FSSO FortiGate Single Sign On

FSSO  KB ID 0001786

If you are applying policies with your FortiGate, e.g. Web Filtering or IPS, then the ability to track actual users rather than IP addresses is advantageous. It’s all very well blocking access to adult material or gambling sites from the corporate network, but most companies want to know WHO is attempting to connect to what, and when.

To do that the firewall needs to learn which users are where. We could make all users actively authenticate to the firewall as they attempt to get on the web, but that does not make for a great user experience; it’s better to passively learn where your users are and what machines they are using, then use that in a policy (let’s not get too far ahead for the moment).

Q. How do we learn where your users are, and what machines they are on?

A. FSSO

To enable FSSO you need to understand the difference between two pieces of software, the FSSO Collector and the FSSO DC Agent. The DC Agent (as the name implies) runs on each of your DCs; it captures logon events and then does DNS lookups to see what machines people are using. The Collector takes the output from one or more DC Agents and collates it for the firewall; it does not have to run on a domain controller (but it can).

I only have one server! Well, that’s OK, both the collector and the agent can be on the same box.

However, most networks will have multiple Domain Controllers, so your FSSO topology may look a little more like this.

Or if you have an even larger network, you may want to build in a backup collector (or collectors).

Deploy FSSO

In my small test environment I’m going to put the collector and agent on a single DC. Your first challenge is actually getting the FSSO software. Log into your FortiCloud portal and proceed as if you want to download some FortiGate firmware.

Then in the version of FortiGate firmware that matches your firewall you will find an FSSO directory (unless you’re in the dark ages your domain controllers will be x64), so in my case I want FSSO_Setup5.0.0306_x64.exe (that downloads the collector setup, which also includes the DC Agent software, though you can download that separately if you wish).

Install Collector

Accept the EULA, change the install directory if you don’t want it on the C: Drive > Enter some administrative credentials > Next.

My FortiGate uses LDAPS lookups, so I’m going for Advanced > Next.

Install > When complete, I’m installing the DC Agent on the same server so MAKE SURE Launch DC Agent Install Wizard IS ticked, and click Finish.

Warning: Installing a DC Agent will result in the reboot of this DC, (you might want to do the next step out of hours).

Install DC Agent

Accept the defaults > Next > Select the Domain > Next > Select any user(s) you want to be exempt > Next.

Select DC Agent Mode > Next > It will prompt for a reboot, let it do so.

Post reboot, launch FortiGate Single Sign On Agent Configuration and change the password to something memorable (you will need to enter this onto the FortiGate in a minute).

Register FSSO on FortiGate

Back on the FortiGate > Security Fabric > External Connectors > FSSO Agent on Windows AD.

Give it a sensible name > Enter the IP address and the password you set above > Apply and Refresh > OK.

You will know it’s working because it will give you a green up arrow (it can take a little while, be patient).

Create FSSO Groups

Now you can add groups based on FSSO-learned groups, like so.

Once you have the FSSO groups defined, you can use them in policies. Below I’ve added Domain Users to my default outbound policy.

WARNING: If you have any devices or assets that need access out, you will need to add a new rule that explicitly allows them out before this rule, or their internet access will suddenly stop.


Monitor FSSO Events

To make sure the system is working you can go to Events > User Events > Make sure your user logon activity is getting logged.

Related Articles, References, Credits, or External Links

FSSO Handbook

Enabling NetFlow on Cisco ASA

KB ID 0000055

Problem

Cisco NetFlow lets you export information about traffic flows. It was originally written for router IOS, but is now available on the Cisco ASA, which uses NSEL (NetFlow Secure Event Logging). Note: the ASA uses NetFlow version 9 (the newest at the time of writing).

Note: NetFlow cannot give you “live” data, but it can show you what has happened over a period of time. Remember that, like any other logging, this will have an adverse effect on the firewall (depending on how busy it is).

Setting this up is a two-step process: the firewall is configured as the NetFlow “Exporter”, then you install an application that accepts and collates that information, the NetFlow “Collector”.

Solution

1. Log into your firewall via CLI and enter enable mode, then enter configure terminal mode.

[box]

User Access Verification
Password:********
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# conf t
PetesASA(config)#

[/box]

2. We haven’t set one up yet, but we need to let the firewall know the IP address that the NetFlow “Collector” will be running on; in this case I’m going to use 10.254.254.234. (Note: the port number on the end is your choice, it just has to match the port the collector listens on; 2055 is the usual one).

[box]

PetesASA(config)#
PetesASA(config)# flow-export destination inside 10.254.254.234 2055
PetesASA(config)#

[/box]

3. The next command delays sending the flow-create event by 15 seconds, so short-lived flows don’t generate a separate create and teardown record.

[box]

PetesASA(config)#
PetesASA(config)# flow-export delay flow-create 15
PetesASA(config)#

[/box]

4. Now we are going to set the rate (in minutes) at which the templates are re-sent; if you do not do this it will default to 30 minutes. The collector cannot decode any flow records until it has received the matching template, so a short interval means you see data sooner, e.g. after a collector restart.

[box]

PetesASA(config)#
PetesASA(config)# flow-export template timeout-rate 1
PetesASA(config)#

[/box]

5. I’m going to apply this with the default global_policy, because most of you will have one (though I notice every 8.2(1) 5505 I’ve put in recently does NOT have one, so check).

[box]

PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class class-default
PetesASA(config-pmap-c)# flow-export event-type all destination 10.254.254.234
PetesASA(config-pmap-c)# exit

[/box]

6. If you haven’t got a global policy, this will not take effect until you have applied global_policy globally. This is done with a service-policy command; check to see if you already have it in your config, or simply execute the command and the firewall will tell you, like so…

Note: If it does not warn you, then it was NOT already applied (it is now) 🙂

[box]

PetesASA(config)#
PetesASA(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
PetesASA(config)#

[/box]

7. Don’t forget to save the config with a “write mem” command.

8. Now go to the machine you want to install your NetFlow collector software on. I prefer Plixer Scrutinizer because it’s free and it’s easy to set up. Connect to it via the built-in web site (username admin, password admin) > Click Status > Expand Ungrouped > Expand the firewall > Flow templates > Pick one.

9. There’s your throughput 🙂
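To show what the collector in step 8 actually receives, and why the template timeout-rate in step 4 matters, here is an added example (my own code, not Scrutinizer’s or Cisco’s) that parses a NetFlow v9 datagram of the kind the ASA exports. The template layout, field ids and both flow packets are constructed for the example; field 233 is the NSEL firewall-event code the ASA includes in each record.

```python
import ipaddress
import struct
# Field ids in the constructed template: 8/12 = IPv4 src/dst, 7/11 = L4 ports, 4 = protocol,
# 233 = firewallEvent (the NSEL event code: 1 created, 2 deleted, 3 denied)
FIELD_NAMES = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port", 4: "protocol", 233: "fw_event"}
def parse_v9(packet, templates):
    """Parse one v9 datagram; `templates` is the collector's cache keyed by (source_id, template_id)."""
    version, _count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 datagram")
    records, pending, offset = [], [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:  # template flowset; may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                templates[(source_id, tid)] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id > 255:  # data flowset; its id is the template id
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                pending.append(fs_id)  # undecodable until the exporter resends its template
            else:
                pos, rec_len = 0, sum(flen for _, flen in tmpl)
                while pos + rec_len <= len(body):  # leftover bytes are padding
                    rec = {}
                    for ftype, flen in tmpl:
                        raw, pos = body[pos:pos + flen], pos + flen
                        rec[FIELD_NAMES.get(ftype, ftype)] = str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                    records.append(rec)
        offset += fs_len
    return {"seq": seq, "records": records, "pending": pending}
def build_packet(seq, flowsets, source_id=1):
    """Constructed v9 datagram from (flowset_id, body) pairs, one record per flowset."""
    body = b"".join(struct.pack("!HH", fid, 4 + len(fs)) + fs for fid, fs in flowsets)
    return struct.pack("!HHIIII", 9, len(flowsets), 1000, 1700000000, seq, source_id) + body
def demo():
    """Data before its template is undecodable; after the template arrives the same data decodes."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    flow = (ipaddress.IPv4Address("10.254.254.10").packed + ipaddress.IPv4Address("198.51.100.7").packed
            + struct.pack("!HHBB", 51234, 443, 6, 1) + b"\x00\x00")  # fw_event 1 = created; 2 pad bytes
    templates = {}
    first = parse_v9(build_packet(1, [(256, flow)]), templates)   # no template yet
    second = parse_v9(build_packet(2, [(0, template), (256, flow)]), templates)
    return first, second
```

A real collector binds UDP 2055, feeds every datagram to parse_v9 with one persistent templates dict, and will report nothing for flows that arrive before the next template refresh, which is exactly the gap the one-minute timeout-rate shortens.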

Related Articles, References, Credits, or External Links

NA