FortiGate
ESCHAN_FTNT
Staff
Article Id 189475

Description

Prior to v5.6, an explicit proxy policy with authentication was treated as an identity-based firewall policy, which differs from how IPv4/IPv6 firewall policies with authentication are handled. From FortiOS 5.6 onwards, explicit proxy policies are implemented like IPv4/IPv6 firewall policies, including the fall-through feature.

On firmware v5.4, v5.2 and v5.0, an explicit proxy policy requires the action to be set to authenticate, an individual authentication rule to be configured, and the authentication method (FSSO, NTLM, etc.) to be specified.
 
However, on firmware 5.6.0 onwards, the authentication method cannot be specified on the explicit proxy policy, and a user group added manually to the explicit proxy policy will not work on its own.


Solution

This article focuses on FSSO authentication on explicit proxy policies. Other authentication methods are configured in a similar manner. On firmware 5.6.0 onwards, authentication is separated from authorization (the explicit proxy firewall policy). On v5.6, authentication for explicit proxy can only be configured via the CLI, using the commands shown below:

config authentication scheme
    edit "FSSO"
        set method fsso
    next
end

config authentication setting
    set sso-auth-scheme "FSSO"
end

config authentication rule
    edit "FSSO_Rule"
        set srcaddr "all"
        set sso-auth-method "FSSO"
    next
end

The above configuration specifies FSSO as the authentication method for explicit proxy policies. Once the corresponding FSSO user group has been added to the explicit proxy policy, it will work as expected.

Connectivity can be verified as follows:

1000C # diagnose firewall auth list

10.125.0.82, ALLOW1
        type: fsso, id: 0, duration: 5, idled: 5
        server: FSSO
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 2
        group_name: FSSO_Allow
----- 1 listed, 0 filtered ------

1000C # diagnose wad user list
ALLOW1 10.125.0.82               id:7 VD: root, duration: 5
 auth_type=1 auth_method=5 pol_id=1 g_id=2 user_based=0 expire=-1
  LAN:
    bytes_in=15248 bytes_out=128139
  WAN:
    bytes_in=127419 bytes_out=11988

auth_method=5 indicates that authentication is based on FSSO.

It should be noted that both the firewall auth list and the wad user list must contain the logon information for the same user for it to work correctly.
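As an added example (not part of the original article), the following Python script applies that consistency check: it parses the output of `diagnose firewall auth list` and `diagnose wad user list`, correlates the entries by user and IP, and reports any user that is missing from one of the lists or whose WAD entry does not show auth_method=5 (FSSO). The sample input is the article's own output; the parser assumes the field layout shown there.

```python
import re

# Sample output taken from the article's two diagnose commands (used here as input).
FW_AUTH_LIST = """10.125.0.82, ALLOW1
        type: fsso, id: 0, duration: 5, idled: 5
        server: FSSO
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 2
        group_name: FSSO_Allow
----- 1 listed, 0 filtered ------"""
WAD_USER_LIST = """ALLOW1 10.125.0.82               id:7 VD: root, duration: 5
 auth_type=1 auth_method=5 pol_id=1 g_id=2 user_based=0 expire=-1
  LAN:
    bytes_in=15248 bytes_out=128139
  WAN:
    bytes_in=127419 bytes_out=11988"""
AUTH_METHOD_FSSO = 5  # per the article, auth_method=5 in the wad user list means FSSO

def parse_firewall_auth_list(text):
    # Map (ip, user) -> fields of one 'diagnose firewall auth list' entry.
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+),\s*(\S+)\s*$", line)
        if m:
            current = entries.setdefault((m.group(1), m.group(2)), {})
        elif current is not None and not line.startswith("-----"):
            for key, val in re.findall(r"(\w+):\s*([^,]+?)(?:,|$)", line.strip()):
                current[key] = val.strip()
    return entries

def parse_wad_user_list(text):
    # Map (ip, user) -> VDOM plus the numeric fields of one 'diagnose wad user list' entry.
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+id:(\d+)\s+VD:\s*(\S+),", line)
        if m:
            current = entries.setdefault((m.group(2), m.group(1)), {"vdom": m.group(4)})
        elif current is not None and "auth_method=" in line:
            current.update((k, int(v)) for k, v in re.findall(r"(\w+)=(-?\d+)", line))
    return entries

def check_fsso_explicit_proxy(fw_text, wad_text):
    # The article's condition: the same user must be present in both lists, the firewall
    # entry must be of type fsso, and the WAD entry must carry auth_method=5.
    fw, wad = parse_firewall_auth_list(fw_text), parse_wad_user_list(wad_text)
    findings = []
    for ip, user in sorted(set(fw) | set(wad)):
        who = f"{user}@{ip}"
        if (ip, user) not in fw:
            findings.append(f"{who}: in wad user list but missing from firewall auth list")
        elif (ip, user) not in wad:
            findings.append(f"{who}: in firewall auth list but missing from wad user list")
        elif fw[(ip, user)].get("type") != "fsso":
            findings.append(f"{who}: firewall auth type is {fw[(ip, user)].get('type')}, not fsso")
        elif wad[(ip, user)].get("auth_method") != AUTH_METHOD_FSSO:
            findings.append(f"{who}: wad auth_method={wad[(ip, user)].get('auth_method')}, not FSSO (5)")
    return not findings, findings
```

Paste the live output of both commands in place of the sample strings; an empty findings list means the user is authenticated consistently via FSSO on both sides.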