Fortigate User and Authentication

 

=======Active Authentication==========

1. Local user and group
     The password is stored on the FortiGate itself (User & Authentication > User Definition).

2. Server-based password authentication

  • Create a local user account, and specify the remote server (LDAP, RADIUS or TACACS+) that verifies the password; the FortiGate never stores it.
  • Create a Firewall type group and add the local users to it, or map the group to a remote LDAP group.

3. MFA (two-factor authentication)
     Every FortiGate includes two free FortiToken Mobile tokens.
     User & Authentication > FortiTokens

     For an administrator, set an e-mail address on the administrator account and assign a token to it; an activation e-mail with a barcode is sent out. Open the FortiToken Mobile app and scan the barcode to activate the token.
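The CLI equivalent of items 2 and 3, added here as an illustration (it is not from the original post): a local user whose password is verified by an LDAP server and who must also present a FortiToken, plus a FortiToken on the built-in admin account. The server object AD-LDAP, the user jdoe, the e-mail addresses and the FTKMOB serials are placeholders; the real serials are listed under User & Authentication > FortiTokens, and a serial can only be assigned once it has been activated and is not in use.

```fortios
# Assumption: an LDAP server object named "AD-LDAP" already exists (config user ldap).
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "AD-LDAP"
        # no password is stored on the FortiGate; AD verifies it at logon
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        set email-to "jdoe@corp.example.com"
    next
end

# Firewall-type group that can be referenced in a policy or on a captive portal
config user group
    edit "FW-Users"
        set member "jdoe"
    next
end

# Second factor on the administrator account; the activation e-mail goes to email-to
config system admin
    edit "admin"
        set email-to "netops@corp.example.com"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000002"
    next
end
```

The order matters for the administrator: email-to has to be set before the token is assigned, otherwise there is nowhere to send the activation code.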


User group types:

  • Firewall - local users and/or remote (LDAP/RADIUS/TACACS+) users; used for active authentication
  • Guest    - temporary guest accounts (for example wireless guests)
  • FSSO     - Fortinet Single Sign-On, users learned from Windows AD logon events
  • RSSO     - RADIUS Single Sign-On, users learned from RADIUS accounting records

Active authentication can only be triggered by protocols in which the FortiGate is able to present a prompt: HTTP, HTTPS, FTP and Telnet. Other traffic from an unauthenticated host does not match an identity-based policy and falls through.

Active authentication is intended as a fallback: when a policy contains both passive (FSSO/RSSO) and Firewall groups, the user is only prompted if passive authentication fails to identify the source IP.


========Passive Authentication==========

1. FSSO and DC agent

This is used to obtain the user-to-IP mapping from AD logon events, so the firewall knows which user owns a session without ever prompting the user. Three agents are involved:

  • Domain Controller (DC) agent
  • Citrix/Terminal Server (TS) agent
  • Collector agent (CA)

FSSO mode:

# DC agent mode: a DC agent is installed on each domain controller, and at least one Collector agent (CA) is installed on a domain member server. The DC agent captures logon events and forwards them to the CA; the CA sends the resulting user/IP mappings to the FortiGate.

# Polling mode: one CA is installed on a domain member server and polls the domain controllers for logon events; nothing is installed on the DCs.
In polling mode there are three options: NetAPI polling, Event log polling, and Event log using WMI.

# Agentless: the FortiGate itself polls the domain controllers (Event log polling), with no agent installed anywhere. Fewer features are supported than with the agent-based modes, and the polling load is carried by the FortiGate.

DC agent mode is the standard (recommended) mode for FSSO.


2. FSSO Configuration

2.1 Agentless Polling Mode

     Security Fabric > External Connectors > Poll Active Directory Server; specify the domain controller to poll, the polling account, and the LDAP server object used to browse groups.

2.2 Collector agent-based polling or DC Agent Mode

      Security Fabric > External Connectors > FSSO Agent on Windows AD


diag debug enable
diag debug authd fsso server-status      (connection status of each collector agent)
diag debug authd fsso list               (user/IP/group mappings currently learned)


3. FSSO TS agent (Citrix/Terminal Server) and polling debug

    diag debug authd fsso ....
    diag debug authd fsso-polling ....


4. Create FSSO type user group, then use the group in Firewall Policy


     

===================

 LDAP 

This is used to pull AD groups from AD; these groups can then be used in security policies or for firewall admin access.


Types of User Group
1. Firewall - can be a local group or a remote group (mapped to LDAP/RADIUS/TACACS+).
2. Guest
3. FSSO - Fortinet Single Sign-On
4. RSSO - RADIUS Single Sign-On


----------------------

Use AD account for Firewall access:

1. Create the LDAP server (User & Authentication > LDAP Servers), then test the bind and a user credential from the CLI:

#diag test authserver ldap <server_name> <username> <password>


2. Create a Firewall type User Group with a Remote Group entry that points at the LDAP server and the AD group retrieved from it.










3. Create an Admin Profile (System > Admin Profiles) that defines the permissions; grant read-only where write access is not needed.















4. Create an Administrator account of type "Match a user on a remote server group", associate it with the Admin Profile and the User Group, and enable Wildcard so that every member of the AD group logs in with their own AD credentials.
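The same four steps in CLI form, added here as a worked example (it is not from the original post). Every name, address and DN is a placeholder: a domain corp.example.com, domain controllers 10.0.0.10/11, a read-only bind account fgt-ldap-bind, an imported CA certificate CORP-ROOT-CA, an AD group FW-Admins and a management subnet 10.0.1.0/24.

```fortios
# 1. LDAP server: LDAPS on 636 validated against the imported CA, bound with a
#    low-privilege read-only service account (not a Domain Admin)
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set secondary-server "10.0.0.11"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example,dc=com"
        set type regular
        set username "cn=fgt-ldap-bind,ou=Service Accounts,dc=corp,dc=example,dc=com"
        set password <bind-password>
        set secure ldaps
        set port 636
        set ca-cert "CORP-ROOT-CA"
    next
end

# 2. Firewall-type group mapped to exactly one AD group. Without "config match"
#    every account that can bind to AD would be a member of the group.
config user group
    edit "AD-FW-Admins"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=FW-Admins,OU=Groups,DC=corp,DC=example,DC=com"
            next
        end
    next
end

# 3. Admin profile: read-only everywhere (least privilege, e.g. for auditors)
config system accprofile
    edit "audit-readonly"
        set secfabgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
    next
end

# 4. Wildcard administrator: any member of AD-FW-Admins logs in with their own
#    AD credentials, and only from the management subnet
config system admin
    edit "ad-fw-admins"
        set remote-auth enable
        set remote-group "AD-FW-Admins"
        set wildcard enable
        set accprofile "audit-readonly"
        set trusthost1 10.0.1.0 255.255.255.0
    next
end
```

Check the result with "diag test authserver ldap AD-LDAP <username> <password>": a successful test prints the groups the account belongs to, which is what "config match" is compared against. If the test succeeds but the login fails, the group-name DN (case and spacing included) is the usual culprit.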









--------------------------

Use AD account for Internet access:

1. Create a Firewall type User Group that points to the AD user group (through the LDAP server)









2. Method 1: Edit the firewall policy so that the source contains both the IP subnet and the User Group (an identity-based policy)


 







If another policy below this one allows NET-10.0.1.0/24 to reach the Internet without a user group, traffic from an unauthenticated host does not match the identity-based policy, falls through to that policy, and the user is never prompted. This behaviour can be changed by enforcing authentication on demand (CLI only):

#config user setting
(setting) # set auth-on-demand always
(setting) # end


3. Method 2: Enable Captive Portal on the inside interface (Network > Interfaces, Security mode: Captive Portal) and select the user groups that are allowed to authenticate








4. When a user opens a web page (HTTP/HTTPS), the FortiGate redirects the browser to the login prompt; after a successful login the session is tied to the user's IP address.









Authentication timeout
The default is 5 minutes; the value is in minutes and, by default, is an idle timeout (auth-timeout-type can also be hard-timeout or new-session).
#config user setting
     set auth-timeout <minutes>
end

Monitor Users
Dashboard > Users & Devices > Firewall Users

diag firewall auth list       (show authenticated users, their IP, group and remaining time)
diag firewall auth clear      (clear all authenticated sessions; users must log in again)

Captive Portal Exemption
1. # config user security-exempt-list      (sources/destinations/services that bypass the interface captive portal; apply the list on the interface)
2. # config firewall policy
       edit <policy_id>
       set captive-portal-exempt enable      (traffic matching this policy is not redirected to the portal)
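A complete CLI version of the "AD account for Internet access" procedure above (identity-based policy, auth-on-demand, timeout and the two ways to exempt devices from the captive portal), added here as an example and not taken from the original post. It assumes the LDAP server object AD-LDAP from the LDAP section exists; the interfaces port1 (outside) and port2 (inside), the subnets, the AD group Internet-Users and the policy numbers are placeholders.

```fortios
# Assumption: LDAP server object "AD-LDAP" exists (see the LDAP section above).
config user group
    edit "AD-Internet-Users"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=Internet-Users,OU=Groups,DC=corp,DC=example,DC=com"
            next
        end
    next
end

config firewall address
    edit "NET-10.0.1.0/24"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "NET-Printers"
        set subnet 10.0.1.192 255.255.255.192
    next
end

config firewall policy
    # Devices that can never answer a browser prompt go ABOVE the identity-based
    # policy; captive-portal-exempt also keeps them off the interface portal (method 2)
    edit 10
        set name "Printers-no-portal"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "NET-Printers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set captive-portal-exempt enable
    next
    # Method 1: source = subnet AND group. A prompt appears only when an
    # HTTP/HTTPS/FTP/Telnet session from an unauthenticated host hits this policy.
    edit 11
        set name "Internet-authenticated"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "NET-10.0.1.0/24"
        set dstaddr "all"
        set groups "AD-Internet-Users"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end

# Without auth-on-demand always, a later policy that allows the subnet with no
# group silently absorbs unauthenticated traffic and nobody is ever prompted.
config user setting
    set auth-on-demand always
    set auth-timeout 30
    set auth-timeout-type idle-timeout
end

# Method 2: captive portal on the inside interface, with an exemption list so
# the printers are not redirected
config user security-exempt-list
    edit "no-portal-printers"
        config rule
            edit 1
                set srcaddr "NET-Printers"
            next
        end
    next
end
config system interface
    edit "port2"
        set security-mode captive-portal
        set security-groups "AD-Internet-Users"
        set security-exempt-list "no-portal-printers"
    next
end
```

Use one method or the other in practice; both are shown because the page describes both. After a user logs in, "diag firewall auth list" should show the IP, the user name and AD-Internet-Users as the group; "diag firewall auth clear" forces everyone to re-authenticate, which is a quick way to test the timeout and exemption behaviour.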




Create a User-based Security Policy with FSSO:

1. Install the FSSO agents in Active Directory: the DC agent on each domain controller and the collector agent on a domain member server (or the collector agent alone, in polling mode).

2. Configure the FSSO agent connector on the firewall (Security Fabric > External Connectors).

3. Create a FortiGate FSSO type User Group and select the AD groups reported by the collector agent.

4. Create the Security Policy, using the FSSO group as the source; users are matched by the IP they logged on from and are never prompted.
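The same procedure in CLI form, added here as an example (not from the original post). The collector agent address 10.0.0.20, the domain controller 10.0.0.10, the polling account fgt-poll, the LDAP server object AD-LDAP, the address object NET-10.0.1.0/24, the AD group INTERNET-USERS and the interfaces are placeholders. Configure either the collector agent connector or the agentless polling entry, not both; both are shown because the page describes both modes.

```fortios
# DC agent mode or CA polling mode: the FortiGate talks to the collector agent.
# The password must match the one set in the collector agent; ldap-server lets the
# GUI browse the AD groups when building the FSSO group.
config user fsso
    edit "AD-CA"
        set server "10.0.0.20"
        set port 8000
        set password <collector-agent-password>
        set ldap-server "AD-LDAP"
    next
end

# Alternative, agentless polling: the FortiGate reads the security event log of the
# DC itself, using a domain account that is allowed to read that log.
config user fsso-polling
    edit 1
        set status enable
        set server "10.0.0.10"
        set default-domain "CORP"
        set user "fgt-poll"
        set password <polling-account-password>
        set ldap-server "AD-LDAP"
    next
end

# FSSO-type group. The member name is compared against the group names the
# collector agent exports (normally the DN in upper case) and must match them
# exactly; it is not resolved against AD by the FortiGate.
config user group
    edit "FSSO-Internet-Users"
        set group-type fsso-service
        set member "CN=INTERNET-USERS,OU=GROUPS,DC=CORP,DC=EXAMPLE,DC=COM"
    next
end

# Policy keyed on the FSSO group. No prompt is ever shown: a source IP with no
# logon event behind it does not match and falls through to the policies below
# (or to the implicit deny).
config firewall policy
    edit 20
        set name "Internet-FSSO"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "NET-10.0.1.0/24"
        set dstaddr "all"
        set groups "FSSO-Internet-Users"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

Verify with "diag debug authd fsso server-status" (the connector must show as connected) and "diag debug authd fsso list", which prints the user, IP and group strings actually received; the member string in the FSSO group must match one of those exactly, which is the most common reason an FSSO policy never matches.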



Troubleshooting:

Test the LDAP bind and a user's credentials from the CLI; a successful test also prints the AD groups the user belongs to, which is what the group mapping is compared against:

diag test authserver ldap <server-name> <username> <password>



