Fortigate LDAP Authentication or FSSO Over VPN

When setting up an FSSO fabric connector for Active Directory polling, or when using LDAP for authentication with FortiClient or firewall administration, and the AD domain controller sits on the far side of a site-to-site VPN, the fabric connector and the LDAP profile will by default source their requests from the firewall's public IP, which is not routed through the tunnel.

If you only need to send LDAP authentication requests across a VPN, you can simply set the source-ip option when configuring the LDAP profile in the CLI.

In this case, the source IP 10.255.255.1 is assigned to the internal interface of the firewall itself, so all requests to the DC at 10.10.10.100 are sourced from 10.255.255.1. You must ensure that 10.255.255.1 is included in the VPN phase 2 selectors and permitted by firewall policy on the other side.

Here is the snippet of the config to use for the LDAP Profile:

config user ldap
    edit "AD Profile"
        set server "10.10.10.100"
        set source-ip 10.255.255.1
        set cnid "sAMAccountName"
        set dn "dc=test,dc=com"
        set type regular
        set username "cn=Administrator,cn=Users,dc=test,dc=com"
    next
end
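The following is an added verification step, not part of the original post: it confirms that the LDAP profile above actually binds through the tunnel from 10.255.255.1. The account name and password are constructed placeholders; the profile name, DC address and source IP are the ones from the snippet above. The sniffer filter assumes plain LDAP on port 389; change it to 636 if the profile is set to LDAPS.

```fortios
# Added example (not from the original post). Test a bind against the profile
# defined above; username/password are placeholders for a real AD account.
diagnose test authserver ldap "AD Profile" testuser 'placeholder-password'

# In a second CLI session, capture LDAP traffic toward the DC while the test
# runs. Verbose level 4 prints the interface; the source address shown must be
# 10.255.255.1 and the egress interface must be the VPN tunnel, not the WAN.
diagnose sniffer packet any 'host 10.10.10.100 and port 389' 4 10
```

If the capture shows the WAN address as the source, the source-ip setting was not applied to the profile; if the source is correct but no reply arrives, check the phase 2 selectors and the policy on the remote firewall for 10.255.255.1.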

If you are using FSSO across a VPN, there is an additional consideration that is explained well in the document linked below. Setting source-ip in the LDAP profile isn't sufficient, because the FSSO connector does not take it into consideration.

Basically, when using an FSSO Fabric Connector, you must configure an IP address on the tunnel interface itself, which forces the Fabric Connector to source its requests from that address. There isn't an option in the GUI or CLI to pick a source IP for Fabric Connector traffic the way you can with the LDAP profile.

Link to Fortinet reference: https://kb.fortinet.com/kb/documentLink.do?externalID=FD41468
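The following is an added example of the tunnel-interface workaround described above; it is not from the original post or the Fortinet KB article. The tunnel name "to-HQ", the tunnel addresses 10.255.254.1/10.255.254.2 and the connector name "AD-FSSO" are constructed; the DC at 10.10.10.100 is assumed to be running the FSSO collector agent on its default TCP port 8000.

```fortios
# Added example (not from the original post). Give the IPsec tunnel interface
# its own address so the FSSO connector sources from it. "to-HQ" and the
# 10.255.254.x addresses are constructed values.
config system interface
    edit "to-HQ"
        set ip 10.255.254.1 255.255.255.255
        set remote-ip 10.255.254.2 255.255.255.255
    next
end

# The FSSO connector itself; no source-ip option exists here, which is why the
# tunnel interface address is needed. Password is a placeholder.
config user fsso
    edit "AD-FSSO"
        set server "10.10.10.100"
        set password collector-agent-password-placeholder
    next
end

# Verify: the connector should report "connected". If it stays disconnected,
# check that 10.255.254.1 is covered by the phase 2 selectors and that the
# remote firewall permits 10.255.254.1 -> 10.10.10.100 on TCP 8000.
diagnose debug authd fsso server-status
```

Once the connector is up, diagnose debug authd fsso list shows the logon sessions learned from the collector agent, which is the quickest way to confirm that polling is working end to end.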

Fortigate and SIP Troubles – Disable ALG

The SIP Application Layer Gateway (ALG) is enabled by default on Fortigate firewalls. I have seen a number of phone systems have trouble with phones registering when it is enabled, so the following steps can be used to disable the ALG. This is typically needed for hosted cloud-based phone systems, where the phones must register to a server hosted by a service provider and the SIP traffic has to traverse the firewall and NAT.

Backup the configuration before making these changes.

Run following commands from Fortigate firewall CLI:

config system settings
    set sip-helper disable
    set sip-nat-trace disable
    set default-voip-alg-mode kernel-helper-based
end

Next, we need to locate the SIP entry in the session helper list and delete it:

config system session-helper
show

Scroll down until you see the entry with "set name sip". In most cases I have seen this listed as entry 13, but confirm the number on your firewall before deleting it.

    delete 13
end

Here is the original configuration for this entry if you have to restore it:

config system session-helper
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end

Finally, we disable the RTP protocol processing on the firewall:

config voip profile
    edit default
        config sip
            set rtp disable
        end
    end

A reboot was required to make this all take effect. Without the reboot, tests showed the ALG disabled, but calls were not working and phones did not register. This was a Fortigate running 6.0.4. Other times, with 6.0.5, I have noticed that the reboot was not required.
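The following is an added check, not part of the original post, for deciding whether the reboot is needed on a given unit: it confirms the SIP helper entry is gone from the configuration and then inspects live SIP sessions for an attached helper. It assumes the phones register on UDP/TCP 5060 as in the helper entry above.

```fortios
# Added example (not from the original post). First confirm the session helper
# table no longer contains an entry with "set name sip".
config system session-helper
    show
end

# Then filter the session table to SIP signalling and list it while a phone
# re-registers. A "session info:" line that still carries "helper=sip" means
# the kernel is still applying the ALG and the reboot described above is needed.
diagnose sys session filter clear
diagnose sys session filter dport 5060
diagnose sys session list
```

Clear the filter again with diagnose sys session filter clear when done, so later session listings on the same CLI session are not silently restricted to port 5060.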