
FortiGate I

Firewall Authentication

FortiGate 5.2.1 Last Modified: December 5, 2023


Objectives

• Explain firewall authentication
• Describe the different methods of authentication available on
  FortiGate devices
• Identify which authentication protocols are used with each method of
  authentication
• Configure two-factor authentication (OTP and tokens)
• Describe authentication types (active and passive)
• Create authentication policies
• Configure captive portal and disclaimers
• Configure authentication timeout
• Describe and configure users/user groups:
  o LDAP, RADIUS
  o FortiGate
• Monitor firewall users
Authentication

• Confirms the identity of a user or device
• Once FortiGate identifies the user/device, it applies the right firewall
  policies and profiles to allow or deny access to each network resource
Methods of Authentication

You can use the following methods of authentication for firewall
authentication:

• Local password authentication
• Remote password authentication
• Two-factor authentication
  o Enabled on top of an existing method
  o Requires something you know and something you have
Local Password Authentication

• Local password authentication is based on user accounts stored locally
  on FortiGate
  o For each account, a user name and password (credentials) is stored

[Figure: the user submits a user name and password to FortiGate, which
checks them against its locally stored accounts]
Remote Server Authentication

• Accounts are stored in an external authentication server
• Administrators can:
  o Create an account for the user locally and specify the server to verify
    the password, or
  o Add the authentication server to a user group
    • All users in that server become members of the group

[Figure: (1) the user sends a user name and password to FortiGate;
(2) FortiGate forwards the user name and password to the remote server;
(3) the remote server answers OK; (4) FortiGate grants the user access]
Remote Server Authentication – Protocols

• Password-based protocols: POP3, RADIUS, LDAP, TACACS+
• Single Sign On: Directory Services (FSSO, NTLM) and RADIUS (RSSO)
Remote Server Authentication - Single Sign On (SSO)

• Users who authenticate to a domain can leverage an existing
  authentication event for firewall authentication
• Users enter their credentials only once and get access to multiple
  network resources without receiving additional login prompts
• With a FortiGate, you can implement SSO using one of the following two
  methods:
  o FSSO: Fortinet proprietary communication framework for collecting and
    forwarding user login events to FortiGate devices
  o RSSO: communication framework in which RADIUS Accounting packets
    containing login and logoff events are sent to the FortiGate device
Remote Server Authentication – POP3

• Most authentication protocols employ a user name and password
  combination
  o RADIUS, FSSO, etc.
• For example:
  User: jsmith
  Password: <password>
• POP3 servers authenticate users based on email address
  User: jsmith@<domain>.com (or just jsmith)
  Password: <password>
Two-Factor Authentication (2FA)

• 2FA is strong authentication that improves security by preventing
  attacks associated with the use of static passwords alone
• 2FA requires two independent ways of identifying a user:
  o Something you know, such as a password or PIN
  o Something you have, such as a token or PKI certificate
• One-time password (OTP) algorithms can be either time-based or
  event-based:
  o Fortinet OTPs are time-based, so it is important that the FortiGate
    system clock is accurate (keep it synchronized with NTP)
• Token-based codes are one-time use only: a code captured after it has
  been used, or after its time window has passed, is already useless.
  A code relayed by a phisher in real time, inside its window, can still
  be used, so 2FA reduces rather than eliminates that risk
Two-Factor Authentication - One-Time Password

• FortiToken / FortiToken Mobile:
  o Every 60 seconds, the token generates a 6-digit code based on a unique
    seed and GMT (UTC) time
  • Hardware FortiToken
  • FortiToken Mobile: available for iOS and Android
• Alternate methods of delivery
  o Email: the one-time password is sent to the user’s configured email
    address
  o SMS: the one-time password is sent by email to the user’s SMS provider
    (email-to-SMS gateway); the email address pattern varies by provider
Two-Factor Authentication - Tokens

[Figure: the OTP generator (token) on the left and the validation server
on the right run the same algorithm over the same seed and the same time,
so both arrive at the same OTP value. The user submits the static password
plus the OTP; the server validates the static password, computes its own
OTP from time + seed, and compares the two OTP values. The server keeps
time sync with an accurate NTP source, and the token's time (marked * on
the slide) must agree with it.]
Adding a FortiToken

[Screenshot: adding a FortiToken on FortiGate]
Authentication Types

• Active
  o User receives a login prompt and must manually enter credentials to
    authenticate
  o Used with LDAP, RADIUS, Local, and TACACS+
• Passive
  o User does not receive a login prompt, as credentials are determined
    automatically
  o Method varies depending on the type of authentication used
  o Used with FSSO, RSSO, and NTLM
Active Authentication Triggers

• Active user authentication is triggered through any of the following
  supported protocols:
  o HTTP
  o HTTPS
  o FTP
  o Telnet
• Authentication protocols must be allowed by the policy with
  authentication enabled
• All other services are not allowed until the user has first
  authenticated successfully through one of the protocols above
Authentication Types: Order of Operations

• When both active and passive authentication are enabled, the first
  method that can determine a user name is used
• If the user’s information cannot first be determined through passive
  means, active methods are employed
Firewall Policy: Source

• Firewall policies can include user and/or group data as part of the
  source
• Authentication succeeds for a policy when the user matches one of the
  users or groups configured as the source of that policy

[Screenshot: the Source section of a firewall policy, where users and
groups are selected]
Firewall Policy: DNS

• DNS traffic is allowed through an authentication policy even if the user
  has not authenticated yet
  o Hostname resolution is often required before the HTTP/HTTPS/FTP/Telnet
    traffic with which a user can actually authenticate is ever seen
  o The DNS service must be explicitly listed as a service in the policy
Mixing Policies

• Enabling authentication on a single policy does not always force an
  active authentication prompt
  o If a later policy allows the same traffic without authentication,
    FortiGate falls through to that policy and the user is never prompted
• 2 options:
  o Enable authentication on every policy that could match the traffic
  o Enable a captive portal on the ingress interface for the traffic
Captive Portal

• Enabling a captive portal on an interface forces the authentication
  page to appear whenever it receives unauthenticated traffic

[Figure: the local network connects to port 1 of the FortiGate and port 2
faces outward; the captive portal is enabled on port 1, the ingress
interface for the users' traffic]
Example: Captive Portal

• Only active authentication methods can use captive portal

[Screenshot: captive portal settings on an interface]
Captive Portal Exceptions

• If captive portal is enabled, but you don’t want it applied for specific
  devices…
  o Printers, fax machines, game consoles may not be able to use active
    authentication, but still need to be allowed by the firewall policy

Exempt a policy from the captive portal:

    config firewall policy
        edit <policy_id>
            set captive-portal-exempt enable
        next
    end

Exempt specific source addresses with a security exempt list:

    config user security-exempt-list
        edit <list_name>
            config rule
                edit <rule_id>
                    set srcaddr <address_object>
                next
            end
        next
    end
Disclaimers

• Displays the Terms and Disclaimer Agreement page before the user
  authenticates
  o The user must accept the disclaimer to proceed with the authentication
    process
  o The user is then directed to the original destination (or to the
    authentication login)

    config firewall policy
        edit <policy_id>
            set disclaimer enable
        next
    end
Modifying Disclaimers

• Not all disclaimers are/need to be the same
  o Text can be altered
  o Images can be added (to HTML messages)
Authentication Timeout

    config user setting
        set auth-timeout-type [idle-timeout|hard-timeout|new-session]
    end

• The timeout specifies how long a user stays authenticated before the
  user must authenticate again
• Default is 5 minutes
• 3 options for behavior:
  • Idle (default) – authentication expires once there has been no traffic
    from the user for that amount of time
  • Hard – absolute value; authentication expires that amount of time after
    login, regardless of activity
  • New session – authentication expires if the user has created no new
    session for that amount of time; existing sessions keep running
Users and User Groups

• Adding users to an external server
  o LDAP
  o RADIUS
• Creating users and user groups for firewall authentication on FortiGate
LDAP Overview

• Lightweight Directory Access Protocol (LDAP) is an application protocol
  for accessing and maintaining distributed directory information services
• Structure similar to a tree
  o Contains entries (objects) in each branch:
    • Each entry has a unique ID, the Distinguished Name (DN)
    • Each entry also has attributes
    • Each attribute has a name and one or more values
    • Attributes are defined in a directory schema
LDAP Hierarchy

• The LDAP tree usually tends to match the hierarchy of the customer’s
  organization
• The root represents the organization itself, as it is defined as Domain
  Components (dc), such as:
  o dc=example, dc=com
• Additional levels can include:
  o c (country)
  o ou (organizational unit)
  o o (organization)
• User accounts or groups usually have element names such as ‘uid’
  (user ID) or ‘cn’ (common name)
LDAP Directory Tree example

    dc=example,dc=com
    ├── c=usa
    ├── c=france
    │   ├── ou=hr
    │   │   └── uid=abush
    │   └── ou=it
    │       ├── uid=apiquet
    │       └── uid=jsmith
    │           email: jsmith@example.com
    │           objectClass: inetOrgPerson
    └── c=canada

DN: uid=jsmith,ou=it,c=france,dc=example,dc=com
LDAP Query Configuration

[Screenshot: LDAP server settings on FortiGate]

• Common Name Identifier: name of the attribute that identifies each user
  (for example uid, or sAMAccountName for Active Directory)
• Distinguished Name: parent branch where all users are located; the
  search starts there, so users outside that branch cannot authenticate
• Bind credentials: user name and password of an LDAP administrator (any
  account with search rights on the branch is enough) that FortiGate uses
  to look up the user’s DN before verifying the user’s own password
Testing the LDAP Query

• From the CLI:

    diagnose test authserver ldap <server_name> <user> <password>

• Output sample

    # diagnose test authserver ldap Lab jsmith fortinet
    authenticate 'jsmith' against 'Lab' succeeded!
    Group membership(s) -
      CN=SSLVPN,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com
      CN=TAC,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com
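The query configuration slide and the diagnose output above together describe the sequence a FortiGate runs for a regular bind: bind with the administrator credentials, search the Distinguished Name branch for an entry whose Common Name Identifier attribute equals the submitted user name, then bind as the entry found with the user's password and read its group membership. The block below is an added example, not FortiOS code, that walks through that sequence against a constructed in-memory directory shaped like the example tree on the earlier slide. The directory contents, the service account, the `memberOf` values and the failure reasons are all constructed; only the setting names (`cnid`, `dn`, `type regular`, `username`, `password`) are FortiGate's.

```python
# Constructed in-memory directory mirroring the slide's example tree.
# Passwords are kept in clear only so the bind step can run offline; a real
# directory stores hashes and verifies them inside the BIND operation.
DIRECTORY = {
    "cn=fgt-bind,ou=svc,dc=example,dc=com": {
        "cn": "fgt-bind", "userPassword": "bind-pw",
    },
    "uid=jsmith,ou=it,c=france,dc=example,dc=com": {
        "uid": "jsmith", "objectClass": "inetOrgPerson",
        "mail": "jsmith@example.com", "userPassword": "fortinet",
        "memberOf": ["cn=it-staff,ou=groups,dc=example,dc=com"],
    },
    "uid=apiquet,ou=it,c=france,dc=example,dc=com": {
        "uid": "apiquet", "objectClass": "inetOrgPerson",
        "userPassword": "apiquet-pw", "memberOf": [],
    },
    "uid=abush,ou=hr,c=france,dc=example,dc=com": {
        "uid": "abush", "objectClass": "inetOrgPerson",
        "userPassword": "abush-pw", "memberOf": [],
    },
}

# Hypothetical FortiGate LDAP server definition (config user ldap), using
# the real setting names with constructed values.
FGT_LDAP = {
    "cnid": "uid",
    "dn": "dc=example,dc=com",
    "type": "regular",
    "username": "cn=fgt-bind,ou=svc,dc=example,dc=com",
    "password": "bind-pw",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a submitted user name cannot inject filter
    syntax such as '*' or ')(' into the (cnid=value) search."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(cnid: str, username: str) -> str:
    return f"({cnid}={escape_filter_value(username)})"


def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def bind(directory: dict, dn: str, password: str) -> bool:
    """LDAP BIND. An empty password is refused outright: many servers treat
    it as an anonymous bind that 'succeeds', which would let anyone in."""
    if not password:
        return False
    entry = directory.get(dn)
    return entry is not None and entry.get("userPassword") == password


def search(directory: dict, base: str, cnid: str, username: str) -> list:
    """Evaluate the escaped (cnid=username) filter under the base DN: an
    exact attribute compare, so no wildcard from the user name survives."""
    return [dn for dn, attrs in directory.items()
            if in_subtree(dn, base) and attrs.get(cnid) == username]


def fortigate_ldap_auth(cfg: dict, username: str, password: str, directory: dict = DIRECTORY):
    """Regular-bind flow: service-account bind, DN lookup, user bind.
    Returns (ok, reason, groups)."""
    if cfg["type"] == "regular" and not bind(directory, cfg["username"], cfg["password"]):
        return False, "bind credentials rejected", []
    matches = search(directory, cfg["dn"], cfg["cnid"], username)
    if len(matches) != 1:
        return False, ("user not found" if not matches else "ambiguous user"), []
    user_dn = matches[0]
    if not bind(directory, user_dn, password):
        return False, "wrong password", []
    return True, "ok", list(directory[user_dn].get("memberOf", []))


if __name__ == "__main__":
    print("filter sent:", build_filter(FGT_LDAP["cnid"], "jsmith"))
    print(fortigate_ldap_auth(FGT_LDAP, "jsmith", "fortinet"))
    print(fortigate_ldap_auth({**FGT_LDAP, "dn": "ou=hr,c=france,dc=example,dc=com"},
                              "jsmith", "fortinet"))
```

Two of the checks are worth carrying over to a real deployment: a Distinguished Name that is too narrow silently excludes users elsewhere in the tree (the diagnose command reports it as a failed lookup, not as a configuration error), and an LDAP server that accepts an empty password as an anonymous bind turns the second bind step into a bypass, so test that case explicitly with the diagnose command after enabling a new server.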

RADIUS Overview

• Standard protocol that provides Authentication, Authorization and
  Accounting (AAA) services

[Figure: the user authenticates to the FortiGate; the FortiGate sends an
Access-Request to the RADIUS server, which replies with Access-Accept,
Access-Reject, or Access-Challenge (asking for more information, for
example a token code)]
RADIUS Configuration

• A Fortinet Vendor-Specific Attributes (VSA) dictionary is provided to
  identify the Fortinet-proprietary RADIUS attributes

[Screenshot: RADIUS server settings on FortiGate]
• Server: IP address or FQDN of the RADIUS server
• Secret: must match the key configured on the server
Testing RADIUS Queries

• From the FortiGate CLI:

    diagnose test authserver radius <server_name> <scheme> <user> <password>

• Supported schemes are:
  o chap
  o pap
  o mschap
  o mschap2
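The schemes listed above decide how the password travels inside the Access-Request, and the shared secret from the configuration slide is what protects it. The block below is an added example, not Fortinet code: it builds a minimal RADIUS Access-Request for the pap and chap schemes per RFC 2865 (mschap and mschap2 are not shown), lets a simulated server recover or recompute the credential, and computes the Response Authenticator a client checks on the reply. The secret, the fixed Request Authenticator and the user database are constructed; a real client uses a fresh random authenticator for every request.

```python
import hashlib
import struct

# Constructed demo values (not from the slides): the shared secret that must
# be identical on FortiGate and the RADIUS server, and a fixed 16-byte
# Request Authenticator so the output is reproducible.
SECRET = b"fortinet-demo-secret"
REQUEST_AUTH = bytes(range(16))

# Constructed user database on the RADIUS server side.
USERS = {b"jsmith": b"fortinet"}


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the chaining and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: CHAP ident || MD5(ident || password || challenge).
    With no CHAP-Challenge attribute, the Request Authenticator is the challenge."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def access_request(ident: int, username: bytes, password: bytes, scheme: str,
                   secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request (Code 1) with User-Name (type 1) plus either
    User-Password (type 2, pap) or CHAP-Password (type 3, chap)."""
    attrs = attr(1, username)
    if scheme == "pap":
        attrs += attr(2, pap_hide(password, secret, authenticator))
    elif scheme == "chap":
        attrs += attr(3, chap_response(ident, password, authenticator))
    else:
        raise ValueError("only pap and chap are shown here")
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def server_check(packet: bytes, secret: bytes, users: dict) -> bool:
    """RADIUS server side: recover (pap) or recompute (chap) the credential."""
    authenticator, attrs = packet[4:20], parse_attrs(packet)
    password = users.get(attrs.get(1))
    if password is None:
        return False
    if 2 in attrs:
        return pap_reveal(attrs[2], secret, authenticator) == password
    if 3 in attrs:
        chap = attrs[3]
        return chap == chap_response(chap[0], password, authenticator)
    return False


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    The client recomputes this over the reply; with a mismatched secret the
    Access-Accept is discarded, which shows up as a timeout, not an error."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


if __name__ == "__main__":
    pkt = access_request(7, b"jsmith", b"fortinet", "pap", SECRET, REQUEST_AUTH)
    print("pap, matching secret:", server_check(pkt, SECRET, USERS))
    print("pap, wrong secret:   ", server_check(pkt, b"wrong", USERS))
```

Two points the diagnose command will not tell you: with pap the secret is the only thing hiding the password, and MD5-based hiding is reversible by anyone who learns it, so RADIUS traffic belongs inside an IPsec tunnel or on a management network; with chap the secret is not used for the password at all, only for the Response Authenticator, so a wrong secret on a chap test fails at the reply, not at the request.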

Users

Types of User Groups

[Figure: the four group types and where their members come from –
Firewall (local user), Guest ("Paris Visitors"), FSSO (Active Directory),
RSSO (RADIUS server)]

• User groups are assigned one of four group types: Firewall, Fortinet
  Single Sign On (FSSO), Guest, and RADIUS Single Sign On (RSSO)
• Firewall user groups provide access to firewall policies that require
  authentication
• FSSO and RSSO are used for Single Sign On authentication
Guest User Groups

• Most commonly used in wireless networks for guests
• Guest groups contain temporary accounts
Configuring User Groups

[Screenshot: the user group configuration page]
• Members: select the local users that belong to the group
• Remote groups: select the remote authentication servers that contain
  users that belong to the group
Configuring Policies with Users

• In a firewall policy, the definition of the traffic’s source can include
  both user account and IP address
Monitoring Users

• Displays logged-in users, groups, duration, source IP address, amount of
  traffic sent, and the authentication method
• Also used to terminate authenticated sessions
Monitoring Users via Event Logs

• Successful authentication does not generate a log event
  o Log & Report > Event Log > User is primarily for behavior between the
    FortiGate and remote servers (RADIUS, LDAP, etc.)
  o User details are integrated into most logs while the user is
    authenticated
Review

• Authentication
• Three methods of authentication
• Authentication protocols
• Two-factor authentication (OTP and tokens)
• Authentication types (active and passive)
• Authentication policies
• Captive portals and disclaimers
• Authentication timeout
• Users/user groups
  o LDAP, RADIUS
  o FortiGate
• Monitoring firewall users