Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.6.4 Administration Guide
    7.6.4
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    RSSO dynamic address subtype

    RSSO dynamic address subtype

    The RSSO dynamic address object subtype can be used in a firewall policy's source and destination fields. It allows for more granular and precise policies based on RSSO group membership, enhancing security and flexibility when managing network traffic and enforcing policies.

    When the sub-type is rsso, the sso-attribute-value must be set. The IP address of the RADIUS single sign-on user matching the group value will be loaded to the address object.

    To configure the RSSO dynamic address subtype:
    config firewall address
    edit "test-rsso-addr-1"
        set type dynamic
        set sub-type rsso
        set sso-attribute-value <name(s)>
    next
end

    Variable

    Description

    sub-type rsso

    RSSO address sub-type.

    sso-attribute-value <name(s)>

    RADIUS attributes value.
    To check the RADIUS dynamic address database information :
    # diagnose test application radiusd {6 | 66}

    Test level

    Description

    6

    Show RADIUS dynamic address database summary information.

    66

    Show RADIUS dynamic address database information.

    Example

    To configure and use an RSSO dynamic address object:

    1. Enable RADIUS account access on port 1.

      When the RADIUS server sends an RSSO message to the FortiGate on port 1, which includes an IP address, the FortiGate will add it to the RSSO dynamic address list.

      config system interface
    edit port1
        append allowaccess radius-acct
    next
end

    2. Configure the RADIUS user and user group for the RSSO address:

      config user radius
    edit "rsso_server"
        set rsso enable
        set rsso-radius-response enable
        set rsso-secret **************
        set rsso-flush-ip-session enable
    next
end
config user group
    edit "rsso_g1"
        set group-type rsso
        set sso-attribute-value "rsso_group_1"
    next
end

    3. Configure a dynamic address with RSSO subtype:

      config firewall address
    edit "test-rsso-addr-1"
        set type dynamic
        set sub-type rsso
        set sso-attribute-value "rsso_group_1"
    next
end

    4. Apply the RSSO dynamic address as a destination in the firewall policy:

      config firewall policy
    edit 44
        set name "nat44_policy"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "10-1-100-0"
        set dstaddr "test-rsso-addr-1"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end

    5. Check the RSSO dynamic address. In this case, 172.16.200.155 is loaded into the RSSO dynamic address:

      # diagnose test application radiusd 6
dynamic addresses total[vd:root]:0.
dynamic addresses total[vd:vdom1]:1.
  name, ip_db-total
  test-rsso-addr-1, 1
      # diagnose test application radiusd 66
dynamic addresses total[vd:root]:0.
dynamic addresses total[vd:vdom1]:1.
  name:test-rsso-addr-1, ip_db total:1.
        ip,     installed
        172.16.200.155, 1.
      # diagnose firewall dynamic list test-rsso-addr-1
CMDB name: test-rsso-addr-1
test-rsso-addr-1: ID(90)
        ADDR(172.16.200.155)
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 1.

    6. Send a packet that hits the policy, then check the session to see that the RSSO dynamic address works as a destination in the firewall policy:

      # diagnose sys session list
session info: proto=6 proto_state=07 duration=6 expire=115 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
dst_user=dynamic_user_1 dst_authsvr=vdom1 state=log may_dirty f00
statistic(bytes/packets/allow_err): org=269/5/1 reply=715/4/1 tuples=2
tx speed(Bps/kbps): 42/0 rx speed(Bps/kbps): 112/0
orgin->sink: org pre->post, reply pre->post dev=10->9/9->10 gwy=172.16.200.155/10.1.100.42
hook=post dir=org act=snat 10.1.100.42:20042->172.16.200.155:80(172.16.200.6:20042)
hook=pre dir=reply act=dnat 172.16.200.155:80->172.16.200.6:20042(10.1.100.42:20042)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=44 pol_uuid_idx=2522 auth_info=0 chk_client_info=0 vd=1
serial=0000254c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason:  disabled-by-policy
total session: 1
    Previous
    Next

    RSSO dynamic address subtype

    RSSO dynamic address subtype

    The RSSO dynamic address object subtype can be used in a firewall policy's source and destination fields. It allows for more granular and precise policies based on RSSO group membership, enhancing security and flexibility when managing network traffic and enforcing policies.

    When the sub-type is rsso, the sso-attribute-value must be set. The IP address of the RADIUS single sign-on user matching the group value will be loaded to the address object.

    To configure the RSSO dynamic address subtype:
    config firewall address
    edit "test-rsso-addr-1"
        set type dynamic
        set sub-type rsso
        set sso-attribute-value <name(s)>
    next
end

    Variable

    Description

    sub-type rsso

    RSSO address sub-type.

    sso-attribute-value <name(s)>

    RADIUS attributes value.
    To check the RADIUS dynamic address database information :
    # diagnose test application radiusd {6 | 66}

    Test level

    Description

    6

    Show RADIUS dynamic address database summary information.

    66

    Show RADIUS dynamic address database information.

    Example

    To configure and use an RSSO dynamic address object:

    1. Enable RADIUS account access on port 1.

      When the RADIUS server sends an RSSO message to the FortiGate on port 1, which includes an IP address, the FortiGate will add it to the RSSO dynamic address list.

      config system interface
    edit port1
        append allowaccess radius-acct
    next
end

    2. Configure the RADIUS user and user group for the RSSO address:

      config user radius
    edit "rsso_server"
        set rsso enable
        set rsso-radius-response enable
        set rsso-secret **************
        set rsso-flush-ip-session enable
    next
end
config user group
    edit "rsso_g1"
        set group-type rsso
        set sso-attribute-value "rsso_group_1"
    next
end

    3. Configure a dynamic address with RSSO subtype:

      config firewall address
    edit "test-rsso-addr-1"
        set type dynamic
        set sub-type rsso
        set sso-attribute-value "rsso_group_1"
    next
end

    4. Apply the RSSO dynamic address as a destination in the firewall policy:

      config firewall policy
    edit 44
        set name "nat44_policy"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "10-1-100-0"
        set dstaddr "test-rsso-addr-1"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end

    5. Check the RSSO dynamic address. In this case, 172.16.200.155 is loaded into the RSSO dynamic address:

      # diagnose test application radiusd 6
dynamic addresses total[vd:root]:0.
dynamic addresses total[vd:vdom1]:1.
  name, ip_db-total
  test-rsso-addr-1, 1
      # diagnose test application radiusd 66
dynamic addresses total[vd:root]:0.
dynamic addresses total[vd:vdom1]:1.
  name:test-rsso-addr-1, ip_db total:1.
        ip,     installed
        172.16.200.155, 1.
      # diagnose firewall dynamic list test-rsso-addr-1
CMDB name: test-rsso-addr-1
test-rsso-addr-1: ID(90)
        ADDR(172.16.200.155)
Total IP dynamic range blocks: 0.
Total IP dynamic addresses: 1.

    6. Send a packet that hits the policy, then check the session to see that the RSSO dynamic address works as a destination in the firewall policy:

      # diagnose sys session list
session info: proto=6 proto_state=07 duration=6 expire=115 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
dst_user=dynamic_user_1 dst_authsvr=vdom1 state=log may_dirty f00
statistic(bytes/packets/allow_err): org=269/5/1 reply=715/4/1 tuples=2
tx speed(Bps/kbps): 42/0 rx speed(Bps/kbps): 112/0
orgin->sink: org pre->post, reply pre->post dev=10->9/9->10 gwy=172.16.200.155/10.1.100.42
hook=post dir=org act=snat 10.1.100.42:20042->172.16.200.155:80(172.16.200.6:20042)
hook=pre dir=reply act=dnat 172.16.200.155:80->172.16.200.6:20042(10.1.100.42:20042)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=44 pol_uuid_idx=2522 auth_info=0 chk_client_info=0 vd=1
serial=0000254c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload
no_ofld_reason:  disabled-by-policy
total session: 1
    Previous
    Next