/marink.me 
In my previous post↪, we discussed and set up the network topology using GNS3. This time, we’ll get into configuring Fortinet Single Sign-On (FSSO) for better network security and user authentication.
Introduction to Fortinet Single Sign-On (FSSO)
Fortinet Single Sign-On (FSSO) is a authentication solution that allows users to log in once and gain access to multiple systems without needing to re-enter credentials. This authentication process booosts security and user experience by integrating with various authentication systems such as Windows Active Directory (AD), Citrix, VMware Horizon, Novell eDirectory, and Microsoft Exchange.
FSSO works by monitoring user logon events and passing this information to the FortiGate device. When a user logs on to a workstation within a monitored domain, FSSO detects the logon event, resolves the workstation name to an IP address, determines the user groups the user belongs to, and sends this information to the FortiGate unit. This allows the FortiGate to apply appropriate security policies based on the user’s group membership.
Step-by-Step Setup of FSSO
Step 1: Understand Your Network Layout
Before starting the configuration, it’s important to understand your network. Since the last lab, I updated the topology to fit the FSSO functionality.
- FortiGate-SB Firewall
- Windows-VM-2 User: IP address 192.168.152.10/24.
- DC Server: IP address 192.168.5.10/24.
New additon is added to the Široki Brijeg Poslovnica. A Windows 2019 Server Datacenter that will be our Domain Controller for the Široki Brijeg Active Directory.
Important
Before any FSSO setup, make sure Active Directory is installed and configured, DC set as the Domain Controller and WindowsVM-2 added to the domain.
Create a test OU, group and users.
Make sure the Firewall is turned off on the DC server as to not block FSSO traffic.
Warning
Don’t forget to edit the FortiGate policies so that DC and WIN machine can communicate. We covered that in the last lab.
Step 2: Install the FSSO Collector Agent
To download the installer, you need to have a registered fortinet account. Once logged in to support.fortinet.com, select Support -> Firmware Download ->Select Product, and select FortiGate -> Download.
Complete the Fortinet SSO Collector Agent Setup Wizard:
Step 3: Configure the Collector Agent:
Once installed, navigate to the Fortinet Single Sign On Agent Configuration:
Make sure the it shows RUNNING and set up a password that will match the one on FortiGate. The 8000 and 8002 ports are default UDP ports for FSSO.
Log in to the FortiGate GUI and navigate to Security Fabric -> External Connectors -> Add new.
Primary FSSO agent ip address should be that of our DC server, and the password the same one we set in the FSSO Configuration window.
After clicking Save & Apply, you should see the FortiGate automatically added the group filters, and in DC the Status displays our Connected FortiGate.
By following these detailed steps, you can ensure that the FSSO Collector Agent is properly configured to monitor user logon events and communicate effectively with your FortiGate device.
If you encounter any issues, refer to the logs and diagnostic tools for further troubleshooting, or check this post for potential fixes.
Testing FSSO
To ensure that Fortinet Single Sign-On (FSSO) is functioning correctly, you can try logging with the test users accounts we created earlier and use the command
diagnose debug authd fsso liston the FortiGate CLI to display the current logon sessions and verify that the user information is correctly mapped.
To further validate, create a firewall policy that applies to the user group authenticated via FSSO and attempt to access resources governed by this policy. Monitor the logs to ensure that access is granted or denied as expected based on the user’s group membership. These steps will help confirm that FSSO is accurately capturing and utilizing user authentication data.