Created on 02-23-2020 11:53 PM Edited on 06-02-2022 09:51 AM By Anonymous
Description
This article describes a subtype for dynamic firewall address objects called Fortinet Single Sign-On (FSSO).
It can be used in all policies that support dynamic address types.
The FSSO dynamic address subtype can be used with FSSO group information being forwarded by ClearPass Policy Manager (CPPM) via FortiManager.
The FortiGate updates the dynamic address used in firewall policies based on the source IP information of authenticated FSSO users.
Scope
For version 6.2.2.
Solution
1) Create the dynamic FSSO address object.
- Go to Policy & Objects -> Addresses -> Create New -> Address.
- For type, select 'Dynamic'.
- For sub type, select 'Fortinet Single Sign-On (FSSO)'. The select entries pane opens and displays all available FSSO groups.
- Select one or more groups.
- Select 'OK' to save the configuration.
When the address table appears, an error message is shown for the address just created (unresolved dynamic address: fsso).
This is expected because there are currently no authenticated FSSO users (based on source IP) in the local FSSO user list, so the address does not yet resolve to any IP.
2) Add the dynamic address object to a firewall policy.
- Go to Policy & Objects -> IPv4 Policy.
- Create a new policy or edit an existing policy.
- For Source, add the dynamic FSSO address object you just created.
- Configure the rest of the policy as needed.
- Select 'OK' to save the changes.
3) Test the authentication to add a source IP address to the FSSO user list.
- Log in as a user and use CPPM for user authentication to connect to an external web server. After successful authentication, CPPM forwards the user name, source IP address, and group membership to the FortiGate via FortiManager.
- Go to Monitor -> Firewall User Monitor to view the user name (fsso1) and IP address.
- Go to Policy & Objects -> Addresses to view the updated address table. The error message no longer appears.
- Hover over the dynamic FSSO address to view the IP address (fsso resolves to: 10.1.100.185).
To verify user traffic in the GUI:
1) Go to Log & Report -> Forward Traffic. Details for the user fsso1 are visible in the traffic log.
If another user is authenticated by CPPM, the dynamic address fsso entry in the address table is updated. The IP address for user fsso2 (10.1.100.188) is now visible.
2) Go to FortiView -> Sources to verify that the users were able to successfully pass the firewall policy.
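The CLI equivalent of steps 1 and 2, plus the CLI checks that correspond to the Firewall User Monitor and the address hover, as an added example that is not part of the original article. The object name "fsso", the group name "EXAMPLE-FSSO-GROUP", the policy ID and the interface names are assumptions for illustration; the syntax is as I recall it from FortiOS 6.2 and should be checked against the CLI reference for the firmware in use.

```fortios
# Added example, not from the article. Names, interfaces and policy ID are assumed.
# Step 1: dynamic address object of subtype FSSO bound to one FSSO group
# (the group name is a placeholder; use a group listed in the GUI select pane).
config firewall address
    edit "fsso"
        set type dynamic
        set sub-type fsso
        set fsso-group "EXAMPLE-FSSO-GROUP"
    next
end

# Step 2: firewall policy that uses the dynamic object as its source.
# Logging is enabled so the user name shows up under Log & Report -> Forward Traffic.
config firewall policy
    edit 10
        set name "fsso-dynamic-egress"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "fsso"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Step 3 checks (assumed diagnose commands):
# lists the FSSO logon users the FortiGate currently knows (user, group, source IP)
diagnose debug authd fsso list
# lists the resolved members of dynamic address objects, i.e. what "fsso resolves to"
diagnose firewall dynamic list
```

While the FSSO user list is empty the address stays unresolved and the policy matches no traffic; only after CPPM (via FortiManager) pushes a logon for the configured group does the source IP appear in the diagnose output and the policy start to match that host. This is the behaviour to confirm before relying on the policy for access control.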
Copyright 2024 Fortinet, Inc. All Rights Reserved.