How to Integrate Fortigate firewall with Active Directory & LDAP services (SSO)

Captions
FortiGate integration with LDAP services, single sign-on. In this video we will learn how to leverage LDAP services to provide single sign-on functionality on the FortiGate firewall and have a seamless experience for our authenticated users. This will allow us to use our Active Directory users and groups to give access to different resources, instead of using local users on the FortiGate unit or having to authenticate again to the firewall, and we can give them access to resources based on their Active Directory groups. Let's see how we can configure it on our FortiGate unit.

First we need to configure our DNS to forward traffic destined for our local Active Directory domain names to our Windows Server. Right now, if we try to ping our Active Directory domain, we won't be able to resolve the local domain name. So we can just go to our DNS settings by going to config system dns. We just have our public DNS resolvers; we just want to add one more statement for our domain, and we just want to call this elasticourse.local. Next we need to configure our DNS database so it will forward the queries destined for this domain name and send them to our Windows Server. We can go under config system dns-database and we need to create a new entry, just give it a number, and here we need to define a few options. First we need to define our domain again, then we need to disable authoritative, and finally we need to set this to forward to our Windows Server, which is 192.168.1.116. We hit next and end, and if we try again we are able to reach our local domain names. And finally we need to go under config system dns-server so we can create an entry for our LAN interface, and we're just going to edit lan. Here we need to specify which interface, and if we do a show right now there is nothing; we just need to set the mode to recursive and hit end, and now we have our DNS server configured.

Now if we go back to our Windows client, we are still using the public DNS servers, so we are going to change our DHCP server to give the system interface IP of the LAN interface as the DNS server for this client, so that when they try to resolve the local names, they get filtered by the DNS database and get forwarded to our local domain. Back on our firewall we just need to go under config system dhcp server, and our DHCP server on the LAN interface right now is using dns-service default, so it uses the same public DNS servers configured on the FortiGate itself. We need to edit this entry and we can choose our DNS service; if we hit a question mark, the IP address of the interface of the DHCP server is our LAN interface, so if we change the DNS service to local, the firewall will give its interface IP for the LAN, which is 192.168.1.99, as the DNS server for the client, so that when the DNS traffic comes to the FortiGate, the FortiGate will fork it out: if it belongs to the public, it will send it to the public DNS, and if it goes to the private, it will be forwarded to our Windows server where we have our local private domain names. We want to change this to local and hit end. Now from our client we just need to refresh our lease so we can get the updated information: if we do the command ipconfig /release and then ipconfig /renew, we should be getting a new DHCP lease from the FortiGate with the new settings, and we can see here that the DNS server has changed to 192.168.1.99. If I try to ping my Active Directory domain from here, I am able to reach it using the DNS database filter and the DNS server that we are running on the LAN interface. Now I'm able to join my PCs to the domain controller directly.

From our Windows server we'll need to create an account for the FortiGate so the FortiGate can log in to our server and read the security events. This will allow the firewall to know which users are logged in to our environment and which IP addresses they are coming from, and the FortiGate will map these usernames to IP addresses. Then we can create firewall policies and allow different levels of access based on Active Directory groups and users instead of using plain IP addresses that are subject to change in a DHCP environment. And finally, for the FortiGate user we'll need to make sure that this user is a member of the Administrators group, so it will have access to get to the logs. Once we add it to Administrators, now we have everything we need to configure the FortiGate unit to communicate with this server.

So now let's head into our cloud firewall, and first we need to define our LDAP server. Under User & Device there is a section for LDAP Servers where we can add new servers. In here we can define the name; we can just call this our domain name, or it could be any name. For the IP address, this will be 192.168.1.116, which is the Windows server IP address, and this will use the normal LDAP port. Now we need to change this to regular, and we need to put in the username and password that we created for the FortiGate. Test our connectivity, and we have successful connectivity. We will now just need to browse our LDAP, and in here we can see all the different groups we have in our LDAP. So in here we can choose either the root of the directory or just the Users directory; we can leave it at root for now. So now we have a basic LDAP entry for our LDAP server running on premises, from our cloud firewall, and this is going through the VPN tunnel.

Now, in order for us to connect to the Active Directory and poll the logged-in users, we need to create a fabric connector. A fabric connector is a feature that allows the firewall to connect to different services and provide a seamless integration in between. Under Security Fabric we check our Fabric Connectors; we have nothing right now. Let's create a new entry, and we have different services we can integrate with. In this case we just want to poll the Active Directory server, so let's enter our server IP again and the username for the FortiGate, and we will choose our LDAP server. Enabling polling will allow the FortiGate to communicate with this Active Directory server, read which users are logged in, and map them to an IP address so we can use these users dynamically regardless of their IP address. For users and groups we need to define which users we are tracking with this connector; it defaults to zero. We need to either choose individual users, or we can also go under groups, choose our design department and our marketing department, mark these two, add selected and hit OK. Now we have our users and groups connected, and once we refresh the page our fabric connector is up.

The way we can verify this is actually doing something: we can go under Monitor and then Firewall User Monitor, FSSO logins. But now let's try to log in to one of our devices to verify if the firewall can read that this user is logged in. From our design PC, username Adam is trying to log in to his device; we're going to put in the password for this specific client. If we come back here and refresh, now we see a login from a user named Adam coming from this local IP address, and this is using the FSSO single sign-on with the Active Directory fabric connector. If we go back to check the logs for this IP address and go down, we will see that the IP address was just showing normally before we added the fabric connector, and once we added the fabric connector it started mapping the username Adam to this IP address. So even if we didn't know that Adam is using this IP address, we can filter policies based on the login name as well. Now if we do the same from the marketing PC and refresh our logins, we see Julie has been logged in as well and her username has been added. We can also do the same from the CLI by going into diagnose debug fsso-polling detail, and this will show us the connection to the Active Directory using our FortiGate credentials, and if we try diagnose debug fsso-polling user, it will show us all the IP addresses, which usernames they belong to, the groups they belong to, and finally the time they signed in to the device.

Now we just need to create some sort of mapping between our Active Directory groups and the firewall groups so we can start using these firewall groups in objects like firewall policies, and we can control users this way. Under User Groups we need to create our first single sign-on group based on an Active Directory group, and in here we need to define two different groups: we need a group for our marketing department and we need a group for our design department. These Active Directory groups already exist in our environment; we have our marketing team group already configured in Active Directory, and we also have our design team. Let's start with our marketing team. For the type we need to choose Fortinet single sign-on, and for the member we will see the two entries that we created in the fabric connector, so first we can choose our marketing team and hit OK, and we can do the same thing for our design team. Now if we try again to log in to our test machines, we should be able to read these group names in our monitor. In here we can start seeing that Adam and Julie have logged in, but now they are actually shown with the user group they belong to: this shows the name directly from the Active Directory, and this one is the user group object that we created manually on the firewall. So now we can use these objects to create firewall policies and restrict traffic based on these Active Directory groups.

Under Policy & Objects, let's start by creating a new policy specifically for the traffic coming from our VPN connection going to the internet through this AWS cloud firewall. For the source IP address we will use all IP addresses, and we will use the restriction only by the user; you can either choose individual users from LDAP or you can choose a whole group. So, for example, I want to restrict our design team from accessing all internet websites and allow the marketing team and all other teams to have normal access to the Internet, so I can choose all design team members, and we choose all the IP addresses on the internet, and for this all services will be blocked, or I can choose only HTTP and HTTPS, and we will deny this access and log all violation traffic. Now I have my first AD user group based policy, but right now it's not in the correct order, because the allow-all policy coming from VPN to port1 on these two IP addresses is accepted. We need to make sure we put the policy in the correct sequence by moving it above the allow-all policy; in this way, traffic coming from the VPN hitting port1, which is the internet port, will be evaluated against this deny policy first before getting evaluated against the allow-all policy.

Now it's time to test the connection from our design team PC. Let's head to our VMware to test this connection. From our design PC, if we try to access any service on the internet that was previously working, we should not be able to access anything; everything will be timing out on this design PC. But if we try the same from our marketing PC, we should have no problem accessing the Internet. If we open the FortiGate to check our policy, our deny policy right now has over 500 hits on it from all the web requests that are getting blocked by the firewall based on our AD user group. This is only for HTTP and HTTPS traffic, so from our design PC, which is getting blocked from the internet right now, if we try to ping something on the internet, for example if we try to ping the Google IP, we are still able to reach the Internet through this firewall because we are only blocking HTTP and HTTPS traffic, and that was for the user Adam. We can also go into our logs, and under Forward Traffic now we can see all the traffic in the logs is also associated with a username on our Active Directory system. We can see that Adam from the design team was able to ping 8.8.8.8, but he was also getting denied access to the internet because of our HTTP/HTTPS policy number five. Julie was able to access the same because she has the allow-all policy based on her Active Directory group. That's how you can restrict and allow access on a FortiGate using Active Directory and LDAP, or single sign-on. Thank you for watching.
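The FortiOS CLI equivalent of the configuration walked through in the video, as an added example written for this page, not taken from the video (which does the LDAP, fabric connector, user group and policy steps in the GUI). The object names, the VPN interface name vpn-onprem, the DHCP range, the bind account DN, the AD group DNs, the CA certificate name and the policy IDs are assumptions. Two points are tightened relative to the walkthrough and marked in comments: the LDAP bind uses LDAPS on 636 with a CA certificate instead of the plain port, so the bind password does not cross the VPN tunnel in cleartext, and the deny rule is explicitly moved ahead of the allow-all rule.

```fortios
# Added example (not from the video). Lines starting with # are comments.
# Assumed values: DC/LDAP server 192.168.1.116, FortiGate LAN IP 192.168.1.99,
# on-prem domain elasticourse.local, VPN interface "vpn-onprem", WAN "port1".

# 1. Public resolvers plus a DNS database entry that forwards the AD domain
#    to the domain controller, and a recursive DNS server on the LAN side.
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end
config system dns-database
    edit "1"
        set domain "elasticourse.local"
        set type master
        set view shadow
        set authoritative disable
        set forwarder "192.168.1.116"
    next
end
config system dns-server
    edit "lan"
        set mode recursive
    next
end

# 2. Hand out the FortiGate LAN IP as the clients' DNS server (dns-service local).
config system dhcp server
    edit 1
        set interface "lan"
        set default-gateway 192.168.1.99
        set netmask 255.255.255.0
        set dns-service local
        config ip-range
            edit 1
                set start-ip 192.168.1.100
                set end-ip 192.168.1.200
            next
        end
    next
end

# 3. LDAP server. The video uses the plain LDAP port; a regular (simple) bind
#    over 389 sends the bind password in cleartext, so this example uses LDAPS
#    with the AD CA imported as "AD-Root-CA" (assumed name) and identity check.
config user ldap
    edit "elasticourse.local"
        set server "192.168.1.116"
        set port 636
        set secure ldaps
        set ca-cert "AD-Root-CA"
        set server-identity-check enable
        set cnid "sAMAccountName"
        set dn "dc=elasticourse,dc=local"
        set type regular
        set username "cn=fortigate,cn=Users,dc=elasticourse,dc=local"
        set password <bind-password>
    next
end

# 4. Agentless FSSO polling (the GUI "Fabric Connector" for Active Directory).
#    Only the two assumed AD groups are tracked, as in the video.
config user fsso-polling
    edit 1
        set status enable
        set server "192.168.1.116"
        set default-domain "ELASTICOURSE"
        set user "fortigate"
        set password <poll-account-password>
        set ldap-server "elasticourse.local"
        set polling-frequency 10
        config adgrp
            edit "CN=Design Team,CN=Users,DC=elasticourse,DC=local"
            next
            edit "CN=Marketing Team,CN=Users,DC=elasticourse,DC=local"
            next
        end
    next
end

# 5. Firewall groups of type fsso-service mapped onto the AD groups.
config user group
    edit "AD-Design-Team"
        set group-type fsso-service
        set member "CN=Design Team,CN=Users,DC=elasticourse,DC=local"
    next
    edit "AD-Marketing-Team"
        set group-type fsso-service
        set member "CN=Marketing Team,CN=Users,DC=elasticourse,DC=local"
    next
end

# 6. Deny HTTP/HTTPS for the design group, logged, and move it above the
#    pre-existing allow-all rule (assumed to be policy ID 1) so it is
#    evaluated first. Ping and other services still match the allow-all.
config firewall policy
    edit 5
        set name "Deny-Design-Web"
        set srcintf "vpn-onprem"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "AD-Design-Team"
        set service "HTTP" "HTTPS"
        set action deny
        set schedule "always"
        set logtraffic all
    next
    move 5 before 1
end
```

After committing, `diagnose debug fsso-polling detail` shows the polling connection to the DC and `diagnose debug authd fsso list` shows the current user-to-IP mappings with their groups. Two checks worth doing with this design: a client whose logon event has not been polled yet (or whose user has logged off and been replaced on the same DHCP lease) carries no FSSO mapping, so its traffic falls through to the allow-all rule; if the intent is that only identified users get out, the allow rule should also carry a group and the final rule should be an implicit deny. The polling account's password is stored on the cloud-hosted FortiGate and crosses the tunnel on every poll, so keep it a dedicated account with no other role, and check in your own environment whether a less privileged group than Administrators is sufficient for reading the Security event log before granting that membership.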
Info
Channel: ElastiCourse
Views: 30,208
Keywords: fortigate, ldap, sso, active directory, aaa, fabric connector, windows server
Id: _Q-avgGIiFw
Length: 14min 57sec (897 seconds)
Published: Sat Mar 14 2020