profile
    edit "Prop-Content-Filtration"
        set request enable
        set response enable
        set streaming-content-bypass enable
        set request-server "content-filtration-server4"
        set response-server "content-filtration-server4"
        set request-path "/proprietary_code/content-filter/"
        set response-path "/proprietary_code/content-filter/"
        set methods delete get head options post put trace other
        config icap-headers
            edit 1
                set name "X-Authenticated-User"
                set content "WinNT://$domain/$user"
            next
        end
    next
end

  3. Configure the firewall policy:

    config firewall policy
    edit 4
        set name "icap_filter3"
        set srcintf "port10"
        set dstintf "port9"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set icap-profile "Prop-Content-Filtration"
        set logtraffic all
        set nat enable
        set groups "ldap group" "AD-group"
    next
end

LDAP example

In this example, an AD LDAP server and remote user group are configured. When successful user authentication occurs, FortiOS retrieves all the user information (such as the domain name) from the UserPrincipalName attribute. A packet capture is used to compare the user and domain information before and after authentication in the ICAP REQMOD message.

To configure the LDAP authentication:

  1. Configure the LDAP server:

    config user ldap
    edit "AD-ldap"
        set server "10.1.100.131"
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
        set password **********   
    next
end

  2. Configure the LDAP user group:

    config user group
    edit "ldap group"
        set member "AD-ldap"
        config match
            edit 1
                set server-name "AD-ldap"
                set group-name "CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM"
            next
            edit 2
                set server-name "AD-ldap"
                set group-name "CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM"
            next
        end
    next
end

  3. Start local traffic dump between the FortiGate and ICAP server before a user authenticates and save it in a PCAP file.

  4. Verify the PCAP file. The Fortinet-fsso.com domain appears in the ICAP REQMOD message.

  5. Optionally, run the following command to verify WAD debugs:

    # diagnose wad debug enable category icap

FSSO example

In this example, a local FSSO agent and remote user group are configured. When successful user authentication occurs, FortiOS retrieves all the user information (such as the domain name). A packet capture is used to compare the user and domain information before and after authentication in the ICAP REQMOD message.

To configure the FSSO authentication:

  1. Configure the FSSO agent:

    config user fsso
    edit "AD-fsso"
        set server "10.1.100.199"
        set password **********
    next
end

  2. Configure the FSSO user group:

    config user group
    edit "AD-group"
        set group-type fsso-service
        set member "FORTINET-FSSO/GROUP1" "FORTINET-FSSO/GROUP2"
    next
end

  3. Start local traffic dump between the FortiGate and ICAP server before a user authenticates and save it in a PCAP file.

  4. Verify the PCAP file. The fsso2022.com domain appears in the ICAP REQMOD message.

  5. Optionally, verify the FSSO log file and search for the get_dns_domain lines:

    ... 
06/20/2023 14:58:58 [ 1484] FortiGate connection accepted, auth OK.
06/20/2023 14:58:58 [ 1484] FortiGate:FG4H1E5819900343-root connected on socket (2004).
06/20/2023 14:58:58 [ 1484] send AUTH, len:26
06/20/2023 14:58:58 [ 1484] ready to read from socket
06/20/2023 14:58:58 [ 1484] Bytes received from FortiGate: 26
06/20/2023 14:58:58 [ 1484] process AD_INFO
06/20/2023 14:58:58 [ 1484] group filter received from FortiGate: len:26
06/20/2023 14:58:58 [ 1484] packet seq:2
06/20/2023 14:58:58 [ 1484] ad info flag:1
06/20/2023 14:58:58 [ 1484] FGT sends empty group list
06/20/2023 14:58:58 [ 1484] ready to read from socket
06/20/2023 14:58:58 [ 1484] Bytes received from FortiGate: 36
06/20/2023 14:58:58 [ 1484] packet seq:3
06/20/2023 14:58:58 [ 1484] option:00000001 ref point:00000000
06/20/2023 14:58:58 [ 1484] toFGT set to:1
06/20/2023 14:58:58 [ 1484] get_dns_domain_name:177 enable_dns_domain_name:1, netbios_domain_name:FSSO2022
06/20/2023 14:58:58 [ 1484] get_dns_domain_name:185 dns_domain_name:FSSO2022.com
06/20/2023 14:58:58 [ 1484] send LOGON_INFO, len:187
06/20/2023 14:58:58 [ 1484] send_to_FGT() called:sock:2004 sendbuf:198f4498 sendlen:187
Previous
Next