
Administration Guide

Creating Cisco pxGrid connectors

The Cisco pxGrid connector lets FortiManager receive pxGrid session updates centrally for all of its managed FortiGate devices, and uses the FSSO protocol to push the resulting dynamic identity updates to each FortiGate.

You can create multiple Cisco pxGrid connectors per ADOM.

Requirements:

  • An ADOM of version 6.0 or later.

  • The FortiGate is managed by FortiManager.

  • The managed FortiGate unit is configured to work with Cisco pxGrid.

  • The Cisco ISE server is configured, and the pxGrid certificate has been downloaded.

Note

When the pxGrid connector is created, FortiManager only processes session events whose state is "Started" or "Disconnected". All other session statuses that ISE can report, such as "Authenticated", are ignored by FortiManager.

Additionally, a Security Group must be assigned to the user in ISE (see the steps below). Users whose Security Group is null are ignored by FortiManager.

To configure Cisco ISE server:
  1. Create a Security Group: Go to ISE > Work Centers > TrustSec > Components > Security Groups. Click Add.

  2. Create a User Identity Group: Go to ISE > Administration > Identity Management > Groups > User Identity Groups. Click Add.

  3. Create a user and add it to User Identity Group: Go to ISE > Administration > Identity Management > Identities. Click Add.

  4. Match the Security Group with the User Identity Group in the policy: Go to ISE > Work Centers > TrustSec > Components > Policy Sets. Right-click and go to Authorization policy > Basic_Authenticated_Access, then click Edit to match the Security Group with the User Identity Group.

  5. Generate the pxGrid certificate and download it to the local computer: Go to ISE > Administration > pxGrid Services > Certificate and select Generate pxGrid Certificates.

  6. See log for current users: Go to ISE > Operations > RADIUS > Live Logs.

  7. See live sessions of current users: Go to ISE > Operations > RADIUS > Live Sessions.

To configure FortiManager:
  1. Go to System Settings > Certificates, and click Create New/Import > Certificate. Import the downloaded certificate.

  2. Go to Fabric View > External Connectors, and click Create New. The Create New Fabric Connector wizard is displayed.

  3. Under Endpoint/Identity, select User pxGrid.

  4. Configure the following options, and click OK to create the User pxGrid connector:

    Name

    Type a name for the fabric connector object.

    Status

    Toggle On to enable the fabric connector object. Toggle OFF to disable the fabric connector object.

    Server

    Type the IP address of the Cisco ISE server.

    CA Certificate

    Select the imported CA Certificate.

    Client Certificate

    Select the imported Client Certificate.

    Note

    You must approve the pending FortiManager client in Cisco ISE: go to Administration > pxGrid Services > Clients, select the FortiManager entry, and approve it.

    You can enable Automatically Approve New Accounts under Administration > pxGrid Services > Settings so that new certificate-based accounts are approved automatically. Any FortiManager devices that are already pending approval must still be approved manually before this setting takes effect.

    For more information about client approval, see the Cisco ISE documentation.

  5. Go to Policy & Objects > Security Fabric > Endpoint/Identity.

  6. Ensure the Status of the connector is enabled, then select the connector and click Import. The pxGrid connector is imported.

  7. Click Close to close the import dialog.

  8. Go to Policy & Objects > User & Authentication > User Groups and create a new group (ISEgroup in this example). Set the type to FSSO/Cisco TrustSec, and select the imported pxGrid user object as a member.

  9. Create a policy that uses the ISEgroup user group, and install the policy to FortiGate.

  10. Go to Fabric View > External Connectors. Click Monitor to see the users currently logged in.

  11. Log on to FortiGate to view the ISE user group.

  12. On the FortiGate command line, use the diagnose debug authd fsso list command to monitor the current user list.

CLI for FortiManager and FortiGate

Command line interface for FortiManager:

Set the refresh and timeout values used by the connectors:

config system connector
    set fsso-refresh-interval <seconds>    FSSO refresh interval (60 - 1800 seconds).
    set fsso-sess-timeout <seconds>        FSSO session timeout (30 - 600 seconds).
    set px-refresh-interval <seconds>      pxGrid refresh interval (60 - 1800 seconds).
    set px-svr-timeout <seconds>           pxGrid server timeout (30 - 600 seconds).
end

Real-time debug output to watch the server connection:

diagnose debug application connector 255

Show the group retrieved by a connector (<adom name> and <user group name> are placeholders; the same command is used for Active Directory groups):

diagnose system print connector <adom name> <user group name>

Command line interface for FortiGate:

Show the status of the FSSO server connection:

diagnose debug authd fsso server-status

Show the connected users:

diagnose debug authd fsso list

----FSSO logons----
IP: 192.168.1.19 User: test2 Groups: px_fc1_security_grp1 Workstation: MemberOf: fscs1
IP: 192.168.1.20 User: test2 Groups: px_fc1_security_grp1 Workstation: MemberOf: fscs1
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----

Force a refresh of the logon list and of the group list:

diagnose debug authd fsso refresh-logon
diagnose debug authd fsso refresh-group
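The following is an added example and is not code from the Fortinet or Cisco documentation. It ties together the processing rule given in the note above (FortiManager acts only on "Started" and "Disconnected" sessions and drops users with a null Security Group) and the FortiGate output shown here: it replays a constructed set of pxGrid session events to derive the logons that should exist, parses the text that diagnose debug authd fsso list prints, and reports any logon that is missing, mismatched or stale on the FortiGate. The event dictionary keys, the px_<connector>_<security group> group naming (taken from the sample output above) and the sample events are assumptions made for illustration, not a Cisco or Fortinet API.

```python
"""Reconcile Cisco ISE pxGrid session events with a FortiGate FSSO logon list.

Added example, not code from the Fortinet or Cisco documentation.  It models
the two rules the guide states for the pxGrid connector (only "Started" and
"Disconnected" sessions are acted on; sessions with no Security Group are
ignored), parses `diagnose debug authd fsso list` output, and reports where
the FortiGate's logon table disagrees with what the ISE sessions imply.

Assumptions: the event dictionary keys below and the FSSO group naming
px_<connector>_<security group> (taken from the guide's sample output) are
illustrative, not a Cisco or Fortinet API.
"""
import re

# Session states FortiManager acts on; anything else (e.g. "Authenticated") is ignored.
ACTIONABLE_STATES = {"Started", "Disconnected"}


def expected_logons(events, connector="fc1"):
    """Replay pxGrid session events in order; return {ip: (user, fsso_group)}."""
    logons = {}
    for ev in events:
        state = ev.get("state")
        if state not in ACTIONABLE_STATES:
            continue                      # ignored by FortiManager
        sgt = ev.get("security_group")
        if not sgt:
            continue                      # null Security Group: never reaches FortiGate
        if state == "Started":
            logons[ev["ip"]] = (ev["user"], f"px_{connector}_{sgt}")
        else:                             # "Disconnected" removes the logon, if present
            logons.pop(ev["ip"], None)
    return logons


# One logon line of `diagnose debug authd fsso list`; Workstation may be empty.
LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+?)\s*User:\s*(?P<user>\S+?)\s*Groups:\s*(?P<groups>\S*?)"
    r"\s*Workstation:\s*(?P<ws>\S*?)\s*MemberOf:\s*(?P<member>\S*)\s*$"
)


def parse_fsso_list(text):
    """Parse FortiGate FSSO logon output into {ip: (user, groups)}."""
    entries = {}
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if m:
            entries[m["ip"]] = (m["user"], m["groups"])
    return entries


def reconcile(expected, actual):
    """Return human-readable discrepancies; an empty list means the two agree."""
    problems = []
    for ip, (user, group) in expected.items():
        if ip not in actual:
            problems.append(f"missing on FortiGate: {ip} {user} {group}")
        elif actual[ip] != (user, group):
            problems.append(f"mismatch for {ip}: expected {user}/{group}, "
                            f"FortiGate has {actual[ip][0]}/{actual[ip][1]}")
    for ip, (user, _) in actual.items():
        if ip not in expected:
            problems.append(f"stale on FortiGate: {ip} {user}")
    return problems


# Constructed pxGrid session events (not real ISE data), in arrival order.
SAMPLE_EVENTS = [
    {"ip": "192.168.1.19", "user": "test2", "state": "Started", "security_group": "security_grp1"},
    {"ip": "192.168.1.20", "user": "test2", "state": "Started", "security_group": "security_grp1"},
    {"ip": "192.168.1.21", "user": "guest1", "state": "Authenticated", "security_group": "security_grp1"},
    {"ip": "192.168.1.22", "user": "nosgt", "state": "Started", "security_group": None},
    {"ip": "192.168.1.23", "user": "test3", "state": "Started", "security_group": "security_grp1"},
    {"ip": "192.168.1.23", "user": "test3", "state": "Disconnected", "security_group": "security_grp1"},
]

# FortiGate output as shown in the guide; in practice capture it over SSH.
SAMPLE_FSSO_LIST = """\
----FSSO logons----
IP: 192.168.1.19 User: test2 Groups: px_fc1_security_grp1 Workstation: MemberOf: fscs1
IP: 192.168.1.20 User: test2 Groups: px_fc1_security_grp1 Workstation: MemberOf: fscs1
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

if __name__ == "__main__":
    issues = reconcile(expected_logons(SAMPLE_EVENTS), parse_fsso_list(SAMPLE_FSSO_LIST))
    print("in sync" if not issues else "\n".join(issues))
```

Of the six constructed events, only the two "Started" sessions with a Security Group survive (the "Authenticated" session, the session with a null Security Group, and the session that later reports "Disconnected" are dropped), which is exactly the two logons in the sample output, so the script reports "in sync". Replacing SAMPLE_FSSO_LIST with output captured from a FortiGate turns this into a quick check that a stale or missing logon on the firewall is noticed rather than silently allowing or denying traffic for the wrong user.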
