Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.13 Administration Guide
    6.4.13
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    FSSO dynamic address subtype

    FSSO dynamic address subtype

    The Fortinet Single Sign-ON (FSSO) dynamic firewall address subtype can be used in policies that support dynamic address types. The FortiGate will update the dynamic address used in firewall policies based on the source IP information for the authenticated FSSO users.

    It can also be used with FSSO group information that is forwarded by ClearPass Policy Manager (CPPM) via FortiManager, and other FSSO groups provided by the FSSO collector agent or FortiNAC.

    To configure FSSO dynamic addresses with CPPM and FortiManager in the GUI:
    1. Create the dynamic address object:
      1. Go to Policy & Objects > Addresses, and click Create New > Address.
      2. For Type, select Dynamic.
      3. For Sub Type, select Fortinet Single Sign-On (FSSO). The Select Entries pane opens and displays all available FSSO groups.
      4. Select one or more groups.
      5. Click OK to save the configuration.

        In the address table, there will be an error message for the address you just created (Unresolved dynamic address: fsso). This is expected because there are currently no authenticated FSSO users (based on source IP) in the local FSSO user list.

    2. Add the dynamic address object to a firewall policy:
      1. Go to Policy & Objects > Firewall Policy.
      2. Create a new policy or edit an existing policy.
      3. For Source, add the dynamic FSSO address object you just created.
      4. Configure the rest of the policy as needed.
      5. Click OK to save your changes.

    3. Test the authentication to add a source IP address to the FSSO user list:
      1. Log in as user and use CPPM for user authentication to connect to an external web server. After successful authentication, CPPM forwards the user name, source IP address, and group membership to the FortiGate via FortiManager.
      2. Go to Monitor > Firewall User Monitor to view the user name (fsso1) and IP address.

      3. Go to Policy & Objects > Addresses to view the updated address table. The error message no longer appears.
      4. Hover over the dynamic FSSO address to view the IP address (fsso resolves to: 10.1.100.185).

    To verify user traffic in the GUI:
    1. Go to Log & Report > Forward Traffic.

      Details for the user fsso1 are visible in the traffic log:

    • If another user is authenticated by CPPM, then the dynamic address fsso entry in the address table will be updated. The IP address for user fsso2 (10.1.100.188) is now visible:

  • Go to FortiView > Sources to verify that the users were able to successfully pass the firewall policy.

    • Note

    If a user logs off and CPPM receives log off confirmation, then CPPS updates the FortiGate FSSO user list via FortiManager. The user IP address is deleted from the dynamic FSSO address, and the user is no longer be able to pass the firewall policy.
    To configure FSSO dynamic addresses with CPPM and FortiManager in the CLI:
    1. Create the dynamic address object:
      config firewall address
    edit "fsso"
        set type dynamic
        set sub-type fsso
        set fsso-group "cp_test_FSSOROLE"
    next
end
    2. Add the dynamic address object to a policy:
      config firewall policy
    edit 1
        set name "pol1"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "fsso"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set nat enable
    next
end
    To verify user traffic in the CLI:
    1. Check the FSSO user list:
      diagnose debug authd fsso list
----FSSO logons----
IP: 10.1.100.185  User: fsso1  Groups: cp_test_FSSOROLE  Workstation:  MemberOf: FSSO-CPPM cp_test_FSSOROLE
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
    2. Check the authenticated firewall users list:
      diagnose firewall auth list
10.1.100.185, fsso1
type: fsso, id: 0, duration: 2928, idled: 2928
server: FortiManager
packets: in 0 out 0, bytes: in 0 out 0
group_id: 2 33554433
group_name: FSSO-CPPM cp_test_FSSOROLE
----- 1 listed, 0 filtered ------

      After user traffic passes through the firewall, the nu

      diagnose firewall auth list
10.1.100.185, fsso1
type: fsso, id: 0, duration: 3802, idled: 143
server: FortiManager
packets: in 1629 out 1817, bytes: in 2203319 out 133312
group_id: 2 33554433
group_name: FSSO-CPPM cp_test_FSSOROLE
----- 1 listed, 0 filtered ------
    Previous
    Next

    More Links

    ClearPass endpoint connector via FortiManager
    ClearPass integration for dynamic address objects

    FSSO dynamic address subtype

    FSSO dynamic address subtype

    The Fortinet Single Sign-ON (FSSO) dynamic firewall address subtype can be used in policies that support dynamic address types. The FortiGate will update the dynamic address used in firewall policies based on the source IP information for the authenticated FSSO users.

    It can also be used with FSSO group information that is forwarded by ClearPass Policy Manager (CPPM) via FortiManager, and other FSSO groups provided by the FSSO collector agent or FortiNAC.

    To configure FSSO dynamic addresses with CPPM and FortiManager in the GUI:
    1. Create the dynamic address object:
      1. Go to Policy & Objects > Addresses, and click Create New > Address.
      2. For Type, select Dynamic.
      3. For Sub Type, select Fortinet Single Sign-On (FSSO). The Select Entries pane opens and displays all available FSSO groups.
      4. Select one or more groups.
      5. Click OK to save the configuration.

        In the address table, there will be an error message for the address you just created (Unresolved dynamic address: fsso). This is expected because there are currently no authenticated FSSO users (based on source IP) in the local FSSO user list.

    2. Add the dynamic address object to a firewall policy:
      1. Go to Policy & Objects > Firewall Policy.
      2. Create a new policy or edit an existing policy.
      3. For Source, add the dynamic FSSO address object you just created.
      4. Configure the rest of the policy as needed.
      5. Click OK to save your changes.

    3. Test the authentication to add a source IP address to the FSSO user list:
      1. Log in as user and use CPPM for user authentication to connect to an external web server. After successful authentication, CPPM forwards the user name, source IP address, and group membership to the FortiGate via FortiManager.
      2. Go to Monitor > Firewall User Monitor to view the user name (fsso1) and IP address.

      3. Go to Policy & Objects > Addresses to view the updated address table. The error message no longer appears.
      4. Hover over the dynamic FSSO address to view the IP address (fsso resolves to: 10.1.100.185).

    To verify user traffic in the GUI:
    1. Go to Log & Report > Forward Traffic.

      Details for the user fsso1 are visible in the traffic log:

    • If another user is authenticated by CPPM, then the dynamic address fsso entry in the address table will be updated. The IP address for user fsso2 (10.1.100.188) is now visible:

  • Go to FortiView > Sources to verify that the users were able to successfully pass the firewall policy.

    • Note

    If a user logs off and CPPM receives log off confirmation, then CPPS updates the FortiGate FSSO user list via FortiManager. The user IP address is deleted from the dynamic FSSO address, and the user is no longer be able to pass the firewall policy.
    To configure FSSO dynamic addresses with CPPM and FortiManager in the CLI:
    1. Create the dynamic address object:
      config firewall address
    edit "fsso"
        set type dynamic
        set sub-type fsso
        set fsso-group "cp_test_FSSOROLE"
    next
end
    2. Add the dynamic address object to a policy:
      config firewall policy
    edit 1
        set name "pol1"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "fsso"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set nat enable
    next
end
    To verify user traffic in the CLI:
    1. Check the FSSO user list:
      diagnose debug authd fsso list
----FSSO logons----
IP: 10.1.100.185  User: fsso1  Groups: cp_test_FSSOROLE  Workstation:  MemberOf: FSSO-CPPM cp_test_FSSOROLE
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
    2. Check the authenticated firewall users list:
      diagnose firewall auth list
10.1.100.185, fsso1
type: fsso, id: 0, duration: 2928, idled: 2928
server: FortiManager
packets: in 0 out 0, bytes: in 0 out 0
group_id: 2 33554433
group_name: FSSO-CPPM cp_test_FSSOROLE
----- 1 listed, 0 filtered ------

      After user traffic passes through the firewall, the nu

      diagnose firewall auth list
10.1.100.185, fsso1
type: fsso, id: 0, duration: 3802, idled: 143
server: FortiManager
packets: in 1629 out 1817, bytes: in 2203319 out 133312
group_id: 2 33554433
group_name: FSSO-CPPM cp_test_FSSOROLE
----- 1 listed, 0 filtered ------
    Previous
    Next