FSSO in Polling mode

In this example, you will configure Fortinet Single Sign-On (FSSO) directly in the security policy using the new FSSO wizard introduced in FortiOS 5.2.2.

This example uses Active Directory polling to establish FSSO for a Windows AD Domain Controller, without requiring a FortiAuthenticator or a collector agent to act as an intermediary between the FortiGate and the domain.

1. Adding LDAP authentication to the FortiGate

In the FortiGate web interface, go to User & Device > Authentication > LDAP Servers. Create a new LDAP object that points to the Windows AD server.

For the Server IP/Name enter the server’s fully qualified domain name or the IP address.

Set the Bind Type to Regular and enter a User DN and Password.

Click Fetch DN to retrieve your Distinguished Name.

Click Test and verify that your connection is successful.

2. Configuring the FortiGate unit to poll the Active Directory

Next, go to User & Device > Authentication > Single Sign-On and add a new Single Sign-On Server.

For the Type, select Poll Active Directory Server. Enter the Server IP/Name, User, and Password, then select the LDAP server you added in Step 1. Make sure Enable Polling is checked. Add a test user group of your choice.

3. Adding a firewall address for the Internal network

Go to Policy & Objects > Objects > Addresses and create an internal network address to be used by your security policy.

4. One-step FSSO configuration in the security policy

Go to Policy & Objects > Policy > IPv4 and edit a security policy with access to the Internet. Set the Source Address to the Local_LAN address created in Step 3.

Under Source User(s), scroll down past the dropdown menu and select Create Users/Groups wizard.

For the User/Group Type, select FSSO and then click Next.

For the Remote Group, select the appropriate FSSO Agent from the dropdown menu.

Select the Groups tab and right-click on the user groups you would like to add.

Go to the Selected tab. In this example, Standard_User_Group and Admin_User_Group are shown.

Click Next.

Select Create New and name your new FSSO user group. 

Click Create.

The groups selected have been added to the new FSSO group, My_Windows_AD_Group.

Ensure you enable logging and select All Sessions.

In the Global View your completed policy should look similar to the screenshot shown on the right.

If necessary, select the policy by clicking on the far left column, and move it as close as possible to the top of the list.

5. Results

Go to Log & Report > Traffic Log > Forward Traffic.

When users log into the Windows AD network, the FortiGate will automatically poll the domain for their account information and record their traffic. 

Select an entry for more information. 

For further reading, check out Single Sign-On to Windows AD in the FortiOS 5.2 Handbook.

Kayla Robinson

Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.
Notes:

  • This recipe requires that your FortiGate’s DNS point to a DNS server that can resolve the IP addresses or fully qualified domain names of the users’ PCs.
  • You must add at least one user group to create your SSO server.
  • To add multiple groups, hold the Shift key and click.
  • To see these groups, go to User & Device > User > User Groups.
  • All other policies must deny Internet access in order for the user to be forced to authenticate.
  • Belal Adel

    Hi, I have a problem: when using FSSO, old users' authentication fails, but when I create a new user on Active Directory, this user works fine.

  • Hazem

    Hi Kayla,

    Will there be a recipe for FSSO polling mode in FortiOS 5.4?

    • Victoria Martin

      Hi Hazem,

      This recipe is on our list to get updated, though because 5.4 and 5.6 are quite similar it will likely only be updated for the latter.

  • William Bain

    Hi,

    We’re part of a large organisation where we have a single domain which is managed centrally. What permissions does the AD account need to be able to successfully poll, as I need to request an account with the correct privileges?

    • William Bain

      Also, on the Single Sign-On configuration page, what’s the difference between the “server / IP entry” and the “LDAP server”? Won’t these be the same?

      • Keith Leroux

        Hello Mr. Bain,
        Thank you for contacting us with your query! Given that you are a large organization with a specific network topology, I recommend contacting support.fortinet.com in order to get your issue resolved as quickly as possible. Once your issue is resolved by Support, don’t hesitate to contact us again if you wish to have our documentation updated accordingly.
        Cheers~

  • Yury Tyumin

    Hi,
    I use FSSO in Polling mode.
    But if I add a member to the AD group, the information does not appear on the FortiGate immediately.
    How can I accelerate it?

  • Tijmen Schoemaker

    Hmm, we are having troubles with our FSSO.

    DC1FWP010 # diagnose debug fsso-polling detail
    AD Server Status:
    ID=1, name(10.221.42.5),ip=10.221.42.5,source(security),users(0)
    port=auto username=prodaa_xxxxx
    read log offset=502967041, latest logon timestamp: Mon Jan 25 11:16:25 2016

    polling frequency: every 10 second(s) success(161), fail(0)
    LDAP query: success(0), fail(0)
    LDAP max group query period(seconds): 0
    most recent connection status: connected

    Group Filter:
    CN=DL FNC – Gebruikers – InternetToegang – Standaard,OU=Functionele Groep,OU=sHL Groepen,DC=prod,DC=shl,DC=local+CN=Domain Users,CN=Users,DC=prod,DC=shl,DC=local

    And

    DC1FWP010 # diagnose debug authd fsso server-status

    DC1FWP010 #
    Server Name Connection Status Version
    ———– —————– ——-
    Local FSSO Agent connected FSAE server 1.1

    It doesn’t read any users. Any ideas?

    • Victoria Martin

      Hello Tijmen,

      For this issue, I would recommend contacting Fortinet Support, so they can take a look at your configuration. We have a useful article about working with support that I would recommend you read, to make sure you have all the information they’ll need ready for them: http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

      I hope that helps!

  • Robert Groenewald

    Hello,
    Since the FortiGate can do an AD lookup via DNS, can you also configure “domain.tld” as the LDAP/FSSO server? I have created an LDAP server with my internal domain name (that will resolve to both of my DCs) and it seems to work fine.

    The user lookup is only a read on AD, so the DNS load balancing will do the work for you?

    I’m very curious about this one, and if needed I can open a ticket for this.

    Thanks

    • Taher Elbar

      Hi Robert,
      The FortiGate supports AD and LDAP lookup via DNS when you set up the FSSO and LDAP servers, so you can put the FQDN of the server instead of its IP address.
      Regards,
      Taher.

      • Robert Groenewald

        Hi Taher,
        Yes, the name resolving makes sense. But when you are in a domain and you have multiple DCs, they will all listen to your main domain name (example.local).

        That means you don’t have to point to an exact server, but you can point it to “example.local” and it will automatically resolve to the fastest DC. This is the same way Windows machines find their nearest and fastest DC.

        But my question is whether the FortiGate needs to have a specific machine name/IP to poll. As I see it now, it should work with the domain name.

        Thanks

        • Taher Elbar

          Correct, the main domain name.
          Taher.

          • Robert Groenewald

            Thank you for your answer!

  • Pablo

    I have two DCs and have configured 2 FSSO servers in Polling mode. There are users who point to the secondary DC and have no Internet access. Only the users who point to the primary DC can browse. My question is: if I have both FSSO servers configured, will the firewall only validate the logons of the users from the first FSSO? How do I know which FSSO is primary, just by the order in which they are listed? If I shut down the primary DC, will the firewall automatically pick up the logons from the secondary DC?

    • Taher Elbar

      Hi Pablo,
      You can configure your two DCs in one SSO. In case you need to use two different SSOs, then each of them will be functioning separately, which means each SSO needs its complete steps of configuration as shown in the recipe.
      Regards,
      Taher.

      • Pablo

        In the first case, do I need to install the agent for each server? The firewall has two SSOs configured in polling mode as shown in the recipe, but I do not know if the firewall registers the user logons of both FSSOs, because there are users who lose Internet at any moment.

        • Taher Elbar

          Hi,

          In polling mode, no agent has to be installed. For the Internet disconnection you may open a ticket with support: https://support.fortinet.com/

          Regards,
          Taher

  • Nuno Neves

    I have a FortiGate 40C and I don’t have the GUI with all of the options available. So I’m trying to do this by CLI. Is there any tutorial to do this? I’m having a problem with the creation of the FSSO Group… The only information I have is “Failed to add AD Groups”…

    • Victoria Martin

      Hi Nuno,

      I am looking into this issue and will get back to you as soon as possible.

  • Ghuffy Avue

    Hi

    I have 3 Domain Controllers, so do I have to add all 3 DCs as single sign-on servers and also as LDAP servers?

    If all 3 DCs are to be added as single sign-on & LDAP servers, do I have to add the same groups from the 3 DCs when I am adding the single sign-on server, or will just the group from the Global Catalog DC work?

    • Louis

      Same question here. I would like to know the answer please.
      Furthermore, if using only one LDAP, you don’t have redundancy. So how do you achieve redundancy?

      • Taher Elbar

        Hi Louis,
        1. Please see answer above.
        2.
        – If you mean LDAP server redundancy, you need to set up a cluster containing two or more LDAP servers; the FortiGate will pull logon information from the live LDAP server.
        – If you mean FortiGate redundancy, then you need to set up High Availability, which requires a second FortiGate unit.
        Regards,
        Taher.

    • Taher Elbar

      Hello,
      When using multiple DCs, you can add them as single sign-on servers and also as LDAP servers. Now it depends: if you have set the SAME groups in all DCs, then you do not need to add all DCs containing the SAME groups.
      Taher.

  • Gforce

    Hi,

    When I type diag debug fsso-polling detail, I get the following:
    polling frequency: every 10 second(s) success(120), fail(0)
    LDAP query: success(207), fail(136)
    LDAP max group query period(seconds): 1
    Number of users logged in:
    Within 1 sec: 0(0.00%)
    Within 1-5 secs: 6(54.55%)
    Within 5-10 secs: 5(45.45%)
    Within 10-15 secs: 0(0.00%)
    Within 15-20 secs: 0(0.00%)
    Within 20-25 secs: 0(0.00%)
    Within 25-30 secs: 0(0.00%)
    Within 30-60 secs: 0(0.00%)
    Beyond 60 secs: 0(0.00%)
    most recent connection status: connected

    Why am I getting a lot of LDAP query fails?

    thanks

    • telbar

      Hello,

      As it’s configured, the LDAP query happens every second or less (“LDAP max group query period(seconds): 1”).
      The failed queries may be due to network/bandwidth congestion. To debug this, you need to get the output of the following commands when the problem happens:

      diag debug reset
      diag debug enable
      diagnose debug application fnbamd -1
      Regards,
      Taher.

      • Gforce

        Hi Telbar,

        So what am I looking for in the results?

        I’m looking for as much troubleshooting as I can to try to resolve random logon prompts to the end users. I have firmware 5.2.2. We have a Windows 2012 R2 domain with two domain controllers added to the FortiGate as the LDAP servers. Only the operations master is set in the single sign-on page.

        Thanks

        • telbar

          Hello,
          Can you elaborate more about “random logon prompts to the end users”?
          The commands given above help troubleshoot the authentication phase.
          Regards,
          Taher.

          • Gforce

            Hi,

            I have the FortiGate 100D set to explicit proxy. The internet rule is set to authenticate. The SSO method is FSSO. Default auth is Basic. Randomly throughout the day, users will get a dialog box to enter credentials to browse the internet. If they log out and log back in, internet browsing will work. Some time later they’ll go to browse the internet again and IE will pop up with the login box. It doesn’t happen all the time, but some users get the dialog at least once a day.

            Thanks

          • telbar

            Hi,
            This is because the user’s session has expired, thus users are required to authenticate again.
            To modify session-ttl in the firewall policy (replace <policy-id> with the ID of your policy):
            config firewall policy
                edit <policy-id>
                    set session-ttl <seconds>   // 300 to 604800 seconds, or 0 to use the system default value
                next
            end
            Regards,
            Taher.

          • Gforce

            Hi Taher,
            Does this setting exist for explicit proxy policies?
            It’s operating in NAT mode, not transparent.

            Thanks

          • Taher Elbar

            Hi,
            When using “firewall explicit-proxy-policy”, there is no session-ttl parameter because the FortiGate is acting on behalf of something else. So either the server or the “something else” that the FortiGate is acting on behalf of is timing out the session, which requires users to authenticate again.
            Taher.

          • Gforce

            So are there any commands I can run or some type of troubleshooting to determine why this is happening?

            Thanks

          • Taher Elbar

            Hi,
            Here is the troubleshooting guide: http://docs.fortinet.com/uploaded/files/2156/Troubleshooting-522.pdf

            You can also open a ticket with support: https://support.fortinet.com/

            Taher.

  • Thiago Prado

    The agent is collecting logon data but the FortiGate unit does not recognize the user passing through as an authenticated FSSO group member. How can I debug the issue? I have run “di de en” with “di de app authd -1” and all I get is:
    _event_read[EPE]: received heartbeat 102020
    message_loop: checking timeouts
    message_loop: checking timeouts

    How can I pinpoint the issue and fix it?

    • telbar

      Hello,

      To troubleshoot this, you need to get the output of the following:

      diag debug reset
      diag debug enable
      diag debug fsso-polling

      the options are:

      summary //Show FSSO AD Server Summary.
      detail // Show FSSO AD Server Detail.
      client // Show FSSO AD Server Clients.
      user // Show FSSO AD Server users.
      refresh-user // Refresh FSSO AD Server users.
      set-log-source // Source of event log.
      Regards,
      Taher.

      • Thiago Prado

        I had to use the following to make it work:

        config user fsso-polling
            edit 1
                set server "10.0.0.10"
                set user "EXAMPLE\Administrator"
                set password ENC XCRATImq8g/CNu4ng
                set ldap-server "EXAMPLE_LDAP"
                config adgrp
                    edit "CN=Domain Users,CN=Users,dc=example,dc=local"
                    next
                end
            next
        end

        with the correct user, password, server and group.

        After that it worked.

  • Nuno

    Is it possible to have multiple policies with different source users?

    • Victoria Martin

      Yes it is.

  • Sean Jenkins

    If you have multiple Domain controllers is it just a case of adding them all in step 2?

    • Kayla Robinson

      Hi Sean,
      Yes, you can add multiple Domain Controllers in Step 2. Simply click the “Create New” button to add any additional DCs.

  • Bellissima

    Why does step 2 require AD credentials to be re-entered when they were configured in the previous step 1 for adding the LDAP server?

    Step 2 does not add any groups whereas the video version of this recipe adds the administrator group at this step. Is the administrator group addition not necessary at this point? If not, what is the use case for adding it?

    • Kayla Robinson

      Hi Bellissima,

      Thanks for your comments, hopefully this will clear things up:

      In step 2, you must configure your SSO server by entering the same LDAP credentials added in step 1. The SSO server provides user authentication. If an SSO server is not configured in Step 2, you will not be able to select your SSO server from the FSSO agent dropdown menu when using the FSSO wizard in step 4.

      Cookbook Videos may differ slightly from original recipes to showcase additional information, since they are often developed independently. The video shows adding an administrator group in Step 2 because the FSSO wizard will not allow you to create an SSO server without at least one user group. I will add a note about this in the recipe.