Fortigate Directory Services Authentication

The Fortinet FortiGate firewall can integrate with Microsoft Active Directory so that firewall policies are applied per user and per AD group rather than per IP address.

It can use the following methods:

I. Fortigate FSAE/FSSO

This feature provides transparent (single sign-on) authentication: users are identified by their domain logon and are never prompted by the firewall.

In older versions it is named Fortinet FSAE (Fortinet Server Authentication Extension); in newer versions it appears as Fortinet FSSO (Fortinet Single Sign-On).

Fortinet FSAE/FSSO is composed of the following two software components:

1. Domain Controller Agent

This component monitors user logon events. It is installed on each Domain Controller of the users' domain; the file is C:\Windows\System32\dcagent.dll

2. Collector Agent

This is the 'master' of the application. It collects the logon information gathered by the Domain Controller Agents and sends it to the FortiGate firewall.
It performs the following tasks:
a. Looks up the user's group membership in the domain
The collector agent queries Active Directory for the groups the logged-on user belongs to; this is the information the FortiGate later matches against its own user groups.
b. Resolves the workstation name to an IP address
It first tries a DNS lookup; if that fails it checks the local name cache, then the WINS server, then the hosts file, and so on.
To detect when a user logs off a PC, the collector agent polls the workstation's registry over TCP port 139 or 445, for which it needs read-only access to the remote registry of the client. By default it checks every 5 minutes whether the user is still logged on.
Workstations that cannot be looked up are handled by Dead Entry Removal, controlled by the "dead entry timeout", which defaults to 8 hours. If the collector agent cannot check whether the user has logged off, it waits for this timeout and then logs the user off automatically; until then the IP address remains mapped to that user.
c. Sends the IP address and group information to the FortiGate

II. Fortigate NTLM-based Authentication

This method removes the need to install the FSAE/FSSO DC agent on every Domain Controller. The FortiGate challenges the user's browser for NTLM credentials (the browser may supply them silently or prompt the user), and the credentials are then verified against the Domain Controller through the collector agent.

FSAE/FSSO General Hints

1. The following must be configured on each server that has a collector agent installed:
a. Windows Active Directory user groups
b. Collector agent settings, including the Domain Controllers to be monitored
c. Collector agent ignore user list
d. Collector agent FortiGate group filter for each FortiGate unit

2. Configuring FSAE/FSSO on the Fortinet firewall:
a. Specify a domain account (with credentials that do not expire) that the FortiGate uses to query the Windows Active Directory server. A dedicated service account with only the read rights it needs is preferable to a personal domain admin account.
b. Specify the servers that run the FSAE/FSSO collector agent
c. Add the Active Directory user groups to new or existing FortiGate user groups
d. Create firewall policies that reference those Active Directory user groups

3. IP Address Lookup
The collector agent performs periodic IP address lookups to detect any IP address change of a workstation while the user is still logged into the domain.
The "IP address change verify interval" has a default value of 60 seconds.

4. Configure Alternate User IP Address Tracking

In environments where user IP addresses change frequently, FSAE can be made to respond more quickly by modifying the collector agent's settings in the registry.

5. Workstation Lookup
This is what allows the FortiGate to detect a user logoff from a workstation.
Default (workstation verify interval) – 5 minutes
Disabled – the entry is only removed by the dead entry timeout, which defaults to 8 hours
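The three timers described above (workstation verification, IP address change verification and the dead entry timeout) decide how long an IP-to-user mapping survives on the FortiGate. The following model of the collector agent's logon table is an added example written for this article, not Fortinet code; the name resolver and the remote-registry poll are stand-ins implemented as plain dictionaries, and the workstation names, users, addresses and group DNs are constructed sample data.

```python
"""Model of how an FSAE/FSSO collector agent keeps its logon table current.

Added example for this article, not Fortinet code. It models the three
timers the article describes:
  * workstation verify interval (default 5 minutes): poll the workstation's
    registry over TCP 139/445; drop the entry if the user is no longer there;
  * IP address change verify interval (default 60 seconds): re-resolve the
    workstation name and re-key the entry if the address changed;
  * dead entry timeout (default 8 hours): drop entries whose workstation
    could not be polled for that long.
The resolver and the remote-registry poll are simulated with dictionaries
(an assumption of this model, not how the real agent talks to Windows).
"""
from dataclasses import dataclass

WORKSTATION_VERIFY_S = 5 * 60        # "Workstation verify interval"
IP_CHANGE_VERIFY_S = 60              # "IP address change verify interval"
DEAD_ENTRY_TIMEOUT_S = 8 * 60 * 60   # "Dead entry timeout interval"


@dataclass
class LogonEntry:
    user: str
    workstation: str
    ip: str
    groups: tuple
    last_verified: float    # last time a registry poll confirmed the logon
    last_ip_check: float    # last time the workstation name was re-resolved


class CollectorAgent:
    def __init__(self, resolver, registry, now=0.0):
        self.resolver = resolver    # workstation name -> IP (stands in for DNS/WINS/hosts)
        self.registry = registry    # workstation -> set of logged-on users; None = unreachable
        self.now = now
        self.table = {}             # ip -> LogonEntry; this is what the FortiGate receives

    def dc_logon(self, user, workstation, groups):
        """Event forwarded by the DC agent: `user` logged on at `workstation`."""
        ip = self.resolver.get(workstation)
        if ip is None:
            return None             # name cannot be resolved: nothing to send to the FortiGate
        self.table[ip] = LogonEntry(user, workstation, ip, tuple(groups), self.now, self.now)
        return ip

    def tick(self, seconds):
        """Advance the clock and run whichever periodic checks are due."""
        self.now += seconds
        for ip, e in list(self.table.items()):
            if self.now - e.last_ip_check >= IP_CHANGE_VERIFY_S:
                e.last_ip_check = self.now
                new_ip = self.resolver.get(e.workstation)
                if new_ip and new_ip != ip:
                    del self.table[ip]          # address changed: re-key the entry
                    e.ip = new_ip
                    self.table[new_ip] = e
                    ip = new_ip
            if self.now - e.last_verified >= WORKSTATION_VERIFY_S:
                users = self.registry.get(e.workstation)
                if users is None:
                    # Registry unreachable: keep the entry until the dead entry timeout.
                    if self.now - e.last_verified >= DEAD_ENTRY_TIMEOUT_S:
                        del self.table[ip]
                elif e.user in users:
                    e.last_verified = self.now  # still logged on
                else:
                    del self.table[ip]          # logged off: FortiGate is told at the next poll

    def fortigate_view(self):
        """IP -> (user, groups) mapping as the FortiGate would see it."""
        return {ip: (e.user, e.groups) for ip, e in self.table.items()}


if __name__ == "__main__":
    # Constructed sample environment: WS-BOB blocks SMB, so its registry cannot be read.
    resolver = {"WS-ALICE": "10.1.1.10", "WS-BOB": "10.1.1.20"}
    registry = {"WS-ALICE": {"alice"}, "WS-BOB": None}
    agent = CollectorAgent(resolver, registry)
    agent.dc_logon("alice", "WS-ALICE", ["CN=Staff,DC=example,DC=com"])
    agent.dc_logon("bob", "WS-BOB", ["CN=Admins,DC=example,DC=com"])
    registry["WS-ALICE"] = set()             # alice logs off
    agent.tick(5 * 60)
    print(agent.fortigate_view())            # alice is gone, bob is still mapped
    agent.tick(8 * 60 * 60)
    print(agent.fortigate_view())            # bob removed only by the dead entry timeout
```

The run shows the caveat worth remembering: a user who logs off a workstation the collector agent cannot poll (SMB blocked by a host firewall, a non-domain machine, a VPN client) stays mapped to that IP address, with that user's group permissions, for the full dead entry timeout, so whoever next receives that address inherits the access. Allow the collector agent's registry reads and, where addresses are reused quickly, shorten the dead entry timeout; disabling workstation verification only widens the window.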

If you have any comments or questions please do not hesitate to ask.

Have a great day,
Daniel

8 Responses to "Fortigate Directory Services Authentication"

  5. Mohamed says:

    Dear Daniel,
    thank you very much for this article, as I found it very helpful,

    but I have a problem: the FSSO logon expires every 5 min, so I changed the settings in the authentication tab to 500 min, but I didn't get any result and all FSSO users are not authenticated.

    If you have any solution, please provide it to me.

    Best Regards
    Mohamed Abdel Rahman

