Skip to main content
PacketMentor logo
Open menu
Home
Training
Learn
CCNA Library (74)
Browse all CCNA topics →
Network (13)
Device Operations (5)
Network Access (12)
Wireless (6)
IP Connectivity (10)
IP Services (11)
Security (10)
Automation (7)
Network+ Library (77)
Browse all Network+ topics →
1.0Networking Concepts (22)
2.0Network Implementation (17)
3.0Network Operations (16)
4.0Network Security (15)
5.0Network Troubleshooting (7)
NSE 4 Library (45)
CCNP Library (33)
Practice
All practice →
Troubleshooting Labs
Packet Tracer Labs
Interactive Simulators
Mock ExamPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
Fortinet NSE 4 Security Fundamentals Intermediate

FortiGate FSSO — Fortinet Single Sign-On

How FSSO gives FortiGate identity-aware policies without prompting users: collector agents on the AD DC, event-log monitoring, transparent login mapping, and RADIUS-SSO variants.

Quick summary
  • **FSSO** = FortiGate learns 'this IP is logged in as this AD user' without asking the user. Enables identity-based firewall policies without a login portal.
  • The classic architecture: **FSSO Collector Agent** on a Windows DC watches Kerberos event logs, resolves user→IP, pushes the mapping to FortiGate.
  • Newer options: **DC Agent + Collector**, **agentless polling**, **RADIUS-SSO** (learn logins from RADIUS accounting), **FortiAuthenticator** as central collector.

The one-sentence mental model

FSSO answers “who is this IP right now?” so the FortiGate can enforce firewall + web-filter policies by AD group instead of just by IP subnet. Without FSSO, the FortiGate sees 10.10.5.42. With FSSO, it sees 10.10.5.42 = jsmith@corp = Sales.

The four FSSO modes

1. Collector Agent + DC Agent (the classic setup)

  • DC Agent — DLL installed on each Domain Controller. Hooks into the DC’s authentication process directly.
  • Collector Agent — service (usually on the DC or a dedicated server). Receives login events from DC Agents, resolves usernames + IPs + AD groups, sends to FortiGate.

Pros: real-time. Every AD login gets picked up instantly. Cons: DLL install on every DC. Change management pushback.

2. Collector Agent only (no DC Agent — “polling mode”)

  • Just the Collector Agent, no DLLs.
  • Collector polls the DC event log (WinRM/WMI) at intervals for logon events.

Pros: no DLL on the DC. Simpler to deploy. Cons: slight lag (poll interval, typically 60 s). Under heavy login rates, can miss events.

3. Agentless (FortiGate polls directly)

  • No agent anywhere. FortiGate itself polls the DC event log via WMI/WinRM.

Pros: nothing to install. Cons: FortiGate must reach the DC directly, credentials for WMI, higher CPU on the FortiGate for large environments.

4. RADIUS-SSO

  • No AD-based collector at all.
  • Some upstream device (Cisco WLC, VPN concentrator, NAC) sends RADIUS accounting records to the FortiGate as users log in.
  • FortiGate parses the accounting, extracts username + IP, applies to policy.

Pros: works even in non-AD environments. Ideal for wireless / NAC-driven identity. Cons: only sees traffic from devices that send RADIUS accounting.

FortiAuthenticator as a bigger brain

For multi-site or when you want more control:

  • FortiAuthenticator (physical or VM appliance) becomes the central FSSO collector.
  • Receives login events from DCs, LDAP servers, RADIUS accounting, portal captive-portal logins.
  • Pushes consolidated user→IP→group mappings to every FortiGate in the estate.
  • Also does 2FA (FortiToken push, TOTP), guest self-registration, MAC bypass.

Standard architecture for MSPs and enterprises with >10 FortiGates.

Config sketch (Collector Agent mode)

On FortiGate:

config user fsso
  edit "hq-collector"
    set server 10.0.0.20
    set password AgentSecret
    set collector-agent-type default
  next
end

config user group
  edit "AD-Sales"
    set group-type fsso-service
    set member "hq-collector"
    config match
      edit 1
        set server-name "hq-collector"
        set group-name "CN=Sales,OU=Groups,DC=corp,DC=local"
      next
    end
  next
end

Then in firewall policy:

config firewall policy
  edit 40
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set groups "AD-Sales"           # only Sales users match
    set action accept
    set service "HTTP" "HTTPS"
    set webfilter-profile "sales-webfilter"
  next
end

Verification

diagnose debug authd fsso list          # current mappings
diagnose debug authd fsso server-status # collector reachable?
diagnose debug authd fsso refresh-logons

Look for entries like 10.10.5.42 jsmith groups=Sales,Everyone. If empty → collector not reaching FortiGate. If stale → collector service died on DC.

Common exam / real-world mistakes

  1. Firewall between DCs and Collector. Collector receives DC agent events on TCP 8000 by default. Collector talks to FortiGate on TCP 8000 too. If a firewall blocks it, no mappings.
  2. Sharing user names across sessions. RDP / Citrix XenApp sessions look like one IP with many users. FSSO can only report one user per IP → wrong user for policy. Fix: XenApp connector / dedicated group of TS servers with “any user” policy.
  3. Group DN casing / typos. AD group DN in the FortiGate must match exactly. Copy-paste from Active Directory Users and Computers. Off-by-one and it silently doesn’t match.
  4. DHCP lease change while logged in. User gets new IP mid-session. FSSO mapping shows old IP. Cure: shorten DHCP leases OR use collector that watches for logoff events.
  5. Not pruning stale sessions. If a user powers off without logging out, mapping lingers. Configure “session lifetime” on the collector.

Cheat strip

Goal        map "IP → AD user + groups"  →  identity in firewall policy

Modes:
  Collector + DC Agent    real-time, DLL on every DC
  Collector-only polling  no DLL, minor lag
  Agentless               no agent, FortiGate polls DC directly
  RADIUS-SSO              consumes RADIUS accounting

Ports       DC-agent → Collector : TCP 8000 default
            Collector → FortiGate : TCP 8000 default

Verify      diagnose debug authd fsso list
            diagnose debug authd fsso server-status

FortiAuth   central collector + 2FA + guest portal at scale
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the NSE 4® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Get the free CCNA 12-week roadmap

You're already reading up on FortiGate FSSO — Fortinet Single Sign-On. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where FortiGate FSSO — Fortinet Single Sign-On fits. A written personal reply, not an autoresponder. Expect it within one business day.

Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.