Syslog
The FortiAuthenticator can parse username and IP address information from a syslog feed from a third party device, and inject this information into FSSO so it can be used in FortiGate and FortiCache identity based policies.
Syslog objects include sources and matching rules. Sources identify the entities sending the syslog messages, and matching rules extract the events from the syslog messages. Messages coming from non-configured sources will be dropped.
To configure syslog objects, go to Fortinet SSO Methods > SSO > Syslog.
Create New | Create a new syslog source or matching rule. |
Delete | Select to delete the selected object or objects. |
Edit | Select to edit the selected object. |
Syslog SSO Items | Select Syslog Sources or Matching Rules from the drop-down list. |
Name | The name of the source or rule. |
Client name/IP | The IP address or the client. |
Matching rules
A matching rule is a query, or policy, that is applied to a syslog message in order to determine required information, such as the username and IP address. Rules are required for every syslog source.
Predefined rules are available for Cisco and Aruba wireless controllers (see Predefined rules on page 119). For other systems, custom policies can be created to parse message files in various formats.
Syslog
To create a new matching rule:
- In the syslog list, select Matching Rules from the Syslog SSO Items drop-down menu.
- Select Create New. The Create New Matching Rule page ones.
- Enter the following information:
Name | Enter a name for the source. |
Description | Optionally, enter a description of the rule. |
Fields to Extract | Configure the fields that are to be extracted from the message. |
Trigger | Optionally, enter a string that must be present in all syslog messages. This will act as a pre-filter. |
Auth Type
Indicators |
Enter strings to differentiate between the types of user activities: Login, Update (optional), and Logout (optional). |
Username field | Define the semantics of the username field. For example: User-Name=
{{user}}, Where {{user}} indicates where the username is extracted from. |
Client IP field | Define the semantics of the client IP address. |
Group field | Optionally, define the semantics of the group. The group may not always be included in the syslog message, and may need to be retrieved from a remote LDAP server. |
Test Rule | Paste a sample log message into the text box, then select Test to test that the desired fields are correctly extracted. |
- Select OK to add the new matching rule.
Syslog sources
Each syslog source must be defined for traffic to be accepted by the syslog daemon. Each source must also be configured with a matching rule that can be either pre-defined or custom built.
Syslog
To add a new syslog source:
- In the syslog list, select Syslog Sources from the Syslog SSO Items drop-down menu.
- Select Create New. The Create New Syslog Source page ones.
- Enter the following information:
Name | Enter a name for the source. |
IP Address | Enter the IP address of the source. |
Matching Rule | Select the requisite matching rule from the drop-down list. A matching must already be created for the source. |
SSO User Type | Select the SSO user type:
l External: Users are not defined on the FortiAuthenticator and user groups come from the source. l Local users: Users are defined on the FortiAuthenticator as local users, and user groups are retrieved from the local groups. Any group from the syslog messages will be ignored. l Remote users: Users are defined on a remote LDAP server and user groups are retrieved from the LDAP server. Any group from the syslog messages will be ignored. |
- Select OK to add the source.
Predefined rules
Predefined matching rules are included for Cisco and Aruba wireless controllers.
Cisco ISE
Accounting Start Log
Trigger | CISE_RADIUS_Accounting |
Auth Type Indicators | Acct-Status-Type=Start (Login) |
Username field | User-Name={{user}}, |
Client IP field | Framed-IP-Address={{ip}}, |
Accounting Stop Log
Trigger | CISE_RADIUS_Accounting |
Auth Type Indicators | Acct-Status-Type=Stop (Logout) |
Username field | User-Name={{user}}, |
Client IP field | Framed-IP-Address={{ip}}, |
FortiGate group filtering
Aruba
Trigger | None; any logs are accepted. |
Auth Type Indicators | User Authentication Successful (Login) (exact match required; no delimiter or value) |
Username field | username={{user}}, |
Client IP field | Framed-IP-Address={{ip}}, |
Group field | profile={{group}}, |
FortiGate group filtering
If you are providing FSSO to only certain groups on a remote LDAP server, you can filter the polling information so that it includes only those groups, or organizational units (OU).
To view a list of the FortiGate group filters, go to Fortinet SSO Methods > SSO > FortiGate Filtering.
To create a new group filter:
- From the FortiGate group filters select Create New.
The Create New FortiGate Group Filter window opens.
- Enter the following information:
Name | Enter a name in the Name field to identify the filter. |
FortiGate name/IP | Enter the FortiGate unit’s FQDN or IP address. |
Description | Optionally, enter a description of the filter. |
IP filtering rules
Forward FSSO information for users from the following
subset of users/groups/containers/OUs only |
Select to forward FSSO information for users from only the specific subset of users, groups, or containers.
Select Create New under SSO Filtering Objects, enter a name to identify the policy, and select the object type: Group:Specifies the DN of a group. All users who are members of that group must be included in SSO. Group container:Specifies the DN of an LDAP container, e.g. OU. All users who are members of a group under that container or one of its subcontainers must be included in SSO. User:Specifies the DN of a user. This user must be included in SSO. User container:Specifies the DN of an LDAP container, e.g. OU. All users who are under that container or one of its sub-containers must be included in SSO. User and group container:Specifies the DN of an LDAP container, e.g. OU. It is the union of the user and the group containers. You can also use the Import option to import an existing object. |
Enable IP filtering for this service | Select to enable IP filtering for this service.
Choose the desired IP filtering rules from the Available IP filtering rules box and move them to the Selected IP filtering rules box. See IP filtering rules on page 121 for more information. |
- Select OK to create the new FortiGate group filter.
IP filtering rules
The user logon information that is sent to the FortiGate units can be restricted to specific IP addresses or address ranges. If no filters are defined, information is sent for all addresses.
To view the list of the IP filtering rules, go to Fortinet SSO Methods > SSO > IP Filtering Rules.
To create new IP filtering rules:
- From the IP filtering rules list, select Create New. The Create New IP Filtering Rule window opens.
- Enter the following information:
Name | Enter a name for the rule. |
Filter Type | Select whether the rule will specify an IP address and netmask or an IP address range. |
Rule | Enter either an IP address and netmask or an IP address range (depending on the selected filter type). For example: l IP/Mask: 10.0.0.1/255.255.255.0 l IP Range: 10.0.0.1/10.0.0.99 |
- Select OK to create the new IP filtering rule.
121
Tiered architecture
Tiered architecture
Tier nodes can be managed by going to Fortinet SSO Methods > SSO > Tiered Architecture.
The following options are available:
Create New | Select to create a new tier node. |
Delete | Select to delete the selected node or nodes. |
Edit | Select to edit the selected node. |
Search | Enter a search term in the search text box then select Search to search the tier node list. |
Name | The node name. |
Tier Role | The node’s tier role, either Collector or Supplier. |
Address | The IP address of the node. |
Port | The collector port number. Only applicable if TierRole is Collector. |
Serial Number | The serial number or numbers. |
Enabled | If the node is enabled, a green circle with a check mark will be shown. A node can be disabled without losing any of its settings. |
To add a new tier node:
- From the tier node list, select Create New. The Create New TierNode window opens.
- Enter the following information:
Name | Enter a name to identify the node. |
Serial number | Enter the device serial number. |
FortiClient SSO Mobility Agent
Alternate serial number | Optionally, enter a second, or alternate, serial number for an HA cluster member. |
Tier Role | Select the tier node role, either Supplier or Collector. |
Node IP address | Enter the IP address for the supplier or collector. |
Collector port | Enter the collector port number. Default is 8002. This only applies is Collector is selected as the TierRole. |
Disable | Disable the node without losing any of its settings. |
- Select OK to create the new tier node.