
Sunday, July 21, 2013

Fortinet Fortigate 300C Active Directory Integration

We recently had to install a Fortinet Fortigate 300C cluster. You may wish to integrate your firewall cluster into Active Directory to facilitate AD based administrative and VPN logins. This guide is based on FortiOS v4.0 MR3 Patch 8 (v4.0,build0632,120705 (MR3 Patch 8)).

Configure DNS

First thing is to ensure your Fortigate's DNS is configured to point to your Active Directory servers. Go to Network -> DNS:

Configure LDAP

Then you need to configure LDAP. So go to User -> Remote -> LDAP and Create a new LDAP entry. You will need to create an LDAP entry for each domain controller:


Windows Server uses sAMAccountName as the Common Name (CN) Identifier. Your Distinguished Name is typically your top level AD DN. You need to do a Regular bind to AD, so you will need to specify a user that has permission to query AD. In this case the user LDAPBindFortinet was created explicitly for this purpose with a non-expiring password. The User DN is CN=LDAPBindFortinet,OU=Services,OU=FireDaemon,DC=firedaemon,DC=int. Make sure you test connectivity and that you can successfully browse the directory. If you are having trouble divining CNs and DNs, try browsing your directory with Softerra's LDAP Administrator.

Configure User Group

You will now need to create a remote authentication user group. So go to User -> User Group -> User Group. Name it appropriately, then add in your two Active Directory servers. Your users will ideally need to be in a group to permit firewall or VPN access. In this example, the group the users are in is: CN=FortinetUsers,OU=Groups,OU=FireDaemon,DC=firedaemon,DC=int. You can obtain this DN by browsing the user and looking at their MemberOf attribute.

Add Remote Users

Lastly, you will need to add remote users (in this case for firewall configuration). So go to System -> Admin -> Administrators and add remote users.


You should now be able to log in to your Fortigate as a domain user:
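The same four steps expressed in the FortiOS CLI, as an added example that is not part of the original post. The DNs are the ones used above; the server names DC1 and DC2, the IP addresses (documentation range), the password placeholder and the administrator name are assumptions.

```fortios
# Step 1: point the unit's DNS at the domain controllers (assumed addresses)
config system dns
    set primary 192.0.2.10
    set secondary 192.0.2.11
end

# Step 2: one LDAP server entry per domain controller, Regular bind
config user ldap
    edit "DC1"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "DC=firedaemon,DC=int"
        set type regular
        set username "CN=LDAPBindFortinet,OU=Services,OU=FireDaemon,DC=firedaemon,DC=int"
        set password <BIND_PASSWORD>
    next
    edit "DC2"
        set server "192.0.2.11"
        set cnid "sAMAccountName"
        set dn "DC=firedaemon,DC=int"
        set type regular
        set username "CN=LDAPBindFortinet,OU=Services,OU=FireDaemon,DC=firedaemon,DC=int"
        set password <BIND_PASSWORD>
    next
end

# Step 3: remote user group; the match entries restrict access to members
# of the AD group instead of any user the bind account can look up
config user group
    edit "FortinetUsers"
        set member "DC1" "DC2"
        config match
            edit 1
                set server-name "DC1"
                set group-name "CN=FortinetUsers,OU=Groups,OU=FireDaemon,DC=firedaemon,DC=int"
            next
            edit 2
                set server-name "DC2"
                set group-name "CN=FortinetUsers,OU=Groups,OU=FireDaemon,DC=firedaemon,DC=int"
            next
        end
    next
end

# Step 4: remote administrator (assumed name) authenticated through the group
config system admin
    edit "adadmin"
        set remote-auth enable
        set remote-group "FortinetUsers"
        set accprofile "super_admin"
    next
end
```

The group-name match is the piece the GUI walkthrough relies on implicitly: without it, any account the bind user can resolve in the directory would satisfy the group, so check it with `diagnose test authserver ldap DC1 <user> <password>` before relying on it.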


Comments
20-Jun-2014 03:20 AM - warfield
Awesome! Nowhere in the documentation for the 300C could I find this information. Thanks!
20-Jun-2014 03:20 AM - Samuel Martínez
Hey! Good morning! I have a 40C in my company, we are making some tests... can you help me connect it to Active Directory? Also I'm new to using Active Directory, so there are terms that I don't know yet... I have read some websites but I still can't do it... if you can help I would appreciate it...
20-Jun-2014 03:20 AM - James Bourne
Perhaps better to get familiar with AD and then integrate your Fortigate.
20-Jun-2014 03:20 AM - bekos7
Thanks, your tutorial really helped me!
20-Jun-2014 03:20 AM - Gatta
Would it be possible to allocate time slot connections to users in an Active Directory domain?
Thank you.
Regards
20-Jun-2014 03:20 AM - bekos7
Thanks a lot man, your tutorial has really helped me!
20-Jun-2014 03:20 AM - James Bourne
When you set up the VPN policy, you can set a schedule as part of the policy definition. It's not something you set in AD from what I can see.
30-Jun-2016 03:13 PM - Anonymous
How do you do this in FortiOS v5.2? Thanks in advance.