Increase the number of supported dynamic FSSO IP addresses
Increase the number of supported dynamic FSSO IP addresses from 100 to 3000 per dynamic FSSO group. Dynamic FSSO addresses can also be pointed to FortiManager's Universal Connector, which imports the addresses from Cisco ACI or Guardicore Centra.
For more information about the FortiManager Universal Connector, see Universal Connector MEA, Cisco ACI Fabric connectors, and Using the imported EPGs in the FortiManager documentation.
Example
In this example, FSSO user logon events are used to populate a dynamic FSSO address object (fsso-dyn-37).
To configure the FSSO dynamic address object:
1. From the diagnostics, collect the list of FSSO dynamic addresses:

    # diagnose debug authd fsso show-address
    FSSO Dynamic Addresses(master=1):
    ad-fsso-1, ref 1
        ADGRP: FORTINET-FSSO/GROUP1
        ADDR(LI): 10.1.100.188
    fsso-dyn-1, ref 1
        ADGRP: CN=FSSOB20,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM
        ADDR(LI): 10.0.0.2
        ADDR(LI): 10.0.0.3
        ADDR(LI): 10.0.0.4
        ...
        ADDR(LI): 10.0.179.175
        ADDR(LI): 10.0.179.176
        ADDR(LI): 10.0.179.177
    fsso-dyn-18, ref 1
        ADGRP: CN=FSSOB37,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM
        ADDR(LI): 10.0.203.34
        ADDR(LI): 10.0.203.35
        ADDR(LI): 10.0.203.36
        ...
        ADDR(LI): 10.0.214.214
        ADDR(LI): 10.0.214.215
        ADDR(LI): 10.0.214.216
    fsso-dyn-19, ref 1
        ADGRP: CN=FSSOB36,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM
        ADDR(LI): 10.0.191.106

    The range of the CN=FSSOB37,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM group is 10.0.203.34 to 10.0.214.216.

2. Create the dynamic address object:

    config firewall address
        edit "fsso-dyn-37"
            set type dynamic
            set sub-type fsso
            set fsso-group "CN=FSSOB37,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM"
        next
    end

3. Add the dynamic address object to a firewall policy:

    config firewall policy
        edit 3
            set name "pol1"
            set srcintf "port10"
            set dstintf "port9"
            set action accept
            set srcaddr "ad-fsso-1" "fsso-dyn-37"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "default"
            set logtraffic all
            set nat enable
            set groups "ad-fsso-grp1"
        next
    end

4. Verify the policy traffic:

    # diagnose firewall iprope list 100004
    policy index=3 uuid_idx=561 action=accept
    flag (8052129): log redir auth nat nids_raw master use_src pol_stats
    flag2 (6004): fsso log_fail resolve_sso
    flag3 (b0): !sp link-local best-route
    schedule(always)
    cos_fwd=255 cos_rev=255
    group=00100004 av=00004e20 au=00000003 split=00000000
    host=0 chk_client_info=0x1 app_list=0 ips_view=1
    misc=0
    zone(1): 18 -> zone(1): 17
    dest(1): 0.0.0.0-255.255.255.255, uuid_idx=542,
    source dynamic address (2):
        uuid_idx=582 fsso-dyn-37 ID(37) RANGE(10.0.203.34-10.0.214.216)
        uuid_idx=548 ad-fsso-1 ID(237) ADDR(10.1.100.188)
    user group(1): 2
    service(1):
        [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
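As an added operational check (not part of the FortiOS documentation or the product), the following Python parses output in the format shown in step 1, derives each dynamic address object's member count and lowest-to-highest range (the RANGE value that the iprope output in step 4 prints), and flags any object whose membership exceeds the 3000-address limit described on this page. The sample output embedded below is constructed, with only a few addresses per object.

```python
import ipaddress
import re

# Constructed sample modelled on the `diagnose debug authd fsso show-address`
# output above (a real object may hold up to 3000 addresses).
SAMPLE_OUTPUT = """\
FSSO Dynamic Addresses(master=1):
ad-fsso-1, ref 1
  ADGRP: FORTINET-FSSO/GROUP1
  ADDR(LI): 10.1.100.188
fsso-dyn-37, ref 1
  ADGRP: CN=FSSOB37,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM
  ADDR(LI): 10.0.203.34
  ADDR(LI): 10.0.203.35
  ADDR(LI): 10.0.214.216
"""

MAX_ADDRS_PER_GROUP = 3000  # per-group limit stated on this page

OBJ_RE = re.compile(r"^(\S+), ref \d+$")            # "fsso-dyn-37, ref 1"
GRP_RE = re.compile(r"^\s*ADGRP:\s*(.+?)\s*$")      # "  ADGRP: CN=..."
IP_RE = re.compile(r"^\s*ADDR\(LI\):\s*(\S+)\s*$")  # "  ADDR(LI): 10.0.203.34"

def parse_fsso_addresses(text):
    """Map each dynamic address object to its FSSO group and member IPs."""
    objects, current = {}, None
    for line in text.splitlines():  # header and "..." lines match nothing
        if m := OBJ_RE.match(line):
            current = objects.setdefault(m.group(1), {"group": None, "addrs": []})
        elif (m := GRP_RE.match(line)) and current is not None:
            current["group"] = m.group(1)
        elif (m := IP_RE.match(line)) and current is not None:
            current["addrs"].append(ipaddress.ip_address(m.group(1)))
    return objects

def summarize(objects, limit=MAX_ADDRS_PER_GROUP):
    """Per object: count, lowest/highest IP (iprope's RANGE) and limit check."""
    summary = {}
    for name, info in objects.items():
        addrs = sorted(info["addrs"])  # IPv4Address sorts numerically
        summary[name] = {"group": info["group"], "count": len(addrs),
                         "range": (str(addrs[0]), str(addrs[-1])) if addrs else None,
                         "within_limit": len(addrs) <= limit}
    return summary

if __name__ == "__main__":
    for name, s in summarize(parse_fsso_addresses(SAMPLE_OUTPUT)).items():
        print(name, s)
```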