daac
New Contributor

Question: FSSO configuration

Hello, I hope you can clarify some doubts that unfortunately I have not been able to clear with the documentation. There are two methods, DC agent and polling mode (agent-based or agentless). For the agentless case there is no doubt that the polling is done by the FortiGate (a server installation is not required; LDAP is configured and then, in SSO, "Poll Active Directory Server"). For agent mode, a collector and agent deployment is required (LDAP is configured in SSO "Fortinet Single-Sign-On Agent"), or is it not necessary to configure the LDAP? The doubt arose after seeing this video: https://www.youtube.com/watch?v=BfMyWBAosK0. When it refers to the agent-based polling mode, does it refer to the installation of the collector? Or does it refer to the possibility of only installing a collector on a server so that it polls the DC and from there passes the information to the Fortinet? In that case, where only a collector is installed, which configuration must I apply on the Fortinet: LDAP + SSO "Fortinet Single-Sign-On Agent", or "Poll Active Directory Server"? Thank you

xsilver_FTNT
Staff

Well,

there is agent-based and agent-less FSSO.

Agent-less usually refers to direct polling of the Windows Security EventLog from FortiGate.

Agent-based usually refers to at least a Collector Agent installation onto a DC or domain member server.

That Collector Agent can then run in multiple modes, basically in one of 3 polling modes (NetAPI, WinSec, WinSec+WMI), or in agent mode where additional DCAgents or TSAgents are installed on DCs or Terminal Servers (TSAgents).

To the LDAP necessity for agent-based FSSO through Collector Agent.

As you can see from 1:14 till 1:25 there was no LDAP set on FortiGate.

And in general it is not necessary to have it. However, it might be useful, because when you choose an LDAP server pointing to some DC inside the monitored domain, for example to the same DC where your FSSO Agent config in FortiGate points to and where you set up the Collector Agent, then via this LDAP you can choose which groups will be part of the so-called Group Filter. Then you can find that per-FortiGate-SN Group Filter set on your Collector. This means that FortiGate and FSSO will be notified just about the users belonging to the selected groups and not all the groups. This will simplify the config.

However, the Group Filter can also be set from the Collector Agent, and this way the filter will be pushed to FortiGate and have the same effect. The bonus is that you can set a Default type of Group Filter which will be applied to all connected FortiGates. So if you have many and would like to have an identical FSSO setup on all your border firewalls, this is the way to go. Just press Apply&Refresh to get the filter from the Collector to FortiGate.

I would strongly recommend using Group Filters.

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

daac

xsilver wrote:

Well,

there is agent-based and agent-less FSSO.

Agent-less usually refers to direct polling of the Windows Security EventLog from FortiGate.

Agent-based usually refers to at least a Collector Agent installation onto a DC or domain member server.

That Collector Agent can then run in multiple modes, basically in one of 3 polling modes (NetAPI, WinSec, WinSec+WMI), or in agent mode where additional DCAgents or TSAgents are installed on DCs or Terminal Servers (TSAgents).

mmend to use Group Filters.

Best regards,

Tomas

Thanks for the clarification. In conclusion, the LDAP configuration basically gives you more granularity and allows filtering groups and users. Thank you

xsilver_FTNT

"in conclusion the configuration of the ldap basically gives you more granularity and allows filtering groups, users."

Yes, LDAP included in the FSSO config on the FGT gives you the ability to define the Group Filter on the FGT side, and push that filter from the FGT to the Collector Agent.

As a result the FGT will be notified only about users from the chosen/desired/useful groups.

The opposite approach is to define the Group Filter on the Collector and let the Collector push the filter to the FGT.

This approach is better for situations where you'd like to have the same group filter on multiple FGTs, or one place defining filters for all connected FGT units (as you can define a per-FGT-SN filter from the Collector as well as global (Default type) filters). Default and per-SN filters are exclusive, where per-SN filters have priority and override the default filter.

In any case, usage of the Group Filter is IMHO one of the best practices in FSSO.

It lessens the load and config size by stripping off any unnecessary group and user info which is not going to be used in firewall policies anyway.

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
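Added example, not from the thread or from Fortinet's own documentation: FortiOS CLI fragments for the two setups discussed above, the agentless "Poll Active Directory Server" mode and the Collector Agent mode with an LDAP server attached so that the Group Filter is defined on the FortiGate side and pushed to the Collector. The DC address 10.0.0.10, the example.com domain, the DNs and the credentials are constructed placeholders, and the object names are assumptions.

```text
# Constructed values: 10.0.0.10 is the DC, example.com the AD domain.

# Option A: agentless ("Poll Active Directory Server"). The FortiGate reads the
# DC's Security Event Log itself; no Collector Agent, but an LDAP server object
# is required.
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,cn=Users,dc=example,dc=com"
        set password <bind-password-placeholder>
    next
end
config user fsso-polling
    edit 1
        set status enable
        set server "10.0.0.10"
        # account that may read the Security log on the DC
        set user "fgt-poll"
        set password <poll-password-placeholder>
        set ldap-server "AD-LDAP"
    next
end

# Option B: agent-based ("Fortinet Single-Sign-On Agent"), Collector Agent on a
# DC or domain member. ldap-server is optional: with it, the FortiGate builds the
# Group Filter and pushes it to the Collector; without it, the filter is set on
# the Collector (Default or per-SN) and pushed to the FortiGate.
config user fsso
    edit "AD-Collector"
        set server "10.0.0.10"
        set password <collector-password-placeholder>
        set ldap-server "AD-LDAP"
    next
end

# Group Filter content: each FSSO user group used in a firewall policy becomes
# one entry in this FortiGate's per-SN filter, so only logons from members of
# these groups are forwarded.
config user group
    edit "FSSO-VPN-Users"
        set group-type fsso-service
        set member "CN=VPN-Users,OU=Groups,DC=example,DC=com"
    next
end
```

With only the Collector installed (no DCAgents), option B is still the right shape; the polling mode (NetAPI, WinSec or WinSec+WMI) is chosen on the Collector, not on the FortiGate.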
