017 Fsso


Course 301 - Secured Network Deployment and IPSec VPN Fortinet Single Sign On (FSSO)

Fortinet Single Sign On


Module 17

© 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C

Module Objectives

• By the end of this module participants will be able to:
» Describe how domain login credentials can be used to authenticate users to the FortiGate device
» Configure Fortinet Single Sign On (FSSO)

01-50000-0301-20130215-C

Directory Services Authentication

[Diagram: user Kelly Miller logs on to the Directory Services Server (Windows Active Directory or Novell eDirectory); the authentication information is passed on to the FortiGate unit]

• User authenticates to Directory Services at logon
» Windows Active Directory
» Novell eDirectory
• Authentication information is passed to the FortiGate unit
» User automatically gets access to permitted resources – no further authentication
• Requires successful login to domain to work


Fortinet Single Sign On

[Diagram: FSSO on the Windows Server, watching the Windows Domain Controller]
FSSO:
» Detects logon event
» Records workstation name, domain and user
» Resolves workstation name to IP address
» Determines groups user belongs to
» Sends logon information to the FortiGate unit
» Creates a log entry on the FortiGate unit

• FSSO monitors user logins to each workstation and passes information to FortiGate unit
• When user tries to access a network resource, the FortiGate unit selects appropriate firewall policy (User must belong to a permitted user group associated with that policy)

FSSO Process Flow

[Diagram: domain controllers trainingAD.training.lab (Collector Agent & DC Agent installed) and trainingAD2.training.lab (DC agent install), User1 and User2, and the FortiGate unit]

1. Logon to trainingAD.training.lab / trainingAD2.training.lab (User1, User2)
3. Collector agent looks up user/user group using domain name/user name; resolves workstation name to IP address using remote registry check
5. If authenticated and in an allowed user/group, client traffic allowed through firewall policy
6. Workstation check:
• Remote registry check to detect IP changes
• Connect to TCP 139/445 (if fails, change the state to unknown)
• Open registry; if fails, set state to unknown
• Check for user hive in registry; set state to USER LOGON or USER LOGOFF


Comparing AD Access Modes

Standard Access Mode

• Configuration on user group level
• Cannot configure specific user for FSAE authentication
• Protection profile applied to user group

Advanced Access Mode (Recommended)

• Combination of user group or individual user (for example, User1)
• Flexibility to control FSAE authentication for users within same group
• Protection profile can be applied to individual user
• Must configure LDAP server on FortiGate unit to allow Active Directory Advanced Access Mode to work (it is not required for Standard Access Mode)
• LDAP search used on user or group information

Collector Agent Configuration

[Screenshot of the Collector Agent settings, with callouts:]
• Listening port for DC agent – default port UDP 8002
• Listen port for FortiGate unit – default is 8000
• Enable/disable NTLM authentication
• Monitor user logon events
• Enable authentication between FortiGate unit and collector agent


Collector Agent Configuration

[Screenshot of the Collector Agent settings, with callouts:]
• Specify the log file size limit – if full, a new log will be generated
• Create logon event separately
• AD Access Mode: Standard mode / Advanced Mode


Fortinet Single Sign On Components

[Diagram: FSSO Collector Agent on a Windows Server and DC Agent on a Windows Domain Controller]

• Depending on the working mode chosen for monitoring user logon events, the following components may be installed:
» FSSO Collector Agent
» FSSO Domain Controller Agent
• Two possible working modes
» Domain Controller Agent mode
» Polling mode


Fortinet Single Sign On Domain Controller Agent Mode

[Diagram: the DC Agent on the Windows Domain Controller captures the user logon event and sends it to the Collector Agent on the Windows Server, which forwards it to the FortiGate unit]

• Domain Controller Agent is installed on each domain controller to monitor user logon events
• Collector Agent installed on Windows Server receives the logon event information from the DC Agent and forwards it to the FortiGate unit
• The FortiGate unit determines access based on the user's group membership and firewall policies for the destination


Fortinet Single Sign On Polling Mode

[Diagram: the Collector Agent on the Windows Server polls the Windows Domain Controller for user logon events]

• Polling mode does not require a Domain Controller Agent to be installed on each domain controller
• A Collector Agent installed on a Windows Server will poll the domain controller for user logon information every few seconds and forward it to the FortiGate unit
• Can also do polling direct from FortiGate unit without client install within network
• More CPU/Memory required than DC agent


Comparing DC Agent Mode to Polling Mode

Installation
  DC Agent Mode: Complex - multiple installations (one per DC), requires a reboot
  Polling Mode: Easy - one/no installation, no reboot required
Resources
  DC Agent Mode: Shares with DC system
  Polling Mode: Has own resources
Network Load
  DC Agent Mode: Each DC agent requires 64 kbps bandwidth, which adds to network load
  Polling Mode: Increasing polling period during busy times can reduce network load
Redundancy
  DC Agent Mode: Yes - no single point of failure
  Polling Mode: No - no backup systems
Level of Confidence
  DC Agent Mode: Guaranteed to capture all logons
  Polling Mode: Potential to miss a login if polling period is too high

Fortinet Single Sign On Using NTLM Authentication

[Diagram: NTLM negotiation between the client, the FortiGate unit and the Collector Agent on the Windows Server; user logon event from the Windows Domain Controller]

• Fortinet Single Sign On can also provide NTLM authentication
• The FortiGate unit will initiate an NTLM negotiation with the client browser
» The FortiGate unit forwards the NTLM packets to the Collector Agent for processing
• The FortiGate unit determines access based on the user's group membership and firewall policies for the destination

FSSO Troubleshooting

• Check connectivity between FSSO and the FortiGate unit
» On FortiGate unit run:
diagnose debug auth fsae server-status

Server Name Connection Status
----------- -----------------
training2003 connected
trainingAD_adv connected

» On FSAE collector agent run:
netstat -a -o -n

» Shows port 8000 sessions between FortiGate unit and FSSO
TCP 192.168.3.225:8000 192.168.3.254:5446 ESTABLISHED 1500
TCP 192.168.3.225:8000 192.168.3.254:5447 ESTABLISHED 1500


FSSO Troubleshooting

• To show FSSO logon user(s):
diag debug auth fsso list

FSSO Standard Mode output:

----FSSO logons----
IP: 192.168.3.1 User: ADMINISTRATOR Groups: TRAININGAD/DOMAIN USERS+TRAININGAD/USERS
IP: 192.168.3.168 User: USER1 Groups: TRAININGAD/STUDENTS+TRAININGAD/DOMAIN USERS+TRAININGAD/USERS
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
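As an added example (not Fortinet code and not part of the course), a Python helper that parses output in the format of the fsso list shown above and applies the rule the module states for FSSO policies: the source IP must map to a logon in a user group permitted by the policy. The sample output is constructed, and policy_decision is a hypothetical model of the FortiGate check, not its implementation.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "diag debug auth fsso list" output above.
# Group names may contain spaces (DOMAIN USERS) and are joined with "+", so
# splitting the Groups field on whitespace would be wrong.
SAMPLE_FSSO_LIST = """----FSSO logons----
IP: 192.168.3.1 User: ADMINISTRATOR Groups: TRAININGAD/DOMAIN USERS+TRAININGAD/USERS
IP: 192.168.3.168 User: USER1 Groups: TRAININGAD/STUDENTS+TRAININGAD/DOMAIN USERS+TRAININGAD/USERS
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

LOGON_RE = re.compile(r"^IP:\s+(\S+)\s+User:\s+(\S+)\s+Groups:\s*(.*)$")

@dataclass(frozen=True)
class FssoLogon:
    ip: str
    user: str
    groups: frozenset

def parse_fsso_logons(text):
    """Return {source_ip: FssoLogon} for every 'IP: ... User: ... Groups: ...' line."""
    logons = {}
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue  # banner, total and end-marker lines carry no logon
        ip, user, groups = m.groups()
        logons[ip] = FssoLogon(ip, user, frozenset(g.strip() for g in groups.split("+") if g.strip()))
    return logons

def policy_decision(logons, src_ip, allowed_groups):
    """Hypothetical model of the slide's rule: traffic from src_ip is accepted only
    if FSSO maps that IP to a logon whose groups intersect the policy's groups."""
    logon = logons.get(src_ip)
    if logon is None:
        return ("no-logon", None)  # IP unknown to FSSO: the user cannot be identified
    if logon.groups & set(allowed_groups):
        return ("accept", logon.user)
    return ("deny", logon.user)

def total_matches(text, logons):
    """Cross-check the 'Total number of logons listed' line against the parsed
    count; a mismatch means the capture was truncated or lines were wrapped."""
    m = re.search(r"Total number of logons listed:\s*(\d+)", text)
    return m is not None and int(m.group(1)) == len(logons)
```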

FSSO Troubleshooting

• Additional commands:
» diag debug auth fsso <parameter>

clear logon      clear logon information
list             list current logons
refresh-groups   refresh group mapping
refresh-logons   resync logon database
server-status    show FSSO server connection status
summary          summary of current logons

» diag firewall auth clear (clears ALL authenticated users)
» diag firewall auth filter (to filter by specific group, id, etc.)
» diag firewall auth list (to list authenticated users)


FSSO Troubleshooting

• diag fire auth list

policy id: 8, src: 192.168.3.168, action: accept, timeout: 34
user: USER1, group: TRAININGAD/STUDENTS
flag (100020): auth fsso, flag2 (40): exact
group id: 2, av group: 0
----- 1 listed, 0 filtered ------

Labs

• Lab 1: Fortinet Single Sign On
» Ex 1: Installing FSSO on the Windows Server
» Ex 2: Configuring FSSO on the FortiGate Unit
» Ex 3: Testing FSSO on Authentication


Classroom Lab Topology

[Diagram: classroom lab topology]
