Fortinet Firewall FSSO configuration

From Notes_Wiki
Revision as of 08:16, 10 May 2021 by Saurabh (talk | contribs)


Fortinet Firewall FSSO configuration

To configure FSSO with a Fortinet firewall, so that firewall rules can be written based on the AD user logged in on a particular system rather than on the system's IP address, use:

  1. Go to support.fortinet.com and log in with the Fortinet firewall support login for your organization.
  2. Go to Download -> Firmware Images -> Fortigate -> <Fortigate version folder and subfolders> -> FSSO
  3. Download the "FSSO_Setup_<version>" setup file for 64-bit OS.
  4. Run the FSSO_Setup installation on the AD server (Primary Domain Controller or Additional Domain Controller):
    1. Between easy setup and advanced, choose advanced to allow the use of LDAP DNs.
    2. After the setup, the "DC_Agent" installation starts automatically.
    3. In the DC_Agent setup use the default local IP and port (e.g. 8002) shown by the wizard.
    4. Select the domains to be monitored, the list of users to be exempted and the list of servers where logon events should be monitored.
    5. Through the start menu open the "Fortinet Single Sign On Agent configuration" application.
    6. Click "Run as administrator" at the bottom left to run it as administrator.
    7. Click "Set Directory Access Information" and then click Advanced. Enter the domain administrator credentials with which the tool can talk to the domain controller.
    8. Under Authentication -> "Require authenticated connection from Fortigate", enter a password.
      Choose a simple password of 8-10 characters with limited or no special characters. The same password is entered on the firewall in step 6 below.
  5. In the Fortinet firewall go to "Users & Authentication" -> "LDAP Servers". Add the DC or ADC with the desired name, Port: 389, Common Name Identifier: sAMAccountName, Base DN: the base DN of the domain, Bind Type: Regular.
  6. In the Fortinet firewall go to "Security Fabric" -> "External Connectors". Add an external connector with the FSSO agent IP (the IP of the machine where the agent was installed), Password (the simple password configured for the FSSO agent on the DC server), User group source: "Local", LDAP Server: <server-configured-in-previous-step>, and select the desired users/groups to be synced as part of this external connector.
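The FortiOS CLI equivalent of steps 5 and 6, followed by an FSSO user group and a firewall policy that matches on that group instead of on a source IP. This is an added example, not part of the wiki page or of Fortinet's documentation; the object names, IP address 192.0.2.10, bind account, group DN, interface names and passwords are placeholders, the FSSO port is left at its default, and the `#` lines are annotations for the reader.

```text
# Step 5: LDAP server object the firewall uses to resolve group membership
# (Bind Type: Regular means a bind account and password are supplied)
config user ldap
    edit "AD-DC01"
        # placeholder: IP of the DC or ADC
        set server "192.0.2.10"
        set port 389
        set cnid "sAMAccountName"
        # placeholder: Base DN of the domain
        set dn "dc=example,dc=com"
        set type regular
        # placeholder: dedicated bind account for the firewall
        set username "cn=svc-fgt-ldap,ou=Service Accounts,dc=example,dc=com"
        set password "<ldap-bind-password>"
    next
end

# Step 6: external connector pointing at the FSSO agent installed on the DC
config user fsso
    edit "FSSO-AD-DC01"
        # placeholder: IP of the host where the FSSO agent was installed
        set server "192.0.2.10"
        # same value as "Require authenticated connection from Fortigate" on the agent
        set password "<fsso-agent-password>"
        # the LDAP object defined in step 5 (user group source: Local)
        set ldap-server "AD-DC01"
    next
end

# FSSO-type user group bound to an AD group DN (placeholder DN)
config user group
    edit "FSSO-Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=com"
    next
end

# Policy written against the AD group rather than against a source address;
# "edit 0" lets FortiOS assign the next free policy ID
config firewall policy
    edit 0
        set name "Finance-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FSSO-Finance"
        set service "ALL"
        set schedule "always"
        set action accept
        set nat enable
    next
end
```

Once applied, `diagnose debug authd fsso server-status` shows whether the connector to the agent is up, and `diagnose debug authd fsso list` lists the user-to-IP logon records the firewall has learned from the agent, which is the quickest way to confirm that a logged-in AD user will actually match the identity-based policy.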
