FortiGate FSSO — Fortinet Single Sign-On
How FSSO gives FortiGate identity-aware policies without prompting users: collector agents on the AD DC, event-log monitoring, transparent login mapping, and RADIUS-SSO variants.
- **FSSO** = FortiGate learns 'this IP is logged in as this AD user' without asking the user. Enables identity-based firewall policies without a login portal.
- The classic architecture: **FSSO Collector Agent** on a Windows DC watches Kerberos event logs, resolves user→IP, pushes the mapping to FortiGate.
- Newer options: **DC Agent + Collector**, **agentless polling**, **RADIUS-SSO** (learn logins from RADIUS accounting), **FortiAuthenticator** as central collector.
The one-sentence mental model
FSSO answers “who is this IP right now?” so the FortiGate can enforce firewall + web-filter policies by AD group instead of just by IP subnet. Without FSSO, the FortiGate sees 10.10.5.42. With FSSO, it sees 10.10.5.42 = jsmith@corp = Sales.
The four FSSO modes
1. Collector Agent + DC Agent (the classic setup)
- DC Agent — DLL installed on each Domain Controller. Hooks into the DC’s authentication process directly.
- Collector Agent — service (usually on the DC or a dedicated server). Receives login events from DC Agents, resolves usernames + IPs + AD groups, sends to FortiGate.
Pros: real-time. Every AD login gets picked up instantly. Cons: DLL install on every DC. Change management pushback.
2. Collector Agent only (no DC Agent — “polling mode”)
- Just the Collector Agent, no DLLs.
- Collector polls the DC event log (WinRM/WMI) at intervals for logon events.
Pros: no DLL on the DC. Simpler to deploy. Cons: slight lag (poll interval, typically 60 s). Under heavy login rates, can miss events.
3. Agentless (FortiGate polls directly)
- No agent anywhere. FortiGate itself polls the DC event log via WMI/WinRM.
Pros: nothing to install. Cons: FortiGate must reach the DC directly, credentials for WMI, higher CPU on the FortiGate for large environments.
4. RADIUS-SSO
- No AD-based collector at all.
- Some upstream device (Cisco WLC, VPN concentrator, NAC) sends RADIUS accounting records to the FortiGate as users log in.
- FortiGate parses the accounting, extracts username + IP, applies to policy.
Pros: works even in non-AD environments. Ideal for wireless / NAC-driven identity. Cons: only sees traffic from devices that send RADIUS accounting.
FortiAuthenticator as a bigger brain
For multi-site or when you want more control:
- FortiAuthenticator (physical or VM appliance) becomes the central FSSO collector.
- Receives login events from DCs, LDAP servers, RADIUS accounting, portal captive-portal logins.
- Pushes consolidated user→IP→group mappings to every FortiGate in the estate.
- Also does 2FA (FortiToken push, TOTP), guest self-registration, MAC bypass.
Standard architecture for MSPs and enterprises with >10 FortiGates.
Config sketch (Collector Agent mode)
On FortiGate:
config user fsso
edit "hq-collector"
set server 10.0.0.20
set password AgentSecret
set collector-agent-type default
next
end
config user group
edit "AD-Sales"
set group-type fsso-service
set member "hq-collector"
config match
edit 1
set server-name "hq-collector"
set group-name "CN=Sales,OU=Groups,DC=corp,DC=local"
next
end
next
end
Then in firewall policy:
config firewall policy
edit 40
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set groups "AD-Sales" # only Sales users match
set action accept
set service "HTTP" "HTTPS"
set webfilter-profile "sales-webfilter"
next
end
Verification
diagnose debug authd fsso list # current mappings
diagnose debug authd fsso server-status # collector reachable?
diagnose debug authd fsso refresh-logons
Look for entries like 10.10.5.42 jsmith groups=Sales,Everyone. If empty → collector not reaching FortiGate. If stale → collector service died on DC.
Common exam / real-world mistakes
- Firewall between DCs and Collector. Collector receives DC agent events on TCP 8000 by default. Collector talks to FortiGate on TCP 8000 too. If a firewall blocks it, no mappings.
- Sharing user names across sessions. RDP / Citrix XenApp sessions look like one IP with many users. FSSO can only report one user per IP → wrong user for policy. Fix: XenApp connector / dedicated group of TS servers with “any user” policy.
- Group DN casing / typos. AD group DN in the FortiGate must match exactly. Copy-paste from Active Directory Users and Computers. Off-by-one and it silently doesn’t match.
- DHCP lease change while logged in. User gets new IP mid-session. FSSO mapping shows old IP. Cure: shorten DHCP leases OR use collector that watches for logoff events.
- Not pruning stale sessions. If a user powers off without logging out, mapping lingers. Configure “session lifetime” on the collector.
Cheat strip
Goal map "IP → AD user + groups" → identity in firewall policy
Modes:
Collector + DC Agent real-time, DLL on every DC
Collector-only polling no DLL, minor lag
Agentless no agent, FortiGate polls DC directly
RADIUS-SSO consumes RADIUS accounting
Ports DC-agent → Collector : TCP 8000 default
Collector → FortiGate : TCP 8000 default
Verify diagnose debug authd fsso list
diagnose debug authd fsso server-status
FortiAuth central collector + 2FA + guest portal at scale
FortiGate HA — FGCP Active-Passive and Active-Active
How FortiGate Clustering Protocol (FGCP) forms a redundant pair or cluster: heartbeat, session sync, election, active-passive vs active-active, override, split-brain avoidance.
VXLAN Basics — VNI, VTEP, and Why Modern DCs Use It
The Layer-2-over-Layer-3 overlay every modern data center runs. VXLAN encapsulation, VNI, VTEP roles, unicast vs multicast flood-and-learn vs BGP EVPN — the CCNP ENCOR essentials.
Want this drilled into reflex?
1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the NSE 4® exam blueprint. Free first session. No card on file until you decide.
Related topics
AAA · RADIUS & TACACS+
Authentication, Authorization, Accounting — centralize who can log in, what they can do, and what they did. Covers RADIUS vs TACACS+, method lists, and why every network with more than 5 devices uses centralized auth.
Security FundamentalsCisco ISE Basics
Cisco Identity Services Engine — the RADIUS/TACACS+ + posture + profiling brain behind enterprise wired/wireless network access. What ISE does, where it sits, and the deployment model behind 802.1X-everywhere.
Security Fundamentals802.1X — Port-Based Network Access Control
Lock every switch port until the connected device proves identity. Covers the supplicant / authenticator / auth server roles, EAPOL on the wire, and how 802.1X plugs into RADIUS for enterprise Wi-Fi and wired auth.
Get the free CCNA 12-week roadmap
You're already reading up on FortiGate FSSO — Fortinet Single Sign-On. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where FortiGate FSSO — Fortinet Single Sign-On fits. A written personal reply, not an autoresponder. Expect it within one business day.
Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.