Enforcement using FortiGate Firewall
Overview
This chapter covers FortiGate firewall integration with Ivanti Policy Secure (IPS) using RADIUS accounting messages. The FortiGate "SSO using RADIUS accounting records" feature allows FortiGate to receive user and group information through RADIUS accounting messages.
The FortiGate firewall can transparently authenticate users who have already authenticated on an external RADIUS server. The security policy applies the appropriate profiles based on the user group to which the user belongs. RADIUS SSO is relatively simple because the FortiGate unit does not interact with the RADIUS server; it only monitors the RADIUS accounting records that the server forwards (originating from the RADIUS client, i.e., Ivanti Policy Secure). These records include the user’s IP address, user group and user name.
FortiGate needs to know the user’s endpoint identifier (usually IP address) and RADIUS user group.
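Because the firewall maps an IP address to a user group from these records alone, a receiver should accept a record only if its Request Authenticator matches the shared secret. The following is an added example, not Ivanti or Fortinet code: it parses an RFC 2866 Accounting-Request and extracts the three identity fields, assuming the IP address arrives in Framed-IP-Address and the group in Class (the page does not name the attributes), with a constructed sample record and secret.

```python
import hashlib
import hmac
import ipaddress

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
# Assumption: IP arrives in Framed-IP-Address, group in Class; the page names neither.
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40  # attribute types
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(ident, attrs, secret):
    """Build an Accounting-Request the way a RADIUS client would (demo helper)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = bytes([ACCOUNTING_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big")
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def parse_accounting_request(packet, secret):
    """Verify the record, then return its user, ip, group and status."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator: wrong secret or forged record")
    fields, pos = {}, 20
    while pos < length:
        attr_len = packet[pos + 1] if pos + 2 <= length else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        fields[packet[pos]] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    missing = {USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS_TYPE} - fields.keys()
    if missing or len(fields[FRAMED_IP]) != 4:
        raise ValueError("record lacks the identity attributes needed for SSO")
    status = STATUS.get(int.from_bytes(fields[ACCT_STATUS_TYPE], "big"), "Other")
    return {"user": fields[USER_NAME].decode(), "group": fields[CLASS].decode(),
            "ip": str(ipaddress.IPv4Address(fields[FRAMED_IP])), "status": status}


# Constructed sample record and shared secret, not taken from a real deployment.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_RECORD = build_accounting_request(7, [
    (USER_NAME, b"alice"), (FRAMED_IP, bytes([10, 0, 0, 42])),
    (CLASS, b"Employees"), (ACCT_STATUS_TYPE, (1).to_bytes(4, "big")),
], SAMPLE_SECRET)
```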