Fortigate Directory Services Authentication

The Fortinet firewall can integrate with Microsoft Active Directory.

It can use the following methods:

I. Fortigate FSAE/FSSO

This feature provides transparent authentication for users.

In older versions it is named Fortinet FSAE; in newer versions it appears as Fortinet FSSO.

Fortigate FSAE/FSSO is composed of the following two components:

1. Domain Controller Agent

This component monitors user logons. It is deployed on the Domain Controllers of the users' domain and is installed as C:\Windows\System32\dcagent.dll

2. Collector Agent

This is the 'master' of the application: it sends the information gathered by the Domain Controller Agent to the Fortigate firewall.
It performs the following tasks:
a. Looks up the user's group information in the domain
It uses a DNS lookup first; if the name is not found there, it checks the user's local cache, then the WINS server, then the Hosts file, etc.
To detect when a user logs off, FSAE/FSSO needs read-only access to the client's registry over TCP port 139 or 445.

b. Resolves the workstation name to an IP address
This is how it detects that a user has logged off a PC: it checks whether the user is still logged on every 5 minutes.
For workstations that cannot be looked up it uses Dead Entry Removal, controlled by the "dead entry timeout", which defaults to 8 hours. So if a PC cannot be checked to see whether the user has logged off, the entry is logged off automatically once this timeout expires.

c. Sends the IP address and group information to the Fortigate

II. Fortigate NTLM-based Authentication

This method removes the need to install the FSAE collector agent on every DC. The Fortigate prompts the user for credentials and then verifies them with the Domain Controller.


FSAE/FSSO General Hints

1. The following must be configured on each Domain Controller that has a collector agent installed:
a. Windows Active Directory user groups
b. Collector agent settings, including the Domain Controller to be monitored
c. Collector agent ignore user list
d. Collector Agent Fortigate Group filter for each Fortigate unit

2. Configuring FSAE/FSSO on the Fortinet Firewall:
a. Specify a domain admin account (whose credentials do not expire) for the Windows Active Directory server
b. Specify the Active Directory Servers that contain the FSAE/FSSO collector agent
c. Add the Active Directory user groups to new or existing Fortigate user groups
d. Create Firewall policy for Active Directory server groups

3. IP Address Lookup
The collector agent performs an IP address lookup to detect any IP address changes of a workstation while the user is still logged into the domain.
The IP address change verify interval value has a default value of 60 seconds.

4. Configure Alternate User IP Address Tracking

In environments where user IP addresses change frequently, FSAE can be made to respond more quickly by modifying the registry.

5. Workstation Lookup
This allows the Fortigate to detect a user logoff from a workstation.
Default – 5 minutes
Disabled – 8 Hours
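The timing behaviour described under the collector agent's workstation lookup (task b above), section 3 (IP address lookup) and section 5 (workstation lookup), as an added example that is not Fortinet's code: a hypothetical Python model of the collector agent's logon table using the page's default intervals. It shows what the Fortigate is told about each IP, that an IP change is picked up at the next verify interval, and that an entry whose workstation registry cannot be reached keeps its user-to-IP mapping alive until the dead entry timeout; the callbacks (resolve_ip, check_logged_on, lookup_groups) are assumptions standing in for DNS/WINS, the registry check over TCP 139/445 and the AD group lookup.

```python
from dataclasses import dataclass
# Collector agent defaults quoted on the page, in seconds.
WORKSTATION_CHECK_INTERVAL = 5 * 60   # workstation (logoff) check every 5 minutes
DEAD_ENTRY_TIMEOUT = 8 * 60 * 60      # "dead entry timeout" default of 8 hours
IP_CHANGE_VERIFY_INTERVAL = 60        # IP address change verify interval of 60 seconds

@dataclass
class Entry:
    user: str
    ip: str
    groups: tuple
    last_verified: float   # last time the workstation confirmed the user is still logged on
    last_checked: float    # last workstation check attempt, reachable or not
    last_ip_check: float

class CollectorModel:
    """Hypothetical model of the collector agent's logon table (not Fortinet code)."""
    def __init__(self, resolve_ip, check_logged_on, lookup_groups):
        self.entries = {}                        # workstation name -> Entry
        self.resolve_ip = resolve_ip             # workstation -> IP, or None if lookup fails
        self.check_logged_on = check_logged_on   # (workstation, user) -> True/False, None if unreachable
        self.lookup_groups = lookup_groups       # user -> list of AD groups

    def dc_agent_logon(self, user, workstation, now):
        # Logon event from the DC agent; an unresolvable workstation never reaches the FortiGate.
        ip = self.resolve_ip(workstation)
        if ip is not None:
            self.entries[workstation] = Entry(user, ip, tuple(self.lookup_groups(user)), now, now, now)
        return ip is not None

    def tick(self, now):
        # Run the periodic checks; returns the workstations whose entries were removed.
        removed = []
        for ws, e in self.entries.items():
            if now - e.last_ip_check >= IP_CHANGE_VERIFY_INTERVAL:  # IP address lookup
                e.ip, e.last_ip_check = self.resolve_ip(ws) or e.ip, now
            if now - e.last_checked >= WORKSTATION_CHECK_INTERVAL:  # workstation lookup; None = unreachable
                e.last_checked = now
                status = self.check_logged_on(ws, e.user)
                if status is True:
                    e.last_verified = now
                elif status is False:       # explicit logoff seen on the client registry
                    removed.append(ws)
            if now - e.last_verified >= DEAD_ENTRY_TIMEOUT and ws not in removed:
                removed.append(ws)           # dead entry removal after the timeout
        for ws in removed:
            del self.entries[ws]
        return removed

    def fortigate_view(self):  # what is pushed to the FortiGate: IP address -> (user, groups)
        return {e.ip: (e.user, e.groups) for e in self.entries.values()}
```

The point for a defender is the window between a workstation becoming unreachable and the dead entry timeout: during those 8 hours the firewall still grants that user's policies to whatever now holds the IP.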