017 Fsso
© 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C
Module Objectives
01-50000-0301-20130215-C
Course 301 - Secured Network Deployment and IPSec VPN Fortinet Single Sign On (FSSO)
[Figure: Directory Services Server (Windows Active Directory, Novell eDirectory); example logon shown as user Kelly Miller, password $d12*h1, domain classroom]
[Figure: FSSO logon flow. Windows Domain Controllers trainingAD.training.lab (DC agent install) and trainingAD2.training.lab; Collector Agent and DC Agent installed]
1. User1: Logon to trainingAD.training.lab
1. User2: Logon to trainingAD2.training.lab
5. If authenticated and in an allowed user/group, client traffic is allowed through the firewall policy
6. Workstation check:
• Remote registry check to detect IP changes
• Connect to TCP 139/445 (if this fails, change the state to unknown)
• Open the registry; if this fails, set the state to unknown
• Check for the user hive in the registry; set the state to USER LOGON or USER LOGOFF
• Monitor user logon events
• Enable authentication between the FortiGate unit and the collector agent
• Create logon event separately
AD Access Mode:
• Standard mode
• Advanced mode
[Figure: FSSO components. Collector Agent on a Windows Server; DC Agent on a Windows Domain Controller]
[Figure: User logon event captured by the DC Agent on the Windows Domain Controller and forwarded to the Collector Agent on the Windows Server]
[Figure: DC Agent on the Windows Domain Controller; user logon event]
• The FortiGate unit determines access based on the user’s group membership and the firewall policies for the destination
[Figure: Collector Agent on the Windows Server queries the Windows Domain Controller for the user logon event]
[Figure: NTLM negotiation. Collector Agent on the Windows Server queries the Windows Domain Controller; user logon event]
FSSO Troubleshooting
FSSO Troubleshooting
----FSSO logons----
IP: 192.168.3.1 User: ADMINISTRATOR Groups: TRAININGAD/DOMAIN USERS+TRAININGAD/USERS
IP: 192.168.3.168 User: USER1 Groups: TRAININGAD/STUDENTS+TRAININGAD/DOMAIN USERS+TRAININGAD/USERS
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
FSSO Troubleshooting
• Additional commands:
» diag debug auth fsso <parameter>
FSSO Troubleshooting
Labs