Fortinet black logo

Administration Guide

FSSO dynamic address subtype

FSSO dynamic address subtype

The Fortinet Single Sign-ON (FSSO) dynamic firewall address subtype can be used in policies that support dynamic address types. The FortiGate will update the dynamic address used in firewall policies based on the source IP information for the authenticated FSSO users.

It can also be used with FSSO group information that is forwarded by ClearPass Policy Manager (CPPM) via FortiManager, and other FSSO groups provided by the FSSO collector agent or FortiNAC. Up to 3000 dynamic FSSO IP addresses are supported per dynamic FSSO group.

To configure FSSO dynamic addresses with CPPM and FortiManager in the GUI:
  1. Create the dynamic address object:
    1. Go to Policy & Objects > Addresses and select Address.
    2. Click Create new.
    3. For Type, select Dynamic.
    4. For Sub Type, select Fortinet Single Sign-On (FSSO).
    5. Select one or more groups.
    6. Click OK to save the configuration.

      In the address table, there will be an error message for the address you just created (Unresolved dynamic address: fsso). This is expected because there are currently no authenticated FSSO users (based on source IP) in the local FSSO user list.

  2. Add the dynamic address object to a firewall policy:
    1. Go to Policy & Objects > Firewall Policy.
    2. Create a new policy or edit an existing policy.
    3. For Source, select Address from the dropdown list and add the dynamic FSSO address object you just created.
    4. Configure the rest of the policy as needed.
    5. Click OK to save your changes.
  3. Test the authentication to add a source IP address to the FSSO user list:
    1. Log in as user and use CPPM for user authentication to connect to an external web server. After successful authentication, CPPM forwards the user name, source IP address, and group membership to the FortiGate via FortiManager.
    2. Go to Monitor > Firewall User Monitor to view the user name (fsso1) and IP address.

    3. Go to Policy & Objects > Addresses to view the updated address table. The error message no longer appears.
    4. Hover over the dynamic FSSO address to view the IP address (fsso resolves to: 10.1.100.185).

To verify user traffic in the GUI:
  1. Go to Log & Report > Forward Traffic.

    Details for the user fsso1 are visible in the traffic log:

  • If another user is authenticated by CPPM, then the dynamic address fsso entry in the address table will be updated. The IP address for user fsso2 (10.1.100.188) is now visible:

  • Go to FortiView > Sources to verify that the users were able to successfully pass the firewall policy.

  • Note

    If a user logs off and CPPM receives log off confirmation, then CPPS updates the FortiGate FSSO user list via FortiManager. The user IP address is deleted from the dynamic FSSO address, and the user is no longer be able to pass the firewall policy.

    To configure FSSO dynamic addresses with CPPM and FortiManager in the CLI:
    1. Create the dynamic address object:
      config firewall address
          edit "fsso"
              set type dynamic
              set sub-type fsso
              set fsso-group "cp_test_FSSOROLE"
          next
      end
    2. Add the dynamic address object to a policy:
      config firewall policy
          edit 1
              set name "pol1"
              set srcintf "port2"
              set dstintf "port3"
              set srcaddr "fsso"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set logtraffic all
              set fsso disable
              set nat enable
          next
      end
    To verify user traffic in the CLI:
    1. Check the FSSO user list:
      diagnose debug authd fsso list
      ----FSSO logons----
      IP: 10.1.100.185  User: fsso1  Groups: cp_test_FSSOROLE  Workstation:  MemberOf: FSSO-CPPM cp_test_FSSOROLE
      Total number of logons listed: 1, filtered: 0
      ----end of FSSO logons----
    2. Check the authenticated firewall users list:
      diagnose firewall auth list
      10.1.100.185, fsso1
      type: fsso, id: 0, duration: 2928, idled: 2928
      server: FortiManager
      packets: in 0 out 0, bytes: in 0 out 0
      group_id: 2 33554433
      group_name: FSSO-CPPM cp_test_FSSOROLE
      ----- 1 listed, 0 filtered ------

      After user traffic passes through the firewall, the nu

      diagnose firewall auth list
      10.1.100.185, fsso1
      type: fsso, id: 0, duration: 3802, idled: 143
      server: FortiManager
      packets: in 1629 out 1817, bytes: in 2203319 out 133312
      group_id: 2 33554433
      group_name: FSSO-CPPM cp_test_FSSOROLE
      ----- 1 listed, 0 filtered ------

    FSSO dynamic address subtype

    The Fortinet Single Sign-ON (FSSO) dynamic firewall address subtype can be used in policies that support dynamic address types. The FortiGate will update the dynamic address used in firewall policies based on the source IP information for the authenticated FSSO users.

    It can also be used with FSSO group information that is forwarded by ClearPass Policy Manager (CPPM) via FortiManager, and other FSSO groups provided by the FSSO collector agent or FortiNAC. Up to 3000 dynamic FSSO IP addresses are supported per dynamic FSSO group.

    To configure FSSO dynamic addresses with CPPM and FortiManager in the GUI:
    1. Create the dynamic address object:
      1. Go to Policy & Objects > Addresses and select Address.
      2. Click Create new.
      3. For Type, select Dynamic.
      4. For Sub Type, select Fortinet Single Sign-On (FSSO).
      5. Select one or more groups.
      6. Click OK to save the configuration.

        In the address table, there will be an error message for the address you just created (Unresolved dynamic address: fsso). This is expected because there are currently no authenticated FSSO users (based on source IP) in the local FSSO user list.

    2. Add the dynamic address object to a firewall policy:
      1. Go to Policy & Objects > Firewall Policy.
      2. Create a new policy or edit an existing policy.
      3. For Source, select Address from the dropdown list and add the dynamic FSSO address object you just created.
      4. Configure the rest of the policy as needed.
      5. Click OK to save your changes.
    3. Test the authentication to add a source IP address to the FSSO user list:
      1. Log in as user and use CPPM for user authentication to connect to an external web server. After successful authentication, CPPM forwards the user name, source IP address, and group membership to the FortiGate via FortiManager.
      2. Go to Monitor > Firewall User Monitor to view the user name (fsso1) and IP address.

      3. Go to Policy & Objects > Addresses to view the updated address table. The error message no longer appears.
      4. Hover over the dynamic FSSO address to view the IP address (fsso resolves to: 10.1.100.185).

    To verify user traffic in the GUI:
    1. Go to Log & Report > Forward Traffic.

      Details for the user fsso1 are visible in the traffic log:

    • If another user is authenticated by CPPM, then the dynamic address fsso entry in the address table will be updated. The IP address for user fsso2 (10.1.100.188) is now visible:

  • Go to FortiView > Sources to verify that the users were able to successfully pass the firewall policy.

  • Note

    If a user logs off and CPPM receives log off confirmation, then CPPS updates the FortiGate FSSO user list via FortiManager. The user IP address is deleted from the dynamic FSSO address, and the user is no longer be able to pass the firewall policy.

    To configure FSSO dynamic addresses with CPPM and FortiManager in the CLI:
    1. Create the dynamic address object:
      config firewall address
          edit "fsso"
              set type dynamic
              set sub-type fsso
              set fsso-group "cp_test_FSSOROLE"
          next
      end
    2. Add the dynamic address object to a policy:
      config firewall policy
          edit 1
              set name "pol1"
              set srcintf "port2"
              set dstintf "port3"
              set srcaddr "fsso"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
              set logtraffic all
              set fsso disable
              set nat enable
          next
      end
    To verify user traffic in the CLI:
    1. Check the FSSO user list:
      diagnose debug authd fsso list
      ----FSSO logons----
      IP: 10.1.100.185  User: fsso1  Groups: cp_test_FSSOROLE  Workstation:  MemberOf: FSSO-CPPM cp_test_FSSOROLE
      Total number of logons listed: 1, filtered: 0
      ----end of FSSO logons----
    2. Check the authenticated firewall users list:
      diagnose firewall auth list
      10.1.100.185, fsso1
      type: fsso, id: 0, duration: 2928, idled: 2928
      server: FortiManager
      packets: in 0 out 0, bytes: in 0 out 0
      group_id: 2 33554433
      group_name: FSSO-CPPM cp_test_FSSOROLE
      ----- 1 listed, 0 filtered ------

      After user traffic passes through the firewall, the nu

      diagnose firewall auth list
      10.1.100.185, fsso1
      type: fsso, id: 0, duration: 3802, idled: 143
      server: FortiManager
      packets: in 1629 out 1817, bytes: in 2203319 out 133312
      group_id: 2 33554433
      group_name: FSSO-CPPM cp_test_FSSOROLE
      ----- 1 listed, 0 filtered ------