Fortinet Single Sign-On (FSSO)

What is FSSO 

• FSSO is Fortinet's version of Single Sign-on (SSO) which enables users to authenticate once and access all approved applications and services on a network without having to re-authenticate each time when accessing a new resource. 

• FSSO is able to leverage directory services such as the Windows Active Directory services. 

• FSSO is able to identify the following: 

  • User's ID 

  • User's IP address 

  • User's group membership 

FSSO flow 

• The authentication servers can be Windows Server with Active Directory. 

• The authentication server has the Fortinet Collector Agent installed on it. 

• The Collector Agent sends data to FortiGate using UDP port 8002. 

• The FortiGate sends information to the FortiAuthenticator. 

• Then, FortiGate either allow or deny a user access to the network or resource. 

FSSO Deployment 

• Domain Control (DC) agent mode or polling mode for Microsoft Active Directory. 

• The polling mode operates in: 

  • Collector agent 

  • Agentless 

DC Agent Mode 

• This is the recommended mode when using FSSO with Active Directory. 

• Requires 1 DC Agent (dcagent.dll) installed on each Windows Domain Controller in the Windows/system32 directory. 

• The DC Agent is responsible for monitoring user login events which are then sent to the Collector Agents. 

• The DC Agent also handles DNS lookups 

• Install one or more Collector Agents on Windows Server, this checks for: 

  • Group validation 

  • Workstation checks 

  • Updates of logins records 

  • Sends domain local security groups, Organizational Units (OUs), and global security information to the FortiGate. 

DC Agent process 

1. The user authenticates on the Windows Domain via the Domain Controller. 

2. The DC Agent sees the login events and forwards the information to the Collector Agent via TCP 8002.  

3. The Collector Agent forwards the login events to the FortiGate via port TCP 8000. 

4. The FortiGate identifies the user based on their IP address, therefore the users will not need to re-authenticate. 

Collector Agent-based Polling mode 

• When a collector agent is installed on a Windows Server, no FSSO DC Agent is required. 

• The Collector Agent polls each DC for user login events. 

• The Collector Agent operates on SMB TCP 445 by default, but uses TCP 135, TCP 139 and UDP 137 has a fall back if the default port is not operational. 

• Using polling mode reduces the installation complexity process. 

Collector Agent-based Polling Mode Process 

1. The user authenticates to the Windows Domain via the Domain Controller (without the DC Agent installed). 

2. The Collector Agent frequently polls the Domain Controllers to collect user login events. 

3. The Collector Agent then forwards logins to FortiGate. 

Agentless Polling Mode 

• Does not scale easily as agent-based mode. 

• This mode does not require an external DC Agent or Collector Agent, therefore FortiGate collects the user login events directly. 

• For this to work, event logging is required on the Domain Controllers. 

• This polling method uses more CPU and RAM on the FortiGate device. 

• Unlike agent-based polling, this mode supports less features. 

• The FortiGate does not poll workstation. 

Agentless Poll Process 

1. The FortiGate appliance uses TCP 445 to poll the Domain Controller for user login events. 

2. The user authenticates to the Domain Controller on the network. At this time, FortiGate is able to identify login events in the next poll interval. 

Configuring FSSO 

1. On FortiGate, go to Security Fabric > External Connectors > Select the endpoint (FSSO Agent on Windows AD) > Set the Connector Settings. 

2. Next, if the Collector Agent-based or DC Agent installed, select Collector Agent > set an the IP address and password for each Collector Agent. 

3. Download the FSSO Agents from https://support.fortinet.com > Download > Firmware Images > download the DC agent > select FortiGate > Download. Match the DC agent version with the collector agent version. 

4. Start the installation of the FSSO Collector Agent process: 

   1. Run the installation as Administrator 

   2. Enter the admin account using: Domain\Username 

   3. Configure the Collector Agent for: Monitoring login events, NTLM authentication and Directory Access. 

5. DC Agent Installation: 

   1. Set the IP and port for the collector agent 

   2. Set the Domains to monitor 

   3. Remove users you do not want to monitor 

   4. Select the domain controllers to install the DC Agent 

   5. Select the Polling Mode 

   6. Add service accounts to the Ignore User List 

   7. Set the Directory Access Information modes: Standard (uses Domain\groups) or Advanced (uses LDAP format CN=user, OU=Team, DC=local). Advanced more supports nested groups. 

Troubleshooting 

• Ensure the FortiGate appliance allows the FSSO port numbers: 

  • 139 – NetBIOS 

  • 445 – SMB 

  • 389 – LDAP 

  • 636 – LDAPS 

  • 3268, 3269 – TLS 

• Ensure DNS is configured on the network. 

• Verify currently logged-on users: diagnose debug authd fsso list command or go to Dashboard > Users & Devices > Firewall Users > click on Show All FSSO Logons. 

• Check connection to FortiGate using the following commands:  

  • diagnose debug enable 

  • diagnose debug authd fsso <filter, list, refresh-groups, summary, clear-logins, refresh-logins, server-status> 

  • diagnose firewall auth <clear, filter, list>