Login to the Fortigate firewall with Active Directory accounts

Logging into the firewall with Active directory accounts can be a great thing. You can base login privileges on A.D. security groups, and track what the users do. For example if you had help desk users and only wanted them to only have read access, no problem. Also, what if you wanted to audit what a user does on the firewall, no problem. You can do this through a mix of Logins and admin profiles.

There are a few things we need to do, create the LDAP connection, create our security groups in A.D. to match in the firewall, create the user group in the FW and assign it the correct admin profiles.

1. Create the LDAP connection

Image

You do not have to be a super user to query the LDAP account, I would just create a Fortinet service account, and use that to query with.

2. Create AD security groups. If you want domain admins to log in, great just match it in the firewall. If you have help desk users that you want to have restricted privilege than you would have to create that in A.D. and add the needed members.

3. Create local firewall groups that match the LDAP groups.

Image

Here we create a “Firewall” Group, and add our remote server to the list. If you notice you can query LDAP from here, and select the group you want by clicking on the folder to the left side of the group name.

4. Add the group as a admin that can login

Under system – admin – administrators add a new admin.

Image

Create the name you want, and select the group we just created. Then select the admin profile we want. This is for admins, so they will be super admins when they log in. If you wanted a custom profile, lets say restart the device, but that’s it then we can create that, then add it. There are more options here such as using Forti-token, and email.

Notice that the wildcard option is checked – A wildcard admin account is an administrator account with the wildcard option enabled. This option allows multiple different remote administration accounts to match one local administration account, avoiding the need to set up individual admin accounts on the FortiGate unit. Instead multiple LDAP admin accounts will all be able to use one FortiGate admin account.

5. Create a different admin profile for privileges.

In this example I will create a help desk account, that can only configure system settings (IP address, etc). Otherwise everything is read only.

Image

After saving this, you can go back and add it to the admin group.

Advertisements

5 responses to “Login to the Fortigate firewall with Active Directory accounts

  1. ANUP THAKUR May 19, 2016 at 10:00 am

    sir my college have fortinet firewall and every person have a same user id and password and accessing internet.. now i want that at run-time every student can create his profile and than can access internet… is it possible

    • cjcott01 May 20, 2016 at 3:47 pm

      Hi Anup, There are many ways to accomplish that. Do you use Active Directory? If so, use the Fortinet Single sign on agent and use their Domain Credentials (All transparent to the user). You could also use the captive portal feature and have them log in with their account before accessing the internet.

  2. anton February 22, 2017 at 9:35 am

    Im having trouble connecting remote LDAP servers. If i have LDAP server on internal network – then it works. If i have it over IPSEC VPN tunnel, then it doesnt ( for some reason fortigate is unable to ping the domain server from within itself. SO im wondering which interface is the “from” in the case where im trying to connect to remote LDAP server.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: