Increase the number of supported dynamic FSSO IP addresses

Increase the number of supported dynamic FSSO IP addresses from 100 to 3000 per dynamic FSSO group. The dynamic FSSO type addresses can be pointed to FortiManager's Universal Connector, which imports the addresses from Cisco ACI or Guardicore Centra.

Note

For more information about the FortiManager Universal Connector, see Universal Connector MEA, Cisco ACI Fabric connectors, and Using the imported EPGs in the FortiManager documentation.

Example

In this example, FSSO user logon events are used to populate a dynamic FSSO address object (fsso-dyn-37).

To configure the FSSO dynamic address object:
  1. From the diagnostics, collect the list of FSSO dynamic addresses:

    # diagnose debug authd fsso show-address 
    
    FSSO Dynamic Addresses(master=1):
    ad-fsso-1, ref 1
    ADGRP: FORTINET-FSSO/GROUP1
    ADDR(LI): 10.1.100.188
    fsso-dyn-1, ref 1
    ADGRP: CN=FSSOB20,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM
    ADDR(LI): 10.0.0.2
    ADDR(LI): 10.0.0.3
    ADDR(LI): 10.0.0.4
    ...
    ADDR(LI): 10.0.179.175
    ADDR(LI): 10.0.179.176
    ADDR(LI): 10.0.179.177
    fsso-dyn-18, ref 1
    ADGRP: CN=FSSOB37,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM
    ADDR(LI): 10.0.203.34
    ADDR(LI): 10.0.203.35
    ADDR(LI): 10.0.203.36
    ...
    ADDR(LI): 10.0.214.214
    ADDR(LI): 10.0.214.215
    ADDR(LI): 10.0.214.216
    fsso-dyn-19, ref 1
    ADGRP: CN=FSSOB36,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM
    ADDR(LI): 10.0.191.106

    The range of the CN=FSSOB37,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM group is 10.0.203.34 to 10.0.214.216.

  2. Create the dynamic address object:

    config firewall address
        edit "fsso-dyn-37"
            set type dynamic
            set sub-type fsso
            set fsso-group "CN=FSSOB37,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM"
        next
    end
  3. Add the dynamic address object to a firewall policy:

    config firewall policy
        edit 3
            set name "pol1"
            set srcintf "port10"
            set dstintf "port9"
            set action accept
            set srcaddr "ad-fsso-1" "fsso-dyn-37"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "default"
            set logtraffic all
            set nat enable
            set groups "ad-fsso-grp1"
        next
    end
  4. Verify the policy traffic:

    # diagnose firewall iprope list 100004
    policy index=3 uuid_idx=561 action=accept
    flag (8052129): log redir auth nat nids_raw master use_src pol_stats
    flag2 (6004): fsso log_fail resolve_sso
    flag3 (b0): !sp link-local best-route
    schedule(always)
    cos_fwd=255  cos_rev=255
    group=00100004 av=00004e20 au=00000003 split=00000000
    host=0 chk_client_info=0x1 app_list=0 ips_view=1
    misc=0
    zone(1): 18 -> zone(1): 17
    dest(1): 0.0.0.0-255.255.255.255, uuid_idx=542,
    source dynamic address (2):  uuid_idx=582
            fsso-dyn-37 ID(37)               
            RANGE(10.0.203.34-10.0.214.216)
     uuid_idx=548
            ad-fsso-1 ID(237)              
            ADDR(10.1.100.188)   
    
    user group(1): 2
    service(1):
            [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
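As an added example (not part of the Fortinet documentation), the following Python script parses `diagnose debug authd fsso show-address` output in the format shown in step 1, groups the listed addresses per dynamic address object, derives the lowest-to-highest range the way step 1 does for the FSSOB37 group, and flags any object whose address count exceeds the 3000-per-group limit. The embedded sample output is a constructed, abridged excerpt.

```python
import ipaddress
import re

DYNAMIC_FSSO_LIMIT = 3000  # per dynamic FSSO group, the limit stated on this page

# Constructed, abridged sample in the format of `diagnose debug authd fsso show-address`.
SAMPLE = """\
FSSO Dynamic Addresses(master=1):
ad-fsso-1, ref 1
ADGRP: FORTINET-FSSO/GROUP1
ADDR(LI): 10.1.100.188
fsso-dyn-18, ref 1
ADGRP: CN=FSSOB37,OU=FSSO-BULK,DC=FORTINET-FSSO,DC=COM
ADDR(LI): 10.0.203.34
...
ADDR(LI): 10.0.214.216
"""


def parse_show_address(text):
    """Map each address object name to its ADGRP string and its list of addresses."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^(\S+), ref \d+$", line)  # e.g. "fsso-dyn-18, ref 1"
        if header:
            current = header.group(1)
            objects[current] = {"group": None, "addrs": []}
        elif current is None:
            continue  # banner or stray line before the first object header
        elif line.startswith("ADGRP:"):
            objects[current]["group"] = line.split(":", 1)[1].strip()
        elif line.startswith("ADDR(LI):"):
            objects[current]["addrs"].append(
                ipaddress.ip_address(line.split(":", 1)[1].strip()))
        # anything else ("..." elisions, blank lines) is skipped
    return objects


def summarize(objects):
    """Per object: address count, lowest-to-highest range, and limit check."""
    summary = {}
    for name, obj in objects.items():
        addrs = sorted(obj["addrs"])  # IPv4Address sorts numerically
        summary[name] = {
            "group": obj["group"],
            "count": len(addrs),
            "range": (str(addrs[0]), str(addrs[-1])) if addrs else None,
            "over_limit": len(addrs) > DYNAMIC_FSSO_LIMIT,
        }
    return summary
```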
