Anthony_E
Community Manager
Article Id 194300

Description
This article describes the Fortinet Single Sign-On (FSSO) subtype for dynamic firewall address objects.
It can be used in all policies that support dynamic address types.
The FSSO dynamic address subtype can be used with FSSO group information forwarded by ClearPass Policy Manager (CPPM) via FortiManager.
The FortiGate updates the dynamic address used in firewall policies based on the source IP addresses of authenticated FSSO users.

It also can be used with other FSSO groups provided by the FSSO collector agent or FortiNAC.


Scope
For version 6.2.2.

Solution

To configure FSSO dynamic addresses with CPPM and FortiManager in the GUI:
 
1) Create the dynamic address object.
 

- Go to Policy & Objects -> Addresses -> Create New -> Address.
- For type, select 'Dynamic'.
- For sub type, select 'Fortinet Single Sign-On (FSSO)'. The select entries pane opens and displays all available FSSO groups.
- Select one or more groups.
- Select 'OK' to save the configuration.

 
 
When the address table appears, there will be an error message for the address just created (unresolved dynamic address: fsso).
This is expected because there are currently no authenticated FSSO users (based on source IP) in the local FSSO user list.

2) Add the dynamic address object to a firewall policy.

- Go to Policy & Objects -> IPv4 Policy.
- Create a new policy or edit an existing policy.
- For Source, add the dynamic FSSO address object you just created.
- Configure the rest of the policy as needed.
- Select 'OK' to save the changes.

3) Test the authentication to add a source IP address to the FSSO user list.

- Log in as a user and authenticate through CPPM to connect to an external web server. After successful authentication, CPPM forwards the user name, source IP address, and group membership to the FortiGate via FortiManager.
- Go to Monitor -> Firewall User Monitor to view the user name (fsso1) and IP address.
- Go to Policy & Objects -> Addresses to view the updated address table. The error message no longer appears.
- Hover over the dynamic FSSO address to view the IP address (fsso resolves to: 10.1.100.185).
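The same three steps, and the resolution check behind the 'unresolved dynamic address' message, can also be done from the FortiOS CLI. The block below is an added example and is not part of the original article: the address object name fsso matches the article, while the FSSO group name and the policy interface names (port1, port2) are placeholders to replace with your own values.

```text
# Step 1 (CLI equivalent): dynamic address object with the FSSO subtype.
# <your-fsso-group-name> is a placeholder for a group learned from CPPM via
# FortiManager, from the FSSO collector agent, or from FortiNAC.
config firewall address
    edit "fsso"
        set type dynamic
        set sub-type fsso
        set fsso-group "<your-fsso-group-name>"
    next
end

# Step 2 (CLI equivalent): use the object as the policy source.
# port1/port2 are assumed interface names; 'edit 0' takes the next free policy ID.
# logtraffic all makes accepted sessions appear in Log & Report -> Forward Traffic.
config firewall policy
    edit 0
        set name "fsso-dynamic"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "fsso"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Step 3 (checks): the local FSSO user list (user, source IP, groups), and the
# IP addresses the dynamic object currently resolves to. Before any FSSO logon
# the second list is empty for "fsso", which is the CLI side of the
# "unresolved dynamic address: fsso" message shown in the GUI.
diagnose debug authd fsso list
diagnose firewall dynamic list
```

When a user's traffic does not match the policy, run the two diagnose commands in that order: a user missing from the first list is an FSSO logon or forwarding problem (CPPM, FortiManager, collector agent), while a user present in the first list but whose IP is absent from the fsso entry in the second points at the group selection on the address object.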
 
To verify user traffic in the GUI:
 
1) Go to Log & Report -> Forward Traffic. Details for the user fsso1 are visible in the traffic log.
 
If another user is authenticated by CPPM, the dynamic address fsso entry in the address table is updated.
The IP address for user fsso2 (10.1.100.188) is now visible as well.
 
2) Go to FortiView -> Sources to verify that the users were able to successfully pass the firewall policy.