FSSO - AD polling vs SSO Agent

Author: emtee
2019/06/12 22:57:19


Hi,

Setting up my first FortiGate 101E, v6.0. I have everything set up and working: firewall rules, static routes, SD-WAN. But I cannot get the AD polling to work.

Does anyone actually use AD polling, or is using the Fortinet SSO agent the more common standard? What is the benefit of using the SSO agent? We have a relatively small environment: 2 DCs, 250 users.

Under Security Fabric > Fabric Connectors > Poll AD Server, I have configured this to connect to my AD with no issues. I've added the users/groups and added them to my IPv4 policies, but the policies never match.

Under Firewall User Monitor I can see users logging on.

The rule is incredibly basic: if a user is a member of the facebook_allow group, then allow Facebook.

 
#1

3 Replies

    xsilver_FTNT
    Re: FSSO - AD polling vs SSO Agent 2019/06/12 23:20:58
    Hi,
    your traffic is probably hitting some non-identity-based policy and so is flowing unauthenticated, or is not matching your policy at all. Keep in mind that since 5.1, IP-based policies have precedence over identity-based ones.
    Use basic tools like the session list and flow debug to find out.
    https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30038


    Kind Regards,
    Tomas
    #2
    emtee
    Re: FSSO - AD polling vs SSO Agent 2019/06/12 23:50:53
    Thanks I'll take a look at this.

    It is matching the rule below this one, which is to block Facebook. However, this is just set for the entire subnet and is not user/group specific.
    #3
    xsilver_FTNT
    Re: FSSO - AD polling vs SSO Agent 2019/06/13 05:28:49
    It should not be needed to explicitly block Facebook. Keep in mind that FortiGate is an 'implicit deny' type of firewall,
    and so all the policies are positive exemptions to this deny-everything rule.
    Having an identity-based policy to allow Facebook to some authenticated users and letting everyone else fall to the implicit deny should be enough.

    As I wrote before, IP-based policies are searched first, so if you have one policy to deny Facebook, all the users will hit that first, and there will be no attempt to hit the identity-based policy.
    post edited by xsilver_FTNT - 2019/06/13 05:30:35

    Kind Regards,
    Tomas
    #4
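An added example, not from this thread or from Fortinet, of the arrangement Tomas describes as FortiOS 6.0 CLI: one FSSO group, one identity-based policy that allows Facebook only to its members (no separate deny policy, so everyone else falls to the implicit deny), followed by the flow-debug and session commands he refers to for checking which policy a client actually hits. The interface names, the AD group DN, the policy ID, the client IP and the "allow_facebook" application control profile are placeholders.

```text
# --- FSSO group learned from the AD polling connector (group DN is a placeholder) ---
config user group
    edit "facebook_allow"
        set group-type fsso-service
        set member "CN=facebook_allow,OU=Groups,DC=example,DC=local"
    next
end

# --- Single identity-based policy; no IP-based "deny facebook" policy above or below it ---
# Only members of facebook_allow match; everyone else hits the implicit deny.
config firewall policy
    edit 10
        set name "allow_facebook_fsso"
        set srcintf "internal"                 # placeholder LAN interface
        set dstintf "wan1"                     # placeholder WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "facebook_allow"            # makes this an identity-based policy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "allow_facebook"  # assumed existing profile permitting Facebook
        set logtraffic all
        set nat enable
    next
end

# --- Verification ---
# 1. Confirm the FortiGate has learned the user's logon through the connector
diagnose debug authd fsso list

# 2. Trace which policy the test client's traffic really matches (client IP is a placeholder)
diagnose debug flow filter addr 10.0.0.50
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
#    ... open Facebook from 10.0.0.50, read the trace lines for the policy id ...
diagnose debug flow trace stop
diagnose debug disable

# 3. Check the established session and the policy id / user it was matched to
diagnose sys session filter src 10.0.0.50
diagnose sys session list
```

If the trace shows a policy id other than 10 for a logged-on member, that policy is the non-identity match described in the replies and should be removed or moved, not the identity policy.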