Thursday, February 28, 2013

Enhanced Single Sign-On to Windows AD in FortiOS 5.0

FortiOS 5.0 brings with it an enhancement to how single sign-on can be performed in a Microsoft Active Directory environment.

In prior versions of FortiOS, agent software had to be installed on either a Domain Controller or a member server. There was a lot of push back, since many IT admins were not comfortable running third-party software on their critical AD servers. FortiOS 5.0 lets the firewall itself poll the domain controllers' event logs and query AD over LDAP, so the agents are now optional.

When a Windows AD user logs on at a workstation in a monitored domain, the FortiGate unit:
  • detects the logon event in the domain controller’s event log and records the workstation name, domain, and user
  • resolves the workstation name to an IP address
  • uses the domain controller’s LDAP server to determine which groups the user belongs to
  • creates one or more log entries on the FortiGate unit for this logon event as appropriate
When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. The selection consists of matching the FSSO group or groups the user belongs to with the security policy or policies that match that group. If the user belongs to one of the permitted user groups associated with that policy, the connection is allowed. Otherwise the connection is denied.

(From the FortiOS 5.0 Authentication Guide)
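As an added illustration (my own Python, not Fortinet code and not how FortiOS implements polling), here is the four-step flow above simulated end to end over constructed input: a handful of Windows Security log event 4624 ("An account was successfully logged on") messages with the real field layout, a made-up DNS table, a made-up LDAP group map and two made-up policies. Which event IDs FortiOS actually reads, the logon-type filter, and every host, user, SID and address are assumptions of the example. It also shows the caveat a practitioner should keep in mind: the table is keyed on the resolved IP address, so when two users log on to the same terminal server the second logon replaces the first, and a workstation the firewall cannot resolve never appears at all.

```python
import ipaddress
import re
from dataclasses import dataclass


def _event(logon_type, subject, user, domain, workstation):
    """Build a constructed 4624 message. Field layout mirrors the real event text;
    the values are invented for this example."""
    return (
        "An account was successfully logged on.\n\n"
        "Subject:\n"
        f"\tAccount Name:\t\t{subject}\n"
        "\tAccount Domain:\t\tCORP\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        "New Logon:\n"
        f"\tAccount Name:\t\t{user}\n"
        f"\tAccount Domain:\t\t{domain}\n\n"
        "Network Information:\n"
        f"\tWorkstation Name:\t{workstation}\n"
    )


SAMPLE_EVENTS = [                                        # constructed event stream
    _event(2, "-", "jdoe", "CORP", "WS-FIN-07"),         # console logon
    _event(3, "-", "WS-FIN-07$", "CORP", "WS-FIN-07"),   # machine account, network logon
    _event(10, "-", "asmith", "CORP", "TS-01"),          # RDP to a terminal server
    _event(10, "-", "bjones", "CORP", "TS-01"),          # second user on the same host
    _event(2, "-", "cwu", "CORP", "WS-UNKNOWN"),         # workstation with no DNS record
]

DNS = {"WS-FIN-07": "10.1.20.7", "TS-01": "10.1.30.5"}  # constructed forward lookups
FINANCE = "CN=Finance,OU=Groups,DC=corp,DC=example"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=corp,DC=example"
LDAP_GROUPS = {"jdoe": [FINANCE], "asmith": [HELPDESK], "bjones": [FINANCE], "cwu": [FINANCE]}
USER_LOGON_TYPES = {2, 10, 11}   # interactive, remote interactive, cached (assumed filter)
POLICIES = [                     # constructed: (id, destination subnet, permitted FSSO groups)
    (1, ipaddress.ip_network("10.9.0.0/24"), {FINANCE}),
    (2, ipaddress.ip_network("10.8.0.0/24"), {HELPDESK}),
]

_FIELD = r"^\s*{}:\s*(\S+)\s*$"


@dataclass(frozen=True)
class Logon:
    domain: str
    user: str
    workstation: str
    logon_type: int


def parse_4624(text):
    """Extract the 'New Logon' identity, or None if the record is not a user session.
    The Subject block is skipped on purpose: its Account Name is often the computer account."""
    lt = re.search(_FIELD.format("Logon Type"), text, re.M)
    if not lt or int(lt.group(1)) not in USER_LOGON_TYPES:
        return None
    _, _, new_logon = text.partition("New Logon:")
    user = re.search(_FIELD.format("Account Name"), new_logon, re.M)
    domain = re.search(_FIELD.format("Account Domain"), new_logon, re.M)
    ws = re.search(_FIELD.format("Workstation Name"), new_logon, re.M)
    if not (user and domain and ws) or user.group(1).endswith("$"):
        return None
    return Logon(domain.group(1), user.group(1), ws.group(1), int(lt.group(1)))


def process_events(events):
    """Return the FSSO-style table {ip: (domain, user, groups)} built from the event stream."""
    table = {}
    for text in events:
        logon = parse_4624(text)
        if logon is None:
            continue
        ip = DNS.get(logon.workstation)
        if ip is None:
            continue                      # unresolved name: the firewall never learns this session
        groups = tuple(LDAP_GROUPS.get(logon.user, []))
        table[ip] = (logon.domain, logon.user, groups)   # keyed on IP: the latest logon wins
    return table


def select_policy(table, src_ip, dst_ip):
    """First policy whose destination matches and whose FSSO group the source user holds, else None."""
    entry = table.get(src_ip)
    if entry is None:
        return None
    dst = ipaddress.ip_address(dst_ip)
    for pid, net, allowed in POLICIES:
        if dst in net and set(entry[2]) & allowed:
            return pid
    return None


if __name__ == "__main__":
    fsso = process_events(SAMPLE_EVENTS)
    for ip, (dom, usr, grp) in fsso.items():
        print(f"{ip:<12} {dom}\\{usr:<8} {', '.join(grp)}")
    print("jdoe -> finance subnet:", select_policy(fsso, "10.1.20.7", "10.9.0.15"))
    print("TS-01 -> helpdesk subnet:", select_policy(fsso, "10.1.30.5", "10.8.0.1"))
```

Run as-is, the table holds two entries, not four: the machine-account record and the unresolvable workstation are dropped, and TS-01 shows only bjones, so asmith's Helpdesk policy no longer matches traffic from that host. That last case is exactly why shared hosts need something other than an IP-keyed logon table.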

Wednesday, February 13, 2013

Software Updates

Here's the latest and greatest.

FortiOS: 4.0 MR3 Patch 12, Build 656 (just released)
(stable, recommended for production)

FortiOS: 5.0.1, Build 147
(recommended for limited production deployment if you need cutting-edge features)