LAB 05 Fortinet Single Sign-On Configuration

Fortigate Labs 7.4

Contents

Lab 5 Fortinet Single Sign-On Configuration
  Objectives
  Exercise 1: Configuring FortiGate for FSSO Authentication
    Review the FSSO Configuration on FortiGate
    Assign FSSO Users to a Firewall Policy
    Test FSSO
    To monitor communication between the FSSO collector agent and FortiGate
    To display the FSSO logon events
    To monitor FSSO logon events

Lab 5 Fortinet Single Sign-On Configuration
In this lab, you will test user authentication using Fortinet Single Sign-On (FSSO). The lab uses a demo
environment in which a Python script on the Local-Client VM plays the role of the FSSO collector agent: it
listens on TCP port 8000, accepts the connection from FortiGate, and replays recorded logon events to it.
Therefore, you will not install a DC agent or a collector agent, and no domain controller sends logon events
from the Local-Client VM.

Objectives
• Review the FSSO configuration on FortiGate

• Test the transparent or automatic user identification by generating user logon events

• Monitor the FSSO status and operation

Time to Complete

Estimated: 35 minutes

LAB-5 > Fortinet Single Sign-On Configuration

Exercise 1: Configuring FortiGate for FSSO Authentication
In this exercise, you will configure FortiGate for FSSO and test user authentication. The lab uses a demo
environment in which a Python script on the Local-Client VM emulates the FSSO collector agent and replays
recorded logon events to FortiGate. Therefore, you will not configure a DC agent to send logon events from
the Local-Client VM.

In a real-world environment, FortiGate identifies users from the logon events that an FSSO collector agent
gathers from your domain controllers, so you must install and configure a collector agent (fed either by DC
agents on the domain controllers or by agentless polling of them). FSSO agents are available on the Fortinet
Support website (http://support.fortinet.com).

Once FortiGate is connected to the collector agent, you add the Active Directory groups that it learns from
the agent to a FortiGate user group of type FSSO, and then add that user group as a source on a firewall
policy.

Finally, you can verify the user logon events that FortiGate receives. An event is generated when a user
logs in to the Windows Active Directory domain, so no firewall authentication (no captive portal prompt) is
required.

Review the FSSO Configuration on FortiGate


You will review the FSSO configuration and FSSO user groups on FortiGate. FSSO allows FortiGate to
automatically identify the users who connect using SSO. Then, you will add FSSO user groups to the firewall
policies.

To review the FSSO server and FSSO user group configuration on FortiGate
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.

2. Click Security Fabric > External Connectors.

3. Select TrainingDomain, and then click Edit.

4. In the upper-right corner, review the Endpoint/Identity status, and see that the status
is Disconnected.

5. Leave the browser window open.

To run a script to simulate a user logon event
1. On the Local-Client VM, open a terminal window, and then enter the following commands to simulate a
user logon event:

cd Desktop/FSSO/

python2 fssoreplay.py -l 8000 -f sample.log

2. Keep the terminal window open.

The script continues to run in the background.

To review the FSSO connection and FSSO user groups


1. Continuing in the TrainingDomain window, click Apply & Refresh.

2. Select TrainingDomain, and then click Edit.

3. In the Users/Groups field, click View.

The TRAININGAD/AD-USERS monitored group is displayed.

4. Click X to close the Collector Agent Group Filters window.

5. Click OK.

A green up arrow confirms that the communication with the FSSO collector agent is up.

To assign the FSSO group to a FortiGate user group
1. Continuing on the Local-FortiGate GUI, click User & Authentication > User Groups.

2. Click Create New, and then configure the following settings:

   Field     Value
   Name      Training
   Type      Fortinet Single Sign-On (FSSO)
   Members   TRAININGAD/AD-USERS

   The TRAININGAD/AD-USERS group is offered automatically because the group type is FSSO: FortiGate lists
   the groups it learned from the collector agent.

3. Click OK.

Assign FSSO Users to a Firewall Policy
You will assign your FSSO user group as a source in a firewall policy. This allows you to control access to
network resources based on user identity.

To test the connection without assigning the FSSO user group to a firewall policy
1. On the Local-Client VM, open a new browser, and then go to https://www.fortinet.com.

   The site loads. The Full_Access policy currently matches on the LOCAL_SUBNET address only, so every host
   in that subnet is allowed regardless of who is logged on.

To add the FSSO user group to your firewall policy


1. Return to the browser where you are logged in to the Local-FortiGate GUI, and then click Policy &
Objects > Firewall Policy.

2. Edit the Full_Access firewall policy.

3. In the Source field, click LOCAL_SUBNET.

4. In the Select Entries section, select User, and then add the Training group.

5. Click Close, and then click OK.

Test FSSO
When the collector agent reports a logon, FortiGate maps the user to the source IP address in that event and
evaluates identity-based firewall policies against that mapping; the user is never prompted by the firewall.
Keep in mind that the identification is only as good as the IP-to-user mapping: any host that later uses the
same address inherits that user's access until a logoff or a new logon event replaces the entry, so make sure
logoff detection works and do not rely on FSSO for addresses shared behind NAT or on terminal servers. You
will now test FSSO.

To test the connection after assigning the FSSO user to the firewall policy
1. On the Local-Client VM, open a new browser tab, and then go to http://support.fortinet.com.

The Python script that is running on the Local-Client VM is already sending user
logon events with the following information:

• user: aduser1

• IP: 10.0.1.10

In this case, the website loads successfully because aduser1 belongs to the
configured user group on a firewall policy.

To review the connection status between the FSSO collector agent and FortiGate
1. On the Local-FortiGate CLI, log in with the username admin and password password.

2. Enter the following commands to show the connection status between FortiGate and each collector
agent:

diagnose debug enable

diagnose debug authd fsso server-status

3. Observe the CLI output. Your FortiGate is connected to the FSSO collector agent:

   Server Name     Connection Status   Version           Address
   -----------     -----------------   -------           -------
   TrainingDomain  connected           FSAE server 1.1   10.0.1.10

To monitor communication between the FSSO collector agent and FortiGate
1. Continuing on the Local-FortiGate CLI (you are still logged in as admin), enter the following commands to
   enable authd debug output:

   diagnose debug enable

   diagnose debug application authd 8256

2. On the Local-Client VM, in the terminal window, press Ctrl+C to stop the script, and then enter the
   following command again to simulate a user logon event:

   python2 fssoreplay.py -l 8000 -f sample.log

3. View the output of the diagnose command:

   [_process_logon: 1079]: ADUSER1(10.0.1.10, 0) logged on from TrainingDomain.
   [_process_logon:1122di]: ADUSER1 (10.0.1.10, 0) from TrainingDomain exists
   fsae_io_ctx_process_msg[TrainingDomain]: received heartbeat 100004
   fsae_io_ctx_process_msg[TrainingDomain]: received heartbeat 100005

   You generated a logon event on the Local-Client VM using the script, and it was forwarded to FortiGate.
   The heartbeat lines show the collector agent connection staying alive between logon events.

4. Enter the following command to stop the debug process:

   diagnose debug reset
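The server-status table and the authd debug stream above are the two outputs you would scrape when monitoring FSSO from outside the GUI. The following Python 3 script is an added example for this lab, not part of the lab itself and not Fortinet's fssoreplay.py. It parses both outputs (copied here as constructed sample strings, plus one extra constructed logon for ADUSER2 on the same IP) and reports collector status, missing or non-increasing heartbeats, logons from an unexpected collector, and two different users logging on from one IP address. The last check matters because FortiGate keys FSSO identity on IP, so a later logon from the same address replaces the earlier user for policy purposes. The regexes, function names and the expected-collector map are this example's own assumptions.

```python
"""Parse FortiGate FSSO diagnostics (server-status and authd debug) and sanity-check them.

Added example for this lab; the regexes and checks are assumptions, not FortiOS code.
"""
import re
from collections import defaultdict

# Constructed sample: the `diagnose debug authd fsso server-status` output shown in this lab.
SERVER_STATUS = """\
Server Name Connection Status Version Address
----------- ----------------- ------- -------
TrainingDomain connected FSAE server 1.1 10.0.1.10
"""

# Constructed sample of the `diagnose debug application authd 8256` stream. The ADUSER1
# lines and heartbeats follow the lab; the ADUSER2 logon on the same IP is added here
# to exercise the collision check.
AUTHD_DEBUG = """\
[_process_logon: 1079]: ADUSER1(10.0.1.10, 0) logged on from TrainingDomain.
[_process_logon:1122]: ADUSER1 (10.0.1.10, 0) from TrainingDomain exists
fsae_io_ctx_process_msg[TrainingDomain]: received heartbeat 100004
[_process_logon: 1079]: ADUSER2(10.0.1.10, 0) logged on from TrainingDomain.
fsae_io_ctx_process_msg[TrainingDomain]: received heartbeat 100005
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SERVER_RE = re.compile(
    rf"^(?P<name>\S+)\s+(?P<status>connected|disconnected)\s+(?P<version>.+?)\s+(?P<addr>{IPV4})\s*$"
)
LOGON_RE = re.compile(
    rf"\[_process_logon:\s*\d+\]:\s*(?P<user>\S+?)\s*\((?P<ip>{IPV4}),\s*\d+\)\s+logged on from\s+(?P<server>\S+?)\.?\s*$"
)
HEARTBEAT_RE = re.compile(r"fsae_io_ctx_process_msg\[(?P<server>[^\]]+)\]: received heartbeat (?P<seq>\d+)")


def parse_server_status(text):
    """Map collector name -> {status, version, addr}; the header and dashed lines are skipped."""
    servers = {}
    for line in text.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            servers[m["name"]] = {"status": m["status"], "version": m["version"].strip(), "addr": m["addr"]}
    return servers


def parse_authd_debug(text):
    """Return ([(user, ip, collector), ...] for 'logged on' lines, {collector: [heartbeat seq, ...]})."""
    logons, heartbeats = [], defaultdict(list)
    for line in text.splitlines():
        m = LOGON_RE.search(line)
        if m:
            logons.append((m["user"], m["ip"], m["server"]))
            continue
        m = HEARTBEAT_RE.search(line)
        if m:
            heartbeats[m["server"]].append(int(m["seq"]))
    return logons, dict(heartbeats)


def ip_collisions(logons):
    """IPs from which more than one distinct user logged on -> sorted list of those users."""
    by_ip = defaultdict(set)
    for user, ip, _ in logons:
        by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


def check_fsso(server_status_text, authd_text, expected_collectors):
    """Return a list of findings; an empty list means the diagnostics look as this lab expects.

    expected_collectors maps collector name -> address FortiGate should be connected to
    (for this lab: {"TrainingDomain": "10.0.1.10"}).
    """
    findings = []
    servers = parse_server_status(server_status_text)
    for name, addr in expected_collectors.items():
        s = servers.get(name)
        if s is None:
            findings.append(f"{name}: not listed by server-status")
        elif s["status"] != "connected":
            findings.append(f"{name}: status is {s['status']}")
        elif s["addr"] != addr:
            findings.append(f"{name}: collector address {s['addr']} != expected {addr}")

    logons, heartbeats = parse_authd_debug(authd_text)
    for name in expected_collectors:
        seqs = heartbeats.get(name, [])
        if not seqs:
            findings.append(f"{name}: no heartbeat seen in debug output")
        elif seqs != sorted(set(seqs)):
            findings.append(f"{name}: heartbeat sequence not strictly increasing: {seqs}")

    for user, ip, server in logons:
        if server not in expected_collectors:
            findings.append(f"logon {user}@{ip} came from unexpected collector {server}")

    # FortiGate keeps one identity per IP, so a later logon from the same address
    # replaces the earlier user for policy purposes: worth flagging, not just logging.
    for ip, users in ip_collisions(logons).items():
        findings.append(f"{ip}: multiple users logged on from one IP: {', '.join(users)}")
    return findings


if __name__ == "__main__":
    for finding in check_fsso(SERVER_STATUS, AUTHD_DEBUG, {"TrainingDomain": "10.0.1.10"}) or ["OK"]:
        print(finding)
```

On the lab's own output (ADUSER1 only) the check returns no findings; with the constructed ADUSER2 event it reports the shared 10.0.1.10 address. To use it against a real FortiGate, paste the two command outputs into the constants or read them from files captured over SSH.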

To display the FSSO logon events


1. Continuing on the Local-FortiGate CLI, enter the following command:

diagnose debug authd fsso list

2. Review the output, which lists the FSSO logons FortiGate currently holds, one entry per IP address:

   ----FSSO logons----
   IP:10.0.1.10 User: ADUSER1 Groups: TRAINING/AD-USERS Workstation: C7280677811.TRAININGAD.TRAINING.LAB MemberOf: Training TRAININGAD/AD-USERS
   Total number of logons listed: 1, filtered: 0
   ----end of FSSO logons----

To review the user event logs
1. Return to the browser where you are logged in to the Local-FortiGate GUI.

2. Click Log & Report > System Events, and then in the User Events widget, click the View Logs arrow.

3. Select a log, and then click Details to view more information about it.

To monitor FSSO logon events


1. Continuing on the Local-FortiGate GUI, click Dashboard > Assets & Identities, and then double-
click Firewall Users to expand it to full screen.

2. Click Show all FSSO Logons, and then click Refresh if the user's details don't appear.
