FortiGate-7060E Chassis

FortiGate-7060E Chassis

The FortiGate-7060E is a 8U 19-inch rackmount 6-slot chassis with a 80Gbps fabric and 1Gbps base backplane designed by Fortinet. The fabric backplane provides network data communication and the base backplane provides management and synch communication among the chassis slots.

FortiGate-7060E front panel

The chassis is managed by two redundant management modules. Each module includes an Ethernet connection as well as two switchable console ports that provide console connections to the modules in the chassis slots. The active management module controls chassis cooling and power management and provides an interface for managing the modules installed in the chassis.

FortiGate-7060E front panel, (example module configuration)

 

Do not operate the FortiGate-7060E chassis with open slots on the front or back panel. For optimum cooling performance and safety, each chassis slot must contain an FIM or FPM module or an FIM or FPM blank panel (also called a dummy card). For the same reason, all cooling fan trays, power supplies or power supply slot covers must be installed while the chassis is operating.

Power is provided to the chassis using four hot swappable 3+1 redundant 100-240 VAC, 50-60 Hz power supply units (PSUs). You can also optionally add up to six PSUs to provide 3+3 redundancy. The FortiGate-7060E can also be equipped with DC PSUs allowing you to connect the chassis to -48V DC power

The standard configuration of the FortiGate-7060E includes two FIM (interface) modules in chassis slots 1 and 2 and up to four FPM (processing) modules in chassis slots 3 to 6.

FIM modules

FIM modules are hot swappable interface modules that provide data and management interfaces, base backplane switching and fabric backplane session-aware load balancing for the chassis. The FIM modules include an integrated switch fabric and DP2 processors to load balance millions of data sessions over the chassis fabric backplane to FPM processor modules. The following FIM modules are available:

  • The FIM-7901E includes thirty-two front panel 10GigE SFP+ fabric channel interfaces (A1 to A32). These interfaces are connected to 10Gbps networks. These interfaces can also be configured to operate as Gigabit Ethernet interfaces using SFP transceivers.
  • The FIM-7904E includes eight front panel 40GigE QSFP+ fabric channel interfaces (B1 to B8). These interfaces are connected to 40Gbps networks. Using 40GBASE-SR4 multimode QSFP+ transceivers, each QSFP+ interface can also be split into four 10GBASE-SR interfaces and connected to 10Gbps networks.
  • The FIM-7910E (shown in FortiGate-7060E front panel, (example module configuration) on page 5) includes four front panel 100GigE CFP2 fabric channel interfaces (C1 to C4). These interfaces can be connected to 100Gbps networks. Using 100GBASE-SR10 multimode CFP2 transceivers, each CFP2 interface can also be split into ten 10GBASE-SR interfaces and connected to 10Gbps networks.
  • The FIM-7920E includes four front panel 100GigE QSFP28 fabric channel interfaces (C1 to C4). These interfaces can be connected to 100Gbps networks. Using a 100GBASE-SR4 QSFP28 or 40GBASE-SR4 QSFP+ transceiver, each QSFP28 interface can also be split into four 10GBASE-SR interfaces and connected to 10Gbps networks.

If you are installing different FIM modules in the FortiGate-7060E chassis, for optimal configuration you should install the module with the lower model number in slot 1 and the module with the higher number in slot 2. For example, if your chassis includes a FIM-7901E and a FIM-7904E, install the FIM-7901E in chassis slot 1 and the FIM7904E in chassis slot 2. Also, for example, if your chassis includes a FIM-7904E and a FIM-7920E, install the FIM-7904E in chassis slot 1 and the FIM-7920E in chassis slot 2. This applies to any combination of two different interface modules.

FPM-7620E FPM modules

The FPM-7620E modules are hot swappable processor modules that provide FortiOS firewalling and security services. The FPM modules function as workers, processing sessions load balanced to them by the FIM modules.

FPM modules include multiple NP6 network processors and CP9 content processors to accelerate traffic.

back panel

FortiGate-7060E back panel

The FortiGate-7060E back panel provides access to three hot swappable cooling fan trays and the chassis ground connector that must be connected to ground.

FortiGate-7060E back panel

Registering your FortiGate-7060E chassis

FortiGate-7000 series products are registered according to the chassis serial number. You need to register your chassis to receive Fortinet customer services such as product updates and customer support. You must also register your product for FortiGuard services. Register your product by visiting https://support.fortinet.com. To 7

FortiGate-7060E chassis schematic

register, enter your contact information and the serial numbers of the Fortinet products that you or your organization have purchased.

FortiGate-7060E chassis schematic

The FortiGate-7060E chassis schematic below shows the communication channels between chassis components including the management modules (MGMT), the FIM modules (called FIM1 and FIM2) and the FPM modules (FPM3, FPM4, FPM5, and FPM6).

By default MGMT2 is the active management module and MGMT1 is inactive. The active management module always has the IPMB address 0x20 and the inactive management module always has the IPMB address 0x22.

The active management module communicates with all modules in the chassis over the base backplane. Each module, including the management modules has a Shelf Management Controller (SMC). These SMCs support Intelligent Platform Management Bus (IPMB) communication between the active management module and the FIM and FPM modules for storing and sharing sensor data that the management module uses to control chassis cooling and power distribution. The base backplane also supports serial communications to allow console access from the management module to all modules, and 1Gbps Ethernet communication for management and heartbeat communication between modules.

FIM1 and FIM2 (IPMB addresses 0x82 and 0x84) are the FIM modules in slots 1 and 2. The interfaces of these modules connect the chassis to data networks and can be used for Ethernet management access to chassis components. The FIM modules include DP2 processors that distribute sessions over the Integrated Switch Fabric (ISF) to the NP6 processors in the FPM modules. Data sessions are communicated to the FPM modules over the 80Gbps chassis fabric backplane.

 

Chassis hardware information

FPM03, FPM04, FPM05, and FPM06 (IPMB addresses 0x86, 0x88, 0x8A, and 0x8C) are the FPM processor modules in slots 3 to 6. These worker modules process sessions distributed to them by the FIM modules. FPM modules include NP6 processors to offload sessions from the FPM CPU and CP9 processors that accelerate content processing.

Chassis hardware information

This section introduces FortiGate-7060E hardware components and accessories including power requirements and FIM and FPM modules that can be installed in the chassis.

Shipping components

The FortiGate-7060E chassis ships pre-assembled with the following components:

l The 8U FortiGate-7060E chassis l Two FIM modules l Up to four FPM modules l Two management modules installed in the front of the chassis l Four Power Supply Units (PSUs) installed in the front of the chassis l Three cooling fan trays installed in the back of the chassis l One protective front panel installed in the chassis to protect internal chassis components. This panel must be removed before installing FIM and FPM modules. l Four power cords with C15 power connectors l Four power cord management clamps l One set of 4-post rack mounting components l One set of 2-post rack mounting components l One pair of cable management side brackets l Two front mounting brackets l Twenty M4x6 flat-head screws l Six M4x8 large head pan-head screws l Six rubber feet l Two console cables l One RJ-45 Ethernet cable

Optional accessories and replacement parts

The following optional accessories can be ordered separately:

SKU Description
FG-7060E-FAN FortiGate-7060E fan tray.
FG-7060E-PS-AC 1500W AC power supply units (PSUs) for the FortiGate-7060E.

9

Chassis hardware information

SKU Description
FG-7060E-SMM FortiGate-7060E management module.
FG-7060E-CHASSIS FortiGate-7060E chassis including 2x management module, 3x fan trays, and 4x AC PSUs.

You can also order the following:

  • Additional FIM and FPM modules l Transceivers
  • DC PSUs
  • Air Filter kit
  • FPM and FIM single slot cover trays to be installed in empty chassis slots The following optional accessories can be ordered separately:
  • Additional FIM and FPM modules l Transceivers
  • DC PSUs
  • Additional AC PSUs l Additional FAN trays l Air Filter kit
  • FPM and FIM blank panels to be installed in empty chassis slots

Physical description of the FortiGate-7060E chassis

The FortiGate-7060E chassis is a 8U chassis that can be installed in a standard 19-inch rack. The following table describes the physical characteristics of the FortiGate-7060E chassis.

Dimensions (H x W x D) 352.7 x 440 x 650 mm (13.4 x 17.3 x 25.6 in)
Chassis weight completely assembled with FIM and FPM modules installed 205 lbs (93 kg)
Operating Temperature 32 to 104°F (0 to 40°C)
Storage Temperature -31 to 158°F (-35 to 70°C)
Relative Humidity 10% to 90% non-condensing
Noise Level 63db
Input Current and Voltage Range 10-12 A, 100 to 240 VAC (50 to 60 Hz)
Power Support Rating max. 3277W
Supplied Power Supply Units (PSUs) 4 (for 3+1 redundancy)

Cooling fans, cooling air flow, and minimum clearance

Max Power Supply Units (PSUs) 6 (for 3+3 redundancy)
Max Power Consumption 3277W
Average Power Consumption 2330W
Heat Dissipation 11799KJ/hr (11184BTU/hr)

Cooling fans, cooling air flow, and minimum clearance

The FortiGate-7060E chassis contains three hot swappable cooling fan trays installed in the back of the chassis. Each fan tray includes two fans that operate together. When the fan tray LED is green both fans are operating normally. If the LED turns red or goes off, one or both of the fans is not working and the fan tray should be replaced.

Cooling fans, cooling air flow, and minimum clearance

Cooling Fan Tray

Fan

LED

During normal chassis operation, all three fan trays are active and the fan speed is controlled by the active shelf manager. Fan trays are hot swappable. You can replace a failed fan tray while the chassis is operating. To replace a fan tray, unscrew the four retention screws and use the handles to pull the fan tray out of the chassis.

Install a replacement fan tray by sliding it into place in the empty slot and tightening the retention screws. As you slide the new fan into place it will power up and the fan tray LED will light.

The other fan trays will continue to operate and cool the chassis as a fan tray is being removed and replaced. However an open fan tray slot will result in less air flow through the chassis so do not delay installing the replacement fan tray.

Optional Air Filters

Cooling air flow and required minimum air flow clearance

When installing the chassis, make sure there is enough clearance for effective cooling air flow. The following diagram shows the cooling air flow through the chassis and the locations of fan trays. Make sure the cooling air intake and warm air exhaust openings are not blocked by cables or rack construction because this could result in cooling performance reduction and possible overheating and component damage.

FortiGate-7060E cooling air flow and minimum air flow clearance

Most cool air enters the chassis through the chassis front panel and all warm air exhausts out the back. For optimal cooling allow 100 mm of clearance at the front and back of the chassis and 50 mm of clearance at the sides. Under these conditions 80% of cooling air comes from the front panel air intake and 20% from the left and right side panels and 100% exits out the back. Side clearance is optional and chassis cooling will be sufficient if no side clearance is available.

Optional Air Filters

You can purchase an optional NEBS compliant air filter kit that includes a front filter that fits over the front of the chassis and two filters for the side cool air intakes. These filters are not required for normal operation but can be added if you require air filtration.

The air filters should be inspected regularly. If dirty or damaged, the filters should be disposed of and replaced.

The air filters can be fragile and should be handled carefully.

Power Supply Units (PSUs) and supplying power to the chassis

Power Supply Units (PSUs) and supplying power to the chassis

The FortiGate-7060E chassis front panel includes four hot swappable AC or DC PSUs. At least three PSUs (1, 2, and 3) must be connected to power. Power supplies 4 to 6 are backup power supplies that provide 3+1 , 3+2, and 3+3 redundancy. See FortiGate-7060E front panel on page 5 for locations of the PSUs.

All PSUs should be connected to AC power. To improve redundancy you can connect each power supply to a separate power source.

Use a C15 Power cable, supplied with the chassis, to connect power to each PSU C16 power connector. C15/C16 power connectors are used for high temperature environments and are rated up to 120°C.

To remove a PSU from the chassis, press the latch towards the handle until the PSU is detached then pull it out of the chassis. Insert a replacement PSU into the chassis and slide it in until the latch locks into place. Then connect the PSU to AC power. You can do this while the chassis is operating as long as at least three PSUs remain connected to power.

AC Power Supply Unit (PSU) showing C16 power connector

Connector

The PSU LED indicates whether the PSU is operating correctly and connected to power. If this LED is not lit check to make sure the PSU is connected to power. If the power connection is good then the PSU has failed and should be replaced.

Connecting the FortiGate-7060E chassis to ground

The FortiGate-7060E chassis includes a ground terminal on the rear the bottom of the FortiGate-7060E back panel. The ground terminal provides two connectors to be used with a double-holed lug such as Thomas & Betts PN 54850BE. This connector must be connected to a local ground connection. You need the following equipment to connect the FortiGate-7060E chassis to ground:

  • An electrostatic discharge (ESD) preventive wrist strap with connection cord.
  • One green 6 AWG stranded wire with listed closed loop double-hole lug suitable for minimum 6 AWG copper wire, such as Thomas & Betts PN 54850BE.

Power Supply Units (PSUs) and supplying power to the chassis

To connect the FortiGate-7060E chassis to ground

  1. Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal surface on the chassis or frame.
  2. Make sure that the chassis and ground wire are not energized.
  3. Connect the green ground wire from the local ground to the ground connector on the FortiGate-7060E chassis.
  4. Secure the ground wire to the chassis.
  5. Optionally label the wire GND.

Turning on FortiGate-7060E chassis power

Connect AC power to PSUs 1, 2, 3, and 4. Once the FortiGate-7060E chassis is connected to power the chassis powers up. If the chassis is operating correctly, the LEDs on the PSUs and fans should be lit. As well, the LEDs on the FortiGate-7060E management module should be lit.

When the chassis first starts up you should also hear the cooling fans operating.

In addition, if any modules have been installed in the chassis they should power on and their front panel LEDs should indicate that they are starting up and operating normally.

 

 

FortiGate-7060E hardware assembly and rack mounting

FortiGate-7060E hardware assembly and rack mounting

The FortiGate-7060E chassis must be mounted in a standard 19-inch rack and requires 8U of vertical space in the rack. This chapter describes how to attach accessories to the FortiGate-7060E chassis, how to install the chassis in a 4-post or 2-post rack, and how to install FIM and FPM modules in the chassis front panel slots.

If you install the FortiGate-7060E chassis in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature. Make sure the operating ambient temperature does not exceed the manufacturer’s maximum rated ambient temperature.

It is recommended that you mount the FortiGate-7060E chassis near the bottom of the rack to avoid making the rack top-heavy and potentially falling over. If you are going to mount the chassis higher make sure the rack is well anchored. Since the chassis is over 100 lbs use a lift to raise the chassis into position before mounting it.

Installing accessories

These accessories are optional and not required for all configurations. If you have them, before mounting the chassis in a rack you should install the left and right front mounting brackets and the cable management brackets as shown in the following illustration.

Installing FortiGate-7060E accessories

You can also install power cord clamps into the front of the chassis beside each PSU. Install the clamps by inserting them into the holes adjacent each supply at the back of the chassis. Use the clamps to secure the AC power cords so they are not accidentally disconnected.

Mounting the FortiGate-7060E chassis in a four-post rack

The FortiGate-7060E package includes a set of extendable brackets that you can use to mount the chassis in a 4post rack. Install the brackets to create a 4-post rack mount tray that the chassis will slide on to. Attach each side of the tray to the 4-post rack using the front and back brackets as shown below. Make sure you install the tray with enough space above it for the chassis. The length of the tray sides adjusts to match your rack.

Once the 4-post rack mount tray has been installed, slide the chassis onto the tray and secure it to the rack mount tray as shown in the diagram.

Mounting the chassis in a four-post Rack

Mounting the FortiGate-7060E chassis in a two-post rack

The FortiGate-7060E package includes two mid-mount trays and two mid-mount ears that you can use to mount the chassis in a 2-post rack. As shown in the diagram, first attach the mid-mount trays to the rack making sure to leave enough space above the trays for the chassis. Then attach the mid-mount ears to the chassis also as shown in the diagram. Finally line up the mid-mount trays with the mid-mount ears so that the chassis is supported in the rack. Then use screws to attach the mid-mount ears and the chassis to the rack.

Mounting the chassis in a 2-post rack

screws

Air flow

For rack installation, make sure that the amount of air flow required for safe operation of the FortiGate-7060E chassis is not compromised. Make sure that the chassis ventilation openings at the front and back are not blocked by cables or other components. The recommended minimum clearance at the front of the chassis is 100 mm and the recommended clearance from the rear of the chassis is 100 mm. This results in a total footprint of 850 mm from front to back. See Cooling air flow and required minimum air flow clearance on page 13 for more details. hardware assembly and rack mounting Inserting FIM and FPM-7000 series modules

Inserting FIM and FPM-7000 series modules

All FortiGate-7060E chassis are shipped with a protective front panel installed in the chassis to protect internal chassis components. This panel must be removed before you install FIM and FPM modules.

Insert FIM modules into chassis slots 1 and 2. Insert FPM modules into chassis slots 3, 4, 5, and 6.

Do not operate the FortiGate-7060E chassis with open slots on the front or back panel. For optimum cooling performance and safety, each chassis slot must contain an FIM or FPM module or an FIM or FPM blank panel (also called a dummy card). For the same reason, all cooling fan trays, power supplies or power supply slot covers must be installed while the chassis is operating.

To insert FIM and FPM modules, see the guide supplied with the module.

You must carefully slide the module all the way into the chassis slot, close the handles to seat the module into the slot, and tighten the retention screws to make sure the module is fully engaged with the backplane and secured. You must also make sure that the sliding latches are fully closed by gently pushing them down. The handles must be closed, the retention screws tightened and the latches fully closed for the module to get power and start up. If the module is not receiving power all LEDs remain off.

All FIM and FPM-7000 series modules must be protected from static discharge and physical shock. Only handle or work with these boards at a static-free workstation. Always wear a grounded electrostatic discharge (ESD) preventive wrist strap when handling these boards.

Recommended slot locations for interface modules

If you are installing different FIM modules in the FortiGate-7060E chassis, for optimal configuration you should install the module with the lower model number in slot 1 and the module with the higher number in slot 2.

For example:

  • if your chassis includes a FIM-7901E and a FIM-7904E, install the FIM-7901E in chassis slot 1 and the FIM-7904E in chassis slot 2.
  • If your chassis includes a FIM-7904E and a FIM-7920E, install the FIM-7904E in chassis slot 1 and the FIM-7920E in chassis slot 2.

This applies to any combination of two different interface modules.

 

Examples and Troubleshooting

Examples and Troubleshooting

This chapter provides an example of a FortiGate unit providing authenticated access to the Internet for both Windows network users and local users. The following topics are included in this section:

  • Firewall authentication example
  • LDAP Dial-in using member-attribute example
  • RADIUS SSO example
  • Troubleshooting

Firewall authentication example

Example configuration

Overview

In this example, there is a Windows network connected to Port 2 on the FortiGate unit and another LAN, Network_1, connected to Port 3.

All Windows network users authenticate when they logon to their network. Members of the Engineering and Sales groups can access the Internet without entering their authentication credentials again. The example assumes that the Fortinet Single Sign On (FSSO) has already been installed and configured on the domain controller.

LAN users who belong to the Internet_users group can access the Internet after entering their username and password to authenticate. This example shows only two users, User1 is authenticated by a password stored on the FortiGate unit, User2 is authenticated on an external authentication server. Both of these users are referred to as local users because the user account is created on the FortiGate unit.

Creating a locally-authenticated user account

User1 is authenticated by a password stored on the FortiGate unit. It is very simple to create this type of account.

To create a local user – web-based manager:

  1. Go to User & Device > User Definition and select Create New.
  2. Follow the User Creation Wizard, entering the following information and then select Create:
User Type Local User
User Name User1
Password hardtoguess
Email Address

SMS

(optional)
Enable Select.

To create a local user – CLI:

config user local edit user1 set type password set passwd hardtoguess

end

Creating a RADIUS-authenticated user account

To authenticate users using an external authentication server, you must first configure the FortiGate unit to access the server.

To configure the remote authentication server – web-based manager:

  1. Go to User & Device > RADIUS Servers and select Create New.
  2. Enter the following information and select OK:
Name OurRADIUSsrv
Primary Server Name/IP 10.11.101.15
Primary Server Secret OurSecret
Authentication Scheme Select Use Default Authentication Scheme.

To configure the remote authentication server – CLI:

config user radius edit OurRADIUSsrv set server 10.11.102.15 set secret OurSecret set auth-type auto

Firewall authentication example

end

Creation of the user account is similar to the locally-authenticated account, except that you specify the RADIUS authentication server instead of the user’s password.

To configure a remote user – web-based manager:

  1. Go to User & Device > User Definition and select Create New.
  2. Follow the User Creation Wizard, entering the following information and then select Create:
User Type Remote RADIUS User
User Name User2
RADIUS server OurRADIUSsrv
Email Address

SMS

(optional)
Enable Select

To configure a remote user – CLI:

config user local edit User2 set name User2 set type radius

set radius-server OurRADIUSsrv

end

Creating user groups

There are two user groups: an FSSO user group for FSSO users and a firewall user group for other users. It is not possible to combine these two types of users in the same user group.

Creating the FSSO user group

For this example, assume that FSSO has already been set up on the Windows network and that it uses Advanced mode, meaning that it uses LDAP to access user group information. You need to

  • configure LDAP access to the Windows AD global catalog l specify the collector agent that sends user logon information to the FortiGate unit l select Windows user groups to monitor
  • select and add the Engineering and Sales groups to an FSSO user group

To configure LDAP for FSSO – web-based manager:

  1. Go to User & Device > LDAP Servers and select Create New.
  2. Enter the following information:
Name ADserver
Server Name / IP 10.11.101.160
Distinguished Name dc=office,dc=example,dc=com
Bind Type Regular
User DN cn=FSSO_Admin,cn=users,dc=office,dc=example,dc=com
Password set_a_secure_password
  1. Leave other fields at their default values.
  2. Select OK.

To configure LDAP for FSSO – CLI”

config user ldap edit “ADserver” set server “10.11.101.160”

set dn “cn=users,dc=office,dc=example,dc=com”

set type regular

set username “cn=administrator,cn=users,dc=office,dc=example,dc=com” set password set_a_secure_password

next

end

To specify the collector agent for FSSO – web-based manager

  1. Go to User & Device > Single Sign-On and select Create New.
  2. Enter the following information:
Type Fortinet Single Sign-On Agent
Name WinGroups
Primary Agent IP/Name 10.11.101.160
Password fortinet_canada
LDAP Server ADserver
  1. Select Apply & Refresh.

In a few minutes, the FortiGate unit downloads the list of user groups from the server.

To specify the collector agent for FSSO – CLI:

config user fsso edit “WinGroups” set ldap-server “ADserver” set password ENC

G7GQV7NEqilCM9jKmVmJJFVvhQ2+wtNEe9T0iYA5Sa+EqT2J8zhOrbkJFDr0RmY3c4LaoXdsoBczA

1dONmcGfthTxxwGsigzGpbJdC71spFlQYtj set server “10.11.101.160” end

Firewall authentication example

To create the FSSO_Internet-users user group – web-based manager:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name FSSO_Internet_users
Type Fortinet Single Sign-On (FSSO)
Members Engineering, Sales

To create the FSSO_Internet-users user group – CLI:

config user group edit FSSO_Internet_users set group-type fsso-service

set member CN=Engineering,cn=users,dc=office,dc=example,dc=com

CN=Sales,cn=users,dc=office,dc=example,dc=com end

Creating the Firewall user group

The non-FSSO users need a user group too. In this example, only two users are shown, but additional members can be added easily.

To create the firewall user group – web-based manager:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter the following information and then select OK:
Name Internet_users
Type Firewall
Members User1, User2

To create the firewall user group – CLI:

config user group edit Internet_users set group-type firewall set member User1 User2

end

Defining policy addresses

  1. Go to Policy & Objects > Addresses.
  2. Create the following addresses:
Address Name Internal_net
Type Subnet
Subnet / IP Range 10.11.102.0/24
Interface Port 3
Address Name Windows_net
Type Subnet
Subnet / IP Range 10.11.101.0/24
Interface Port 2

Creating security policies

Two security policies are needed: one for firewall group who connect through port3 and one for FSSO group who connect through port2.

To create a security policy for FSSO authentication – web-based manager:

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information:
Incoming Interface Port2
Source Address Windows_net
Source User(s) FSSO_Internet_users
Outgoing Interface Port1
Destination Address all
Schedule always
Service ALL
NAT ON
Security Profiles Optionally, enable security profiles.
  1. Select OK.

To create a security policy for FSSO authentication – CLI:

config firewall policy edit 0 set srcintf port2 set dstintf port1 set srcaddr Windows_net set dstaddr all

LDAP Dial-in using member-attribute example

set action accept set groups FSSO_Internet_users set schedule always set service ANY set nat enable

end

To create a security policy for local user authentication – web-based manager

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information:
Incoming Interface Port3
Source Address Internal_net
Source User(s) Internet_users
Outgoing Interface Port1
Destination Address all
Schedule always
Service ALL
NAT ON
Security Profiles Optionally, enable security profiles.
  1. Select OK.

To create a security policy for local user authentication – CLI

config firewall policy edit 0 set srcintf port3 set dstintf port1 set srcaddr internal_net set dstaddr all set action accept set schedule always set groups Internet_users set service ANY set nat enable

end

Monitoring authenticated users

Monitoring authenticated users

This section describes how to view lists of currently logged-in firewall and VPN users. It also describes how to disconnect users.

The following topics are included in this section:

  • Monitoring firewall users
  • Monitoring SSL VPN users
  • Monitoring IPsec VPN users
  • Monitoring users Quarantine

Monitoring firewall users

To monitor firewall users, go to Monitor > Firewall User Monitor.

You can de-authenticate a user by selecting the Delete icon for that entry.

You can filter the list of displayed users by selecting the funnel icon for one of the column titles or selecting Filter Settings.

Optionally, you can de-authenticate multiple users by selecting them and then selecting De-authenticate.

SSO using RADIUS accounting records

SSO using RADIUS accounting records

A FortiGate unit can authenticate users transparently who have already authenticated on an external RADIUS server. Based on the user group to which the user belongs, the security policy applies the appropriate UTM profiles. RADIUS SSO is relatively simple because the FortiGate unit does not interact with the RADIUS server, it only monitors RADIUS accounting records that the server forwards (originating from the RADIUS client). These records include the user’s IP address and user group.

After the initial set-up, changes to the user database, including changes to user group memberships, are made on the external RADIUS server, not on the FortiGate unit.

This section describes:

  • User’s view of RADIUS SSO authentication l Configuration Overview l Configuring the RADIUS server l Creating the FortiGate RADIUS SSO agent l Defining local user groups for RADIUS SSO l Creating security policies
  • Example: webfiltering for student and teacher accounts

User’s view of RADIUS SSO authentication

For the user, RADIUS SSO authentication is simple:

  • The user connects to the RADIUS server and authenticates.
  • The user attempts to connect to a network resource that is reached through a FortiGate unit. Authentication is required for access, but the user connects to the destination without being asked for logon credentials because the FortiGate unit knows that the user is already authenticated. FortiOS applies UTM features appropriate to the user groups that the user belongs to.

Configuration Overview

The general steps to implement RADIUS Single Sign-On are:

  1. If necessary, configure your RADIUS server. The user database needs to include user group information and the server needs to send accounting messages.
  2. Create the FortiGate RADIUS SSO agent.
  3. Define local user groups that map to RADIUS groups.
  4. Create a security policy which specifies the user groups that are permitted access.

 

Configuring the RADIUS server

You can configure FortiGate RSSO to work with most RADIUS-based accounting systems. In most cases, you only need to do the following to your RADIUS accounting system:

  • Add a user group name field to customer accounts on the RADIUS server so that the name is added to the RADIUS Start record sent by the accounting system to the FortiOS unit. User group names do not need to be added for all users, only to the accounts of users who will use RSSO feature on the FortiGate unit.
  • Configure your accounting system to send RADIUS Start records to the FortiOS unit. You can send the RADIUS Start records to any FortiGate network interface. If your FortiGate unit is operating with virtual domains (VDOMs) enabled, the RADIUS Start records must be sent to a network interface in the management VDOM.

IPv6 RADIUS Support

RADIUS authentication is supported with IPv6, allowing administrators to configure an IPv6 RADIUS server on the FortiGate for IPv6 RADIUS authentication traffic to pass between the server and FortiGate.

Syntax

Allow IPv6 access on an interface:

config system interface edit <name> config ipv6 set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap} set ip6-address <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx>

next

next

end

Configure the IPv6 RADIUS server:

config user radius edit <name> set server <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> …

next

end

Agent-based FSSO

Agent-based FSSO

FortiOS can provide single sign-on capabilities to Windows AD, Citrix, Novell eDirectory, or, as of FortiOS 5.4, Microsoft Exchange users with the help of agent software installed on these networks. The agent software sends information about user logons to the FortiGate unit. With user information such as IP address and user group memberships from the network, FortiGate security policies can allow authenticated network access to users who belong to the appropriate user groups without requesting their credentials again.

For Windows AD networks, FortiGate units can provide SSO capability without agent software by directly polling the Windows AD domain controllers. For information about this type of SSO, seeSingle Sign-On to Windows AD on page 133.

The following topics are included:

  • Introduction to agent-based FSSO
  • FSSO NTLM authentication support
  • Agent installation
  • Configuring the FSSO Collector agent for Windows AD
  • Configuring the FSSO TS agent for Citrix
  • Configuring FSSO with Novell networks
  • Configuring FSSO Advanced Settings
  • Configuring FSSO on FortiGate units
  • FortiOS FSSO log messages
  • Testing FSSO
  • Troubleshooting FSSO

Introduction to agent-based FSSO

Fortinet Single Sign-On (FSSO), through agents installed on the network, monitors user logons and passes that information to the FortiGate unit. When a user logs on at a workstation in a monitored domain, FSSO

l detects the logon event and records the workstation name, domain, and user, l resolves the workstation name to an IP address, l determines which user groups the user belongs to, l sends the user logon information, including IP address and groups list, to the FortiGate unit l creates one or more log entries on the FortiGate unit for this logon event as appropriate.

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups associated with that policy, the connection is allowed. Otherwise the connection is denied.

FSSO can also provide NTLM authentication service for requests coming from FortiGate. SSO is very convenient for users, but may not be supported across all platforms. NTLM is not as convenient, but it enjoys wider support. See FSSO NTLM authentication support on page 148.

Introduction to FSSO agents

There are several different FSSO agents that can be used in an FSSO implementation:

  • Domain Controller (DC) agent
  • eDirectory agent
  • Citrix/Terminal Server (TS) agent
  • Collector (CA) agent

Consult the latest FortiOS and FSSO Release Notes for operating system compatibility information.

Domain Controller (DC) agent

The Domain Controller (DC) agent must be installed on every domain controller if you will use DC Agent mode, but is not required if you use Polling mode. See FSSO for Windows AD on page 144.

eDirectory agent

The eDirectory agent is installed on a Novell network to monitor user logons and send the required information to the FortiGate unit. It functions much like the Collector agent on a Windows AD domain controller.The agent can obtain information from the Novell eDirectory using either the Novell API or LDAP.

Citrix/Terminal Server (TS) agent

The Citrix/Terminal Server (TS) agent is installed on a Citrix terminal server to monitor user logons in real time. It functions much like the DC Agent on a Windows AD domain controller.

Collector (CA) agent

This agent is installed as a service on a server in the Windows AD network to monitor user logons and send the required information to the FortiGate unit. The Collector agent can collect information from

  • Domain Controller agent (Windows AD)
  • TS agent (Citrix Terminal Server)

In a Windows AD network, the Collector agent can optionally obtain logon information by polling the AD domain controllers. In this case, DC agents are not needed.

The Collector can obtain user group information from the DC agent or optionally, a FortiGate unit can obtain group information directly from AD using Lightweight Directory Access Protocol (LDAP).

On a Windows AD network, the FSSO software can also serve NT LAN Manager (NTLM) requests coming from client browsers (forwarded by the FortiGate unit) with only one or more Collector agents installed. See FSSO NTLM authentication support on page 148.

The CA is responsible for DNS lookups, group verification, workstation checks, and as mentioned FortiGate updates of logon records. The FSSO Collector Agent sends Domain Local Security Group and Global Security Group information to FortiGate units. The CA communicates with the FortiGate over TCP port 8000 and it listens on UDP port 8002 for updates from the DC agents.

The FortiGate unit can have up to five CAs configured for redundancy. If the first on the list is unreachable, the next is attempted, and so on down the list until one is contacted. See Configuring FSSO on FortiGate units on page 175.

All DC agents must point to the correct Collector agent port number and IP address on domains with multiple DCs.

A FortiAuthenticator unit can act much like a Collector agent, collecting Windows AD user logon information and sending it to the FortiGate unit. It is particularly useful in large installations with several FortiGate units. For more information, see the FortiAuthenticator Administration Guide.

FSSO for Microsoft Exchange Server

As of FortiOS 5.4, FSSO supports monitoring Microsoft Exchange Server. This is useful for situations when the user accesses the domain account to view their email, even when the client device might not be in the domain.

Support for the Exchange server is configured on the Back-end FSSO collector agent. For more information on the collector agent, see Collector agent installation:

  1. On the FSSO collector agent, go to Advanced Settings > Exchange Server.
  2. Select Add and enter the following information and select OK:
Domain Name Enter your domain name.
Server IP/Hostname Enter the IP address or the hostname of your exchange server.
Polling forwarded event log This option for scenarios when you do not want that CA polls the Exchange Server logs directly. In this case you need to configure event log forwarding on the Exchange server. Exchange event logs can be forwarded to any member server. If you enable this, instead of the IP of the Exchange server configured in the previous step, you must then configure the IP of this member server. CA will then contact the member server.
Ignore Name Because CA will also check Windows log files for logon events and when a user authenticates to Exchange Server there is also a logon event in Windows event log, which CA will read and this will overwrite the Exchange Server logon event (ESEventLog) on CA. So it is recommended to set the ignore list to the domain the user belongs to.

To do so, enter the domain name in the Ignore Name field and select Add.

FSSO for Windows AD

FSSO for Windows AD requires at least one Collector agent. Domain Controller agents may also be required depending on the Collector agent working mode. There are two working modes to monitor user logon activity: DC Agent mode or Polling mode.

Collector agent DC Agent mode versus Polling mode

DC Agent mode Polling Mode
Installation Complex — Multiple installations: one agent per DC plus Collector agent, requires a reboot Easy — Only Collector agent installation, no reboot required
Resources Shares resources with DC system Has own resources
Network load Each DC agent requires minimum 64kpbs bandwidth, adding to network load Increase polling period during busy period to reduce network load
Level of

Confidence

Captures all logons Potential to miss a login if polling period is too great
DC Agent mode

DC Agent mode is the standard mode for FSSO. In DC Agent mode, a Fortinet authentication agent is installed on each domain controller. These DC agents monitor user logon events and pass the information to the Collector agent, which stores the information and sends it to the FortiGate unit.

The DC agent installed on the domain controllers is not a service like the Collector agent — it is a DLL file called dcagent.dll and is installed in the Windows\system32 directory. It must be installed on all domain controllers of the domains that are being monitored.

FSSO in DC agent mode

DC Agent mode provides reliable user logon information, however you must install a DC agent on every domain controller. A reboot is needed after the agent is installed. Each installation requires some maintenance as well. For these reasons it may not be possible to use the DC Agent mode.

Each domain controller connection needs a minimum guaranteed 64kpbs bandwidth to ensure proper FSSO functionality. You can optionally configure traffic shapers on the FortiGate unit to ensure this minimum bandwidth is guaranteed for the domain controller connections.

Introduction to agent-based

Polling mode

In Polling mode there are three options — NetAPI polling, Event log polling, and Event log using WMI. All share the advantages of being transparent and agentless.

NetAPI polling is used to retrieve server logon sessions. This includes the logon event information for the Controller agent. NetAPI runs faster than Event log polling but it may miss some user logon events under heavy system load. It requires a query round trip time of less than 10 seconds.

Event log polling may run a bit slower, but will not miss events, even when the installation site has many users that require authentication. It does not have the 10 second limit on NetAPI polling. Event log polling requires fast network links. Event log polling is required if there are Mac OS users logging into Windows AD.

Event log using WMI polling: WMI is a Windows API to get system information from a Windows server, CA is a WMI client and sends WMI queries for user logon events to DC, which in this case is a WMI server. Main advantage in this mode is that CA does not need to search security event logs on DC for user logon events, instead, DC returns all requested logon events via WMI. This also reduces network load between CA and DC.

In Polling mode, the Collector agent polls port 445 of each domain controller for user logon information every few seconds and forwards it to the FortiGate unit. There are no DC Agents installed, so the Collector agent polls the domain controllers directly.

FSSO in Polling mode

A major benefit of Polling mode is that no FSSO DC Agents are required. If it is not possible to install FSSO DC Agents on your domain controllers, this is the alternate configuration available to you. Polling mode results in a less complex install, and reduces ongoing maintenance. The minimum permissions required in Polling mode are to read the event log or call NetAPI.

Collector agent AD Access mode – Standard versus Advanced

The Collector agent has two ways to access Active Directory user information. The main difference between Standard and Advanced mode is the naming convention used when referring to username information.

Standard mode uses regular Windows convention: Domain\Username. Advanced mode uses LDAP convention: CN=User, OU=Name, DC=Domain.

If there is no special requirement to use LDAP— best practices suggest you set up FSSO in Standard mode. This mode is easier to set up, and is usually easier to maintain and troubleshoot.

Standard and advanced modes have the same level of functionality with the following exceptions:

  • Users have to create Group filters on the Collector agent. This differs from Advanced mode where Group filters are configured from the FortiGate unit. Fortinet strongly encourages users to create filters from CA.
  • Advanced mode supports nested or inherited groups. This means that users may be a member of multiple monitored groups. Standard mode does not support nested groups so a user must be a direct member of the group being monitored.

FSSO for Citrix

Citrix users can enjoy a similar Single Sign-On experience as Windows AD users. The FSSO TS agent installed on each Citrix server provides user logon information to the FSSO Collector agent on the network. The FortiGate unit uses this information to authenticate the user in security policies.

Citrix SSO topology

Citrix users do not have unique IP addresses. When a Citrix user logs on, the TS agent assigns that user a range of ports. By default each user has a range of 200 ports.

FSSO for Novell eDirectory

FSSO in a Novell eDirectory environment works similar to the FSSO Polling mode in the Windows AD environment. The eDirectory agent polls the eDirectory servers for user logon information and forwards the information to the FortiGate unit. There is no need for the Collector agent.

When a user logs on at a workstation, FSSO:

  • detects the logon event by polling the eDirectory server and records the IP address and user ID, l looks up in the eDirectory which groups this user belongs to,

 

FSSO NTLM authentication support

  • sends the IP address and user groups information to the FortiGate unit.

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups, the connection is allowed.

FSSO is supported on the Novell E-Directory 8.8 operating system.

For a Novell network, there is only one FSSO component to install — the eDirectory agent. In some cases, you also need to install the Novell Client.

FSSO security issues

When the different components of FSSO are communicating there are some inherent security features.

FSSO installation requires an account with network admin privileges. The security inherent in these types of accounts helps ensure access to FSSO configurations is not tampered with.

User passwords are never sent between FSSO components. The information that is sent is information to identify a user including the username, group or groups, and IP address.

NTLM uses base-64 encoded packets, and uses a unique randomly generated challenge nonce to avoid sending user information and password between the client and the server.

Single Sign-On to Windows AD

Single Sign-On to Windows AD

The FortiGate unit can authenticate users transparently and allow them network access based on their privileges in Windows AD. This means that users who have logged on to the network are not asked again for their credentials to access network resources through the FortiGate unit, hence the term “Single Sign-On”.

The following topics are included:

  • Introduction to Single Sign-On with Windows AD
  • Configuring Single Sign On to Windows AD
  • FortiOS FSSO log messages
  • Testing FSSO
  • Troubleshooting FSSO

Introduction to Single Sign-On with Windows AD

Introduced in FortiOS 5.0, Single Sign-On (SSO) support provided by FortiGate polling of domain controllers is simpler than the earlier method that relies on agent software installed on Windows AD network servers. No Fortinet software needs to be installed on the Windows network. The FortiGate unit needs access only to the Windows AD global catalog and event log.

When a Windows AD user logs on at a workstation in a monitored domain, the FortiGate unit l detects the logon event in the domain controller’s event log and records the workstation name, domain, and user, l resolves the workstation name to an IP address, l uses the domain controller’s LDAP server to determine which groups the user belongs to, l creates one or more log entries on the FortiGate unit for this logon event as appropriate.

When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. The selection consist of matching the FSSO group or groups the user belongs to with the security policy or policies that match that group. If the user belongs to one of the permitted user groups associated with that policy, the connection is allowed. Otherwise the connection is denied.

Single Sign-On using a FortiAuthenticator unit

Single Sign-On using a FortiAuthenticator unit

If you use a FortiAuthenticator unit in your network as a single sign-on agent,

  • Users can authenticate through a web portal on the FortiAuthenticator unit.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated by the FortiAuthenticator unit through the FortiClient SSO Mobility Agent.

The FortiAuthenticator unit can integrate with external network authentication systems such as RADIUS and LDAP to gather user logon information and send it to the FortiGate unit.

User’s view of FortiAuthenticator SSO authentication

There are two different ways users can authenticate through a FortiAuthenticator unit.

Users without FortiClient Endpoint Security – SSO widget

To log onto the network, the user accesses the organization’s web page with a web browser. Embedded on that page is a simple logon widget, like this:

                                User not logged in. Click Login to go to the FortiAuthenticator login page.
                   User logged in. Name displayed. Logout button available.

The SSO widget sets a cookie on the user’s browser. When the user browses to a page containing the login widget, the FortiAuthenticator unit recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days.

Users with FortiClient Endpoint Security – FortiClient SSO Mobility Agent

The user simply accesses resources and all authentication is performed transparently with no request for credentials. IP address changes, such as those due to WiFi roaming, are automatically sent to the

FortiAuthenticator unit. When the user logs off or otherwise disconnects from the network, the FortiAuthenticator unit is aware of this and deauthenticates the user.

The FortiClient SSO Mobility Agent, a feature of FortiClient Endpoint Security v5.0, must be configured to communicate with the appropriate FortiAuthenticator unit. After that, the agent automatically provides user name and IP address information to the FortiAuthenticator unit for transparent authentication.

Administrator’s view of FortiAuthenticator SSO authentication

You can configure either or both of these authentication types on your network.

using a FortiAuthenticator unit

SSO widget

Configuring the FortiAuthenticator unit

You need to configure the Single Sign-On portal on the FortiAuthenticator unit. Go to Fortinet SSO Methods > SSO > Portal Services to do this. Copy the Embeddable login widget code for use on your organization’s home page. Identity-based security policies on the FortiGate unit determine which users or groups of users can access which network resources.

FortiClient SSO Mobility Agent

Your users must be running at least FortiClient Endpoint Security v5.0 to make use of this type of authentication.

On the FortiAuthenticator unit, you need to select Enable FortiClient SSO Mobility Agent Service, optionally select Enable Authentication and choose a Secret key. Go to Fortinet SSO Methods > SSO > General. You need to provide your users the FortiAuthenticator IP address and secret key so that they can configure the FortiClient SSO Mobility Agent on their computers. See Configuring the FortiGate unit on page 131.