How does FSSO work in FortiGate?

FSSO, through agents installed on the network, monitors user logons and passes that information to the FortiGate unit. FSSO can also pass the information to FortiManager, which then passes it to a managed FortiGate.

What is FSSO on FortiGate?

Fortinet Single Sign-On (FSSO), formerly known as FortiGate Server Authentication Extension (FSAE), is the authentication protocol by which users can transparently authenticate to FortiGate, FortiAuthenticator, and FortiCache devices. Users can authenticate through a web portal and a set of embeddable widgets.

How do I create an FSSO group?

To create a user group for FSSO authentication – web-based manager:

  1. Go to User & Device > User > User Groups and select Create New.
  2. In the Name box, enter a name for the group, FSSO_Internet_users for example.
  3. In Type, select Fortinet Single Sign-On (FSSO).
  4. In Members, select the required FSSO groups.
  5. Select OK.

What is FSSO logon?

Fortinet Single Sign-On (FSSO) is the mechanism your N4L Managed FortiGate Firewall uses to transparently receive user identity information from login events against directory servers such as Microsoft Active Directory.

What is FSSO agent?

The FSSO Collector Agent (CA) sends Domain Local Security Group and Global Security Group information to FortiGate units. The CA communicates with the FortiGate over TCP port 8000, and it listens on UDP port 8002 for updates from the DC agents. The FortiGate unit can have up to five CAs configured for redundancy.

How do I download FSSO agent?

Upgrading FSSO Collector Agents.

  1. Download the installer from https://support.fortinet.com/Download/FirmwareImages.aspx by navigating to the FSSO folder under the FortiOS version that is running on the FortiGate that communicates with the Collector Agent(s) to be upgraded.
  2. Execute the installer.

How do you test FSSO?

Testing FSSO

  1. Log on to one of the stations on the FSSO domain, and access an Internet resource.
  2. Connect to the CLI of the FortiGate unit, and if possible log the output.
  3. Enter the following command: diagnose debug authd fsso list
  4. Check the output.
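One way to check the logged output of diagnose debug authd fsso list for the test station, as an added example that is not part of the original page or Fortinet's own tooling. The sample output is constructed, the line layout is an assumption that can differ between FortiOS versions, and the function names are hypothetical.

```python
import re

# Constructed sample of logged CLI output. The "IP: .. User: .. Groups: ..
# Workstation: .. MemberOf: .." layout is an assumption; adjust FIELDS if
# your FortiOS version prints different labels.
SAMPLE_OUTPUT = """\
----FSSO logons----
IP: 10.1.100.21  User: JSMITH  Groups: CN=INTERNET_USERS,OU=GROUPS,DC=EXAMPLE,DC=COM  Workstation: PC21.EXAMPLE.COM MemberOf: FSSO_Internet_users
IP: 10.1.100.35  User: ADOE  Groups: CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=COM  Workstation: PC35.EXAMPLE.COM
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

FIELDS = ("IP", "User", "Groups", "Workstation", "MemberOf")
# Split on the field labels so values containing spaces or commas survive.
LABEL_RE = re.compile(r"\b(%s):\s*" % "|".join(FIELDS))


def parse_fsso_list(text):
    """Return one dict per logon line, keyed by field label."""
    logons = []
    for line in text.splitlines():
        if not line.startswith("IP:"):
            continue  # skip the banners and the summary line
        parts = LABEL_RE.split(line)[1:]  # [label, value, label, value, ...]
        logons.append(dict(zip(parts[0::2], (v.strip() for v in parts[1::2]))))
    return logons


def check_station(text, station_ip, expected_user, fortigate_group):
    """Return a list of problems for the test station; empty means it passed."""
    matches = [e for e in parse_fsso_list(text) if e.get("IP") == station_ip]
    if not matches:
        return ["no FSSO logon recorded for %s" % station_ip]
    entry, problems = matches[0], []
    if entry.get("User", "").lower() != expected_user.lower():
        problems.append("%s maps to user %r, expected %r"
                        % (station_ip, entry.get("User"), expected_user))
    # MemberOf lists the FortiGate FSSO user groups the logon was matched to.
    if fortigate_group not in entry.get("MemberOf", "").split():
        problems.append("%s is not matched to FortiGate group %s"
                        % (station_ip, fortigate_group))
    return problems


if __name__ == "__main__":
    for ip, user in (("10.1.100.21", "jsmith"), ("10.1.100.35", "adoe")):
        print(ip, check_station(SAMPLE_OUTPUT, ip, user, "FSSO_Internet_users") or "OK")
```

A logon that appears with the right user but no matching FortiGate group usually means the FSSO user group or the group filter is missing the directory group, so firewall policies that reference the group will not match that station.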

How does FortiGate connect to Active Directory?

Create the FSSO collector that updates the AD user groups list

  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New.
  3. In the SSO/Identity section, click Fortinet Single Sign-On Agent.
  4. Fill in the Name.
  5. Set the Primary FSSO Agent to the IP address of the FSSO Collector Agent, and enter its password.

How do I upgrade my FSSO agent?

What is Fortinet collector agent?

In DC Agent mode, a Fortinet authentication agent is installed on each domain controller. These DC agents monitor user logon events and send the information to the collector agent, which stores the information and sends it to the FortiGate.

How do I download FortiGate FSSO agent?

How is FSSO used in FortiGate and FortiCache?

FSSO is a set of methods to transparently authenticate users to FortiGate and FortiCache devices. This means that the FortiAuthenticator unit is trusting the implicit authentication of a different system, and using that to identify the user. FortiAuthenticator takes this framework and enhances it with several authentication methods:

How to create a user group in FortiGate?

You must create FortiGate user groups of the FSSO type and add Windows or Novell groups to them. Go to User & Device > User Groups. Select Create New. The New User Group dialog box opens. In the Name box, enter a name for the group, FSSO_Internet_users for example. In Type, select Fortinet Single Sign-On (FSSO). Select OK.

Why does FortiGate FSSO and LDAP not connect to VPN?

The VPN was up and working great, but FSSO and LDAP would not connect to servers on the other side of the VPN for lookups. This made sense because I knew the FortiGate was using its outside (Public) IP for lookups and obviously that was not in my Phase 2 subnets to encrypt.

How do I install FSSO on my server?

To install FSSO, you must obtain the FSSO_Setup file from the Fortinet Support web site. This is available as either an executable (.exe) or a Microsoft Installer (.msi) file. Then you follow these two installation procedures on the server that will run the Collector agent. This can be any server or domain controller that is part of your network.

https://www.youtube.com/watch?v=yoyfSq_O49Y