Configuring FortiGate Firewall
The FortiGate firewall matches traffic from an endpoint against its configured security policies using the RSSO (RADIUS Single Sign-On) record that Ivanti Policy Secure sends for that endpoint. It determines the role(s) associated with that user and allows or denies the traffic according to the action configured in the matching security policy.
To configure FortiGate firewall:
- Select System > Network > Interfaces > [data interface] and enable RADIUS Accounting so that the interface listens for RADIUS Accounting messages.
- Select Fabric Connector > Create New and, under SSO/Identity, select RADIUS Single Sign-On Agent.
  - Name: Enter a name for the entry.
  - Enter the RADIUS shared secret; it must match the secret configured on Ivanti Policy Secure.
  - Click OK.
- Create matching user groups. Select User & Device > User Groups, click Create New and enter the following data:
  - Name: Enter the name of the group. This name appears in the firewall policy.
  - Type: Select RADIUS Single Sign-On.
  - RADIUS Attribute Value: Enter the user role created on Ivanti Policy Secure that this FortiGate user group should match.
  - Click OK.
- Create a firewall policy that uses the Ivanti Policy Secure enforcement groups just created. Select Policy & Objects > IPv4 Policy, click Create New and build the policy according to the resource access restrictions to be enforced.
- Disable overriding of roles on the FortiGate firewall when the same user logs in from a different device. By default the firewall replaces the stored role information with the latest role received from Ivanti Policy Secure.
For example, if the same user logs in to Ivanti Policy Secure from different devices (mobile/laptop) with different roles (Employee/Guest), the FortiGate firewall by default overrides the stored role information with the latest role received. To keep the earlier role instead, set sso-attribute-value-override to disable on the RSSO agent:

    config user radius
        edit <My_Rsso>
            set rsso enable
            set sso-attribute-value-override disable
        next
    end

With sso-attribute-value-override set to enable, the old attribute value is overwritten with the new value for the same endpoint; with disable, the existing value is kept.
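The following block is the CLI equivalent of the GUI steps above, collected into one place. It is an added example written for this page, not configuration taken from Ivanti or Fortinet documentation. The interface names port1 and port2, the agent name PSA_RSSO, the group name RSSO_Employee, the role value Employee, the policy ID 10 and the shared-secret placeholder are all assumed values to be replaced with your own; the RADIUS attribute that carries the role is left at the FortiGate default.

```text
# Step 1: let the LAN-side data interface (assumed: port2) accept RADIUS Accounting messages.
config system interface
    edit "port2"
        set allowaccess ping https ssh radius-acct
    next
end

# Step 2: the RSSO agent that receives accounting records from Ivanti Policy Secure.
# The secret must match the one configured on Ivanti Policy Secure, and validating it
# makes the FortiGate drop accounting records sent with the wrong secret. Override is
# disabled so a later login from a second device does not replace the role already
# recorded for that user.
config user radius
    edit "PSA_RSSO"
        set rsso enable
        set rsso-secret "<shared-secret-placeholder>"
        set rsso-validate-request-secret enable
        set sso-attribute-value-override disable
    next
end

# Step 3: one RSSO group per Ivanti Policy Secure role. The attribute value must equal
# the role name exactly as it is spelled on Ivanti Policy Secure.
config user group
    edit "RSSO_Employee"
        set group-type rsso
        set sso-attribute-value "Employee"
    next
end

# Step 4: a policy that only traffic from an endpoint holding the Employee role can match.
config firewall policy
    edit 10
        set name "RSSO_Employee_to_WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "RSSO_Employee"
    next
end
```

Endpoints for which no accounting record has arrived, or whose role matches none of the RSSO groups referenced by a policy, fall through to the implicit deny policy; that is what makes the role-based restriction enforceable rather than advisory. To confirm that the FortiGate has actually recorded a role for an endpoint, query the RSSO table with `diagnose rsso query ip <endpoint-address>`; an empty result with a user connected usually means the accounting messages are not reaching the interface from step 1 or are failing the shared-secret check from step 2.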