Fortinet FortiGate Firewall LDAP

Configuring Fortinet FortiGate Firewall to work with Foxpass's LDAP server

Below are instructions on how to configure a Fortinet FortiGate to use Foxpass for LDAP authentication on the remote SSL VPN using the graphical user interface (GUI). Fortinet's general instructions can be found here.


Note: Fortinet FortiGate Currently Requires a Configuration Change

Configuring your FortiGate to work with Foxpass currently requires a configuration change on our backend to enable a special setting for your company. This setting sends specific directory information to FortiGate that most LDAP clients don't require. To enable this setting, please reach out to us at [email protected] or in the Intercom chat in the bottom right.

Create an LDAP Binder

First, create an LDAP Binder account with the name 'fortigate' (or something else easily identifiable) on the LDAP binders page. Copy/paste the generated password! It is only displayed once.

Configure Fortinet

First, we'll enable FortiGate to use Foxpass as an authentication source for all users into the firewall.

In the FortiGate interface, go to User & Device > Authentication > LDAP Servers and select Create New.

Enter the following values, inserting your own information where marked by the double arrows:

Name: ≪Foxpass-LDAP≫
Server Name/IP: ldap.foxpass.com
Server Port: 636
Common Name Identifier: uid
Distinguished Name: dc=≪example≫,dc=≪com≫
Bind Type: Regular
User DN: cn=≪binder name≫,dc=≪example≫,dc=≪com≫
Password: ≪binder password≫
Secure Connection: checked
Protocol: LDAPS

Next, we'll configure a specific Foxpass group to give users of that group admin permissions in FortiGate.

Add a user group in FortiGate and associate a Foxpass LDAP group with it. Go to User & Device > User > User Groups, and create an LDAP user group. This group will allow you to designate a specific Foxpass group as Firewall admins. Name the group something easy to remember like "FirewallAdmin." Enter the following values, inserting your own information where marked by the double arrows:

Member: ≪Foxpass-LDAP≫
Configuration: match
Server Name: ≪Foxpass-LDAP≫
Group Name: cn=≪Foxpass LDAP group≫,ou=groups,dc=≪example≫,dc=≪com≫

You may need to right click the group to select it when saving the configuration.

After that, give this group firewall admin access. Go to the Admin section of the System configuration and enter the values below:

Remote-Auth: Enable
trusthost1: x.y.x.x/255.255.255.255
trusthost2: x.x.y.x/255.255.255.255
trusthost3: x.x.x.y/255.255.255.255
accprofile: prof_admin
vdom: root
wildcard: enable
remote-group: ≪FirewallAdmin≫

As a final step, we recommend setting the timeout for remote authentication to 60 seconds to account for any network delays. Change this setting in the Global section of the System configuration.

remoteauthtimeout: 60