# Fortigate

# IPsec VPN to Azure with virtual network gateway

[https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway)

## Prerequisites<a name="Prerequisites"></a>

- A FortiGate with an Internet-facing IP address
- A valid Microsoft Azure account

## Sample topology<a name="Sample_topology"></a>

![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/3f59425e5a3d2d480af56f8f3ffd0ed8_Topology.png)

## Sample configuration<a name="Sample_configuration"></a>

This sample configuration shows how to:

1. [Configure an Azure virtual network](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To).
2. [Specify the Azure DNS server](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To2).
3. [Configure the Azure virtual network gateway](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To3).
4. [Configure the Azure local network gateway](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To4).
5. [Configure the FortiGate tunnel](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To5).
6. [Create the Azure firewall object](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To6).
7. [Create the FortiGate firewall policies](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To7).
8. [Create the FortiGate static route](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To8).
9. [Create the Azure site-to-site VPN connection](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To9).
10. [Check the results](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To10).

###### <a name="To"></a>To configure an Azure virtual network:

1. Log in to Azure and click *New*.
2. In *Search the Marketplace*, type *Virtual network*.
3. Click *Virtual network* to open the *Virtual network* pane. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/ab2c12e085d4d6464b1a2e245982e836_1a.Vnet.png)
4. At the bottom of the *Virtual network* pane, click the *Select a deployment model* dropdown list and select *Resource Manager*.
5. Click *Create*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/f642bf6f0d6b572a788a4f329a26e5fe_1b.Create%20Resource%20Manager.png)
6. On the *Create virtual network* pane, enter your virtual network settings, and click *Create*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/98261ee1b16b89602aeb79cd358f93d6_1c.Create%20Vnet.png)

###### <a name="To2"></a>To specify the Azure DNS server:

1. Open the virtual network you just created.
2. Click *DNS servers* to open the *DNS servers* pane.
3. Enter the IP address of the DNS server and click *Save*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/bbb8093059d3451bc6d85b6bee644699_2.DNS%20server.png)

###### <a name="To3"></a>To configure the Azure virtual network gateway:

1. In the portal dashboard, go to *New*.
2. Search for *Virtual Network Gateway* and click it to open the *Virtual network gateway* pane. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/45f72e6157e537f41c3f73ccc0f2fd21_3a.Vnet%20gateway%20list.png)
3. Click *Create Virtual network gateways* and enter the settings for your virtual network gateway. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/60ddbebf4cd9f08af602b4302fcd6ef9_3b.Create%20vnet%20gateway.png)
4. If needed, create a Public IP address. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/12a535332245dfbb6acd664506bc99f5_3c.Public%20IP.png)
5. Click *Create*. Creating the virtual network gateway might take some time. When the provisioning is done, you'll receive a notification.
    
    ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/7e14ed64ba01251e2568255a23c971ab_3d.Notification.png)

###### <a name="To4"></a>To configure the Azure local network gateway:

1. In the portal dashboard, click *All resources*.
2. Click *Add* and then click *See all*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/418c03ef25c9d9f317305c3550634d12_4a.Add.png)
3. In the *Everything* pane, search for *Local network gateway* and then click *Create local network gateway*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/5bc5f1095e7810b596123ea22d6ccf02_4b.Create%20local%20gateway.png)
4. For the *IP address*, enter the local network gateway IP address, that is, the FortiGate's external IP address. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/3486b6776dd2c6390b019dc31a5b0abf_4c.IP%20address.png)
5. Set the remaining values for your local network gateway and click *Create*.

###### <a name="To5"></a>To configure the FortiGate tunnel:

1. In the FortiGate, go to *VPN &gt; IPsec Wizard*.
2. Enter a *Name* for the tunnel, click *Custom*, and then click *Next*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/99992c6281260a48ba05829c5a8efa4b_5a.IPsec%20Wizard-1.png)
3. Configure the *Network* settings. 
    - For *Remote Gateway*, select *Static IP Address* and enter the public IP address assigned to the Azure virtual network gateway.
    - For *Interface*, select *wan1* (the Internet-facing interface).
    - For *NAT Traversal*, select *Disable*.
    - For *Dead Peer Detection*, select *On Idle*.
4. Configure the *Authentication* settings. 
    - For *Method*, select *Pre-shared Key* and enter the *Pre-shared Key*. Use a long random string; the same value is entered as the *Shared Key (PSK)* on the Azure connection in a later step.
    - For *IKE*, select *2* (Azure route-based gateways use IKEv2).
    
    ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/6d6ac0180a21ac235324fd5ba7c4e7a7_5b.Network%20settings.png)
5. Configure the *Phase 1 Proposal* settings. 
    - Set the Encryption and Authentication combinations to the three combinations accepted by Azure's default IKE policy: 
        - AES256 and SHA1
        - 3DES and SHA1
        - AES256 and SHA256
    - AES256 with SHA256 is the combination to prefer; 3DES and SHA1 are legacy algorithms, so remove them once you have confirmed that the Azure side negotiates AES256/SHA256.
    - For *Diffie-Hellman Groups*, select *2* (1024-bit MODP, the group in Azure's default policy; a custom IPsec/IKE policy on the Azure connection allows group 14).
    - Set *Key Lifetime (seconds)* to *28800*.
    
    ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/695e47f565d92c8195cefe6af5a2c5aa_5c.Phase1%20settings.png)
6. In *Phase 2 Selectors*, expand the *Advanced* section to configure the *Phase 2 Proposal* settings. 
    - Set the Encryption and Authentication combinations. 
        - AES256 and SHA1
        - 3DES and SHA1
        - AES256 and SHA256
    - Uncheck *Enable Perfect Forward Secrecy (PFS)* to match Azure's default policy. If you define a custom IPsec/IKE policy on the Azure connection with PFS enabled, enable PFS here with the same group.
    - Set *Key Lifetime (seconds)* to *27000*.
    
    ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/bd6aea44fcd49638975c3bb08b0e65b0_5d.Phase2%20settings.png)
7. Click *OK*.

###### <a name="To6"></a>To create the Azure firewall object:

1. In the FortiGate, go to *Policy &amp; Objects &gt; Addresses*.
2. Create an address object for the Azure virtual network's address space (and one for the local subnet, if it does not already exist). These objects are used as source and destination in the policies and static route that follow.

###### <a name="To7"></a>To create the FortiGate firewall policies:

1. In the FortiGate, go to *Policy &amp; Objects &gt; IPv4 Policy*.
2. Create a policy for the site-to-site connection that allows outgoing traffic. 
    - Set the *Incoming Interface* to the LAN interface and the *Outgoing Interface* to the IPsec tunnel interface created by the wizard.
    - Set the *Source* address and *Destination* address using the address objects you just created.
    - Disable *NAT*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/d1b858401fdf8d32c33bc21dfc2cf43f_7a.IPv4%20policy-1.png)
3. Create another policy that allows incoming traffic. 
    - For this policy, reverse the interfaces and swap the *Source* and *Destination* addresses. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/d876f1aa7d99222fbabc59a147835cce_7b.IPv4%20policy-2.png)
4. We recommend limiting the TCP maximum segment size (MSS) being sent and received so as to avoid packet drops and fragmentation. To do this, use the following CLI commands on both policies.
    
    ```
    config firewall policy
       edit <policy-id>
          set tcp-mss-sender 1350
          set tcp-mss-receiver 1350
       next
    end
    ```

###### <a name="To8"></a>To create the FortiGate static route:

1. In the FortiGate, go to *Network &gt; Static Routes*.
2. Create an IPv4 static route whose *Destination* is the Azure address object and whose *Interface* is the IPsec tunnel interface, so that traffic to Azure is forced through the route-based tunnel.
3. Set the *Administrative Distance* to a value lower than that of the existing default route. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/afa5990708dda19653d22cbdbcfc104c_8.Static%20route.png)

###### <a name="To9"></a>To create the Azure site-to-site VPN connection:

1. In the Azure portal, locate and select your virtual network gateway.
2. In the *Settings* pane, click *Connections* and then click *Add*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/1c708f5242d7c2f2a3ba253ef7a05446_9.Settings.png)
3. Enter the settings for your connection. Ensure the *Shared Key (PSK)* matches the *Pre-shared Key* for the FortiGate tunnel.

###### <a name="To10"></a>To check the results:

1. In the FortiGate, go to *Monitor &gt; IPsec Monitor*. 
    - Check that the tunnel is up. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/6278467ff1642e45ce8ab18cb4879f5b_10.Result1.png)
    - If the tunnel is down, right-click the tunnel and select *Bring Up*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/737bdad38477f87657ef984fce4e6b64_10.Result2.png)
2. In the FortiGate, go to *Log &amp; Report &gt; Events*. 
    - Select an event to view more information and verify the connection.
3. In the Azure portal dashboard, click *All resources* and locate your virtual network gateway. 
    1. In your virtual network gateway pane, click *Connections* to see the status of each connection. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/1c708f5242d7c2f2a3ba253ef7a05446_9.Settings.png)
    2. Click a connection to open the *Essentials* pane to view more information about that connection. 
        - If the connection is successful, the *Status* shows *Connected*.
        - See the *ingress* and *egress* bytes to confirm traffic flowing through the tunnel.
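As an added example (my code, not Fortinet's or Microsoft's), the script below parses FortiOS `show vpn ipsec phase1-interface` / `phase2-interface` text, flags the legacy choices that Azure's default policy forces (3DES, SHA1, DH group 2, PFS off), shows the same tunnel with the stronger settings a custom IPsec/IKE policy on the Azure connection allows, and clones the tunnel onto a second WAN interface the way the text-editor edit in the "Clone Existing IPsec VPN" section further down this page does. The sample config is constructed to mirror the settings above; the tunnel name, `wan2`, the placeholder `ENC` value and the 203.0.113.10 address are assumptions, and the values assumed for absent keys are FortiOS 6.x defaults.

```python
"""Parse FortiOS IPsec phase1/phase2 config text, flag legacy crypto choices and
clone a tunnel onto another WAN interface. Added example, not Fortinet code."""

# Constructed sample mirroring the Azure settings on this page (not captured
# from a device; the psksecret value is a placeholder and 203.0.113.10 is a
# documentation address standing in for the Azure gateway's public IP).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "AzureVPN"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha1 3des-sha1 aes256-sha256
        set dhgrp 2
        set nattraversal disable
        set dpd on-idle
        set keylife 28800
        set remote-gw 203.0.113.10
        set psksecret ENC PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "AzureVPN"
        set phase1name "AzureVPN"
        set proposal aes256-sha1 3des-sha1 aes256-sha256
        set pfs disable
        set keylifeseconds 27000
    next
end
"""

# The same tunnel with the stronger settings Azure accepts when the connection
# carries a custom IPsec/IKE policy (DH group 14 for IKE, PFS2048 for phase 2).
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("aes256-sha1 3des-sha1 aes256-sha256", "aes256-sha256")
                   .replace("set dhgrp 2", "set dhgrp 14")
                   .replace("set pfs disable", "set pfs enable\n        set dhgrp 14"))

WEAK_ENC = {"3des": "64-bit block cipher (Sweet32)", "des": "single DES is broken"}
WEAK_AUTH = {"sha1": "SHA-1 integrity is deprecated", "md5": "MD5 is broken"}
WEAK_DH = {"1", "2", "5"}  # MODP groups of 1536 bits or less


def parse_fortios(text):
    """Return {table: {entry: {key: value}}} from `show` output, keeping set order."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":
            table = tables.setdefault(rest, {})
        elif word == "edit":
            entry = table.setdefault(rest.strip('"'), {})
        elif word == "set":
            key, _, value = rest.partition(" ")
            entry[key] = value
    return tables


def audit_tunnel(tables, name):
    """List legacy settings in the phase1/phase2 entries called `name`.
    Where a key is absent, the FortiOS 6.x default is assumed."""
    p1 = tables.get("vpn ipsec phase1-interface", {}).get(name, {})
    p2 = tables.get("vpn ipsec phase2-interface", {}).get(name, {})
    findings = []
    if p1.get("ike-version", "1") != "2":
        findings.append("phase1: ike-version is not 2 (Azure route-based gateways use IKEv2)")
    for phase, cfg in (("phase1", p1), ("phase2", p2)):
        for prop in cfg.get("proposal", "").split():
            enc, _, auth = prop.partition("-")   # e.g. "3des-sha1" -> ("3des", "sha1")
            if enc in WEAK_ENC:
                findings.append(f"{phase} proposal {prop}: {WEAK_ENC[enc]}")
            if auth in WEAK_AUTH:
                findings.append(f"{phase} proposal {prop}: {WEAK_AUTH[auth]}")
    no_pfs = p2.get("pfs", "enable") == "disable"
    if no_pfs:
        findings.append("phase2: pfs disable, so an IKE SA compromise exposes every child SA")
    # Without PFS the phase-2 DH group is unused, so only check it when PFS is on.
    for phase, cfg in [("phase1", p1)] + ([] if no_pfs else [("phase2", p2)]):
        for grp in cfg.get("dhgrp", "14 5").split():
            if grp in WEAK_DH:
                findings.append(f"{phase} dhgrp {grp}: MODP group of 1536 bits or less")
    return findings


def clone_tunnel(tables, name, new_name, new_interface):
    """Render CLI that recreates tunnel `name` as `new_name` on `new_interface`.
    The stored psksecret (ENC ...) is kept, so the peer's PSK stays valid."""
    lines = []
    for table in ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface"):
        cfg = dict(tables[table][name])
        if table.endswith("phase1-interface"):
            cfg["interface"] = f'"{new_interface}"'
        else:
            cfg["phase1name"] = f'"{new_name}"'
        cfg.pop("comments", None)  # drop the "(Created by VPN wizard)" note
        lines += [f"config {table}", f'    edit "{new_name}"']
        lines += [f"        set {k} {v}" for k, v in cfg.items()]
        lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    tables = parse_fortios(SAMPLE_CONFIG)
    for finding in audit_tunnel(tables, "AzureVPN"):
        print("WARN", finding)
    print(clone_tunnel(tables, "AzureVPN", "AzureVPN-wan2", "wan2"))
```

Feed `parse_fortios` the real `show` output of your unit instead of the sample; paste the `clone_tunnel` output into the CLI of the same FortiGate it came from, since the stored `ENC` value is only meaningful there.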

# Change log level

This changes the minimum severity of the log messages the FortiGate forwards to a syslog server (it does not change what is logged locally).

1. Open the CLI.
2. Enter `config log syslogd filter` (use `syslogd2`, `syslogd3` or `syslogd4` for the second, third or fourth syslog server; the severity lives under the `filter` table, not `setting`).
3. Run `set severity <log level>`, where the level is one of `emergency`, `alert`, `critical`, `error`, `warning`, `notification`, `information` or `debug`; messages of that severity and higher are forwarded.
4. Finish with `end` to commit the change.
5. Run `show log syslogd filter` to confirm the log level (`show` prints only non-default values, so use `show full-configuration log syslogd filter` if the level is the default `information`).

[![image.png](https://docs.coltscomputer.services/uploads/images/gallery/2024-10/scaled-1680-/m4wBulPjA5FND0gu-image.png)](https://docs.coltscomputer.services/uploads/images/gallery/2024-10/m4wBulPjA5FND0gu-image.png)

# Troubleshooting FSSO Agent Install

**Description**

This article describes why Fortinet Single Sign-On (FSSO) stops working after upgrading to FSSO Collector Agent 5.0.0290.

**Scope**

FortiGate, FSSO, Collector Agent.

**Solution**

The Fortinet Single Sign-On Agent service appears to be stopped, and when it is restarted it stops again shortly after.

In the FSSO CA debug logs, the error 'cannot bind to UDP socket' can be found.

![pkavin_0-1648224302059.png](https://community.fortinet.com/t5/image/serverpage/image-id/5477i0C99275E5C572DF6/image-size/medium/is-moderation-mode/true?v=v2&px=400 "pkavin_0-1648224302059.png")

Starting with build 5.0.0290, the FSSO Collector Agent includes a Syslog service that listens on UDP port 514.

If UDP port 514 is already in use by another application, service or server on the Windows machine running the FSSO Collector Agent, the agent fails with 'cannot bind to UDP socket'.

To verify this, open a command prompt as administrator and run `netstat -abo`; this lists active connections and listening ports together with the PID and executable that own them.

On FSSO Agent build 5.0.0290 and later, go to **Advanced Settings -&gt; Syslog source list** and uncheck **Enable this feature**, since it also uses port 514.

After disabling the FSSO Collector Agent's Syslog functionality, the FSSO Collector Agent should start successfully.

![pkavin_1-1648224448922.png](https://community.fortinet.com/t5/image/serverpage/image-id/5478i554A546075DFA1FE/image-size/medium/is-moderation-mode/true?v=v2&px=400 "pkavin_1-1648224448922.png")

**Description**

This article describes why a FortiGate cannot connect to the FSSO Agent on Windows Server 2019 and how to resolve the issue.

**Scope**

FortiGate v7.2.1, FSSO Collector Agent.

**Solution**

As an example, an External Connector of type *FSSO Agent on Windows AD* has been configured on a FortiGate running 7.2.1.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![matanaskovic_0-1660919587463.png](https://community.fortinet.com/t5/image/serverpage/image-id/10639i98C528D537EA3B68/image-dimensions/625x290/is-moderation-mode/true?v=v2 "matanaskovic_0-1660919587463.png")</span></span>

The configuration was working, but FSSO communication between the FortiGate and FSSO Collector Agent 5.0.0306 suddenly stopped.

The FortiGate connects to the Collector Agent on TCP port 8000 by default. Verify that the Collector Agent is listening on TCP/8000 and that the Windows Firewall allows inbound connections to that port.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![matanaskovic_1-1660919620231.png](https://community.fortinet.com/t5/image/serverpage/image-id/10640i5178C9DC8B9745EB/image-dimensions/617x100/is-moderation-mode/true?v=v2 "matanaskovic_1-1660919620231.png")</span></span>

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![matanaskovic_2-1660919636954.png](https://community.fortinet.com/t5/image/serverpage/image-id/10641iEEAC8004FF6C4776/image-dimensions/608x82/is-moderation-mode/true?v=v2 "matanaskovic_2-1660919636954.png")</span></span>

From the FortiGate, double-check that the FSSO CA is listening and reachable by opening a TCP connection to port 8000 (`execute telnet <collector-ip> 8000`):

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![matanaskovic_3-1660919668489.png](https://community.fortinet.com/t5/image/serverpage/image-id/10642i554BD245DB9ADCE7/image-dimensions/605x164/is-moderation-mode/true?v=v2 "matanaskovic_3-1660919668489.png")</span></span>

The debug command that reports FSSO server status may still show 'waiting for retry' as the Connection Status.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![matanaskovic_4-1660919694805.png](https://community.fortinet.com/t5/image/serverpage/image-id/10643i94F0199583F8E012/image-dimensions/602x158/is-moderation-mode/true?v=v2 "matanaskovic_4-1660919694805.png")</span></span>

Commands shown in the picture:

```
diagnose debug enable
diagnose debug authd fsso server-status
```

For further troubleshooting of the connection to the FSSO CA from the FortiGate, enable authd application debugging:

```
diagnose debug application authd -1
Debug messages will be on for 30 minutes.
photon-kvm12 (root) # diagnose debug enable
photon-kvm12 (root) # authd_timer_run: 2 expired
authd_epoll_work: timeout 5000
authd_timer_run: 1 expired
authd_epoll_work: timeout 990
authd_timer_run: 1 expired
authd_epoll_work: timeout 10000
authd_epoll_work: timeout 10000
Server challenge:
 f9 57 20 05 7a 00 6d 50 42 7b a5 48 02 5d cf 37
MD5 response:
 d5 08 03 a2 66 f1 ad 2b 0c 9a 6f 9b a5 d1 e9 1c
authd_epoll_work: timeout 9990
_process_auth[FSSO-Collector Agent]: server authentication failed, aborting
disconnect_server_only[FSSO-Collector Agent]: disconnecting
authd_epoll_work: timeout 9990
diag deb disaauthd_timer_run: 1 expired
authd_epoll_work: timeout 9980
authd_epoll_work: timeout 9980
Server challenge:
 19 58 fc 28 4b 3a 66 7c 2c 0e 09 62 96 56 76 45
MD5 response:
 73 b5 03 1b b8 64 21 c8 82 7e 8d 10 e6 2b c3 99
authd_epoll_work: timeout 9970
_process_auth[FSSO-Collector Agent]: server authentication failed, aborting
disconnect_server_only[FSSO-Collector Agent]: disconnecting
authd_epoll_work: timeout 9960
```

The `_process_auth[...]: server authentication failed, aborting` lines show the challenge/response password check with the Collector Agent failing after the TCP connection was made, which points at the shared password rather than at the network.

After re-entering (or changing) the FSSO Agent password used for communication between the FortiGate and the FSSO Collector Agent, communication was established.

Make sure the password is no longer than 15 characters: the FSSO Collector Agent accepts passwords of at most 15 characters, so use a password of that length or shorter on both sides.

The status then shows 'Connected', which can be verified again with the same debug command.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper">![matanaskovic_0-1661436846730.png](https://community.fortinet.com/t5/image/serverpage/image-id/10936iF9EB1586C6B052E6/image-dimensions/629x333/is-moderation-mode/true?v=v2 "matanaskovic_0-1661436846730.png")</span></span>

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper">![matanaskovic_5-1660919765998.png](https://community.fortinet.com/t5/image/serverpage/image-id/10644i274C45C214CB14A9/image-dimensions/627x158/is-moderation-mode/true?v=v2 "matanaskovic_5-1660919765998.png")</span></span>

Identify the user account that runs the Fortinet Single Sign On service and validate its permissions; it must belong to the Administrators and/or Domain Admins groups:

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![admin account credentials.png](https://community.fortinet.com/t5/image/serverpage/image-id/37993iA747173AFFD1C490/image-size/large/is-moderation-mode/true?v=v2&px=999 "admin account credentials.png")</span></span>

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper">![the account should be admin or in admin group.png](https://community.fortinet.com/t5/image/serverpage/image-id/37994i66BC0CEC1156AE78/image-size/large/is-moderation-mode/true?v=v2&px=999 "the account should be admin or in admin group.png")</span></span>

If it still does not work after confirming that the password is the same on both the FortiGate and the Collector Agent, uninstall and reinstall the Collector Agent.

To uninstall the Collector Agent in Windows, go to **Add or Remove programs** under **System Settings**, find the FSSO Collector Agent and uninstall it.

To reinstall the Collector Agent, refer to [Technical Tip: How to install the FSSO Collector Agent](https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-install-the-FSSO-Collector-Agent/ta-p/252983).

After it is installed again, configure the FSSO Collector Agent and connect it to the FortiGate once more.

The status should then show as 'Connected'.
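As an added example, not Fortinet tooling: the script below reads saved `netstat -abo` output and reports the two conditions the two articles above turn on, which process holds UDP 514 (the Collector Agent's syslog listener port) and whether the Collector Agent is LISTENING on TCP 8000, plus which peers currently have an ESTABLISHED session to 8000. The netstat text is constructed; the process names, PIDs and addresses are made up, and the Collector Agent executable name `collectoragent.exe` is an assumption to adjust to what the `[...]` line shows on your host.

```python
"""Check the two listener facts the FSSO troubleshooting above relies on from
`netstat -abo` output: who holds UDP 514 and who is LISTENING on TCP 8000.
Added example, not Fortinet tooling; the agent executable name is assumed."""
import re

# Constructed sample in the layout `netstat -abo` prints on Windows (with -b the
# owning executable follows each socket line in square brackets, sometimes
# preceded by a service name). Process names, PIDs and addresses are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       4120
 [collectoragent.exe]
  TCP    10.0.0.5:8000          10.0.0.1:50412         ESTABLISHED     4120
 [collectoragent.exe]
  UDP    0.0.0.0:514            *:*                                    2788
 [SyslogWatcher.exe]
  UDP    [::]:3389              *:*                                    1304
  TermService
 [svchost.exe]
"""

# proto, local addr, local port, foreign addr, optional state (absent for UDP), pid
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Return one dict per socket line, with the owning executable from the -b line."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, local, port, foreign, state, pid = m.groups()
            sockets.append({"proto": proto, "local": local, "port": int(port),
                            "foreign": foreign, "state": state, "pid": int(pid),
                            "owner": None})
        elif sockets and (m := OWNER_RE.match(line)) and sockets[-1]["owner"] is None:
            sockets[-1]["owner"] = m.group(1)   # attaches to the preceding socket line
    return sockets


def check_fsso_host(text, agent_exe="collectoragent.exe"):
    """Return a list of findings; an empty list means both preconditions hold."""
    sockets = parse_netstat(text)

    def owner(s):
        return (s["owner"] or "").lower()

    findings = []
    for s in sockets:
        if s["proto"] == "UDP" and s["port"] == 514 and owner(s) != agent_exe:
            findings.append(f"UDP 514 is held by {s['owner']} (PID {s['pid']}); the "
                            "Collector Agent syslog listener cannot bind: disable "
                            "'Syslog source list' on the agent or move that service")
    listeners = [s for s in sockets if s["proto"] == "TCP" and s["port"] == 8000
                 and s["state"] == "LISTENING"]
    if not listeners:
        findings.append("nothing is LISTENING on TCP 8000; the Collector Agent "
                        "service is down or bound to another port")
    elif not any(owner(s) == agent_exe for s in listeners):
        findings.append(f"TCP 8000 is owned by {listeners[0]['owner']}, not {agent_exe}")
    return findings


def connected_fortigates(text):
    """Peer IPs with an ESTABLISHED session to local TCP 8000: FortiGates that
    completed the TCP handshake (not necessarily the password exchange)."""
    return sorted({s["foreign"].rsplit(":", 1)[0] for s in parse_netstat(text)
                   if s["proto"] == "TCP" and s["port"] == 8000
                   and s["state"] == "ESTABLISHED"})


if __name__ == "__main__":
    for finding in check_fsso_host(SAMPLE_NETSTAT) or ["no listener problems found"]:
        print(finding)
    print("established on 8000 from:", connected_fortigates(SAMPLE_NETSTAT))
```

Run `netstat -abo > netstat.txt` from an elevated prompt on the Collector Agent host and pass the file contents to `check_fsso_host`; a peer listed by `connected_fortigates` that still shows 'waiting for retry' on the FortiGate is the password-mismatch case from the second article.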

# Use Active Directory objects directly in policies


Active Directory (AD) groups can be used directly in identity-based firewall policies. You do not need to add remote AD groups to local FSSO groups before using them in policies.

FortiGate administrators can define how often group information is updated from AD LDAP servers.

###### To retrieve and use AD user groups in policies:

1. [Set the FSSO Collector Agent AD access mode](https://docs.fortinet.com/document/fortigate/7.2.9/administration-guide/795593#FSSO)
2. [Add an LDAP server](https://docs.fortinet.com/document/fortigate/7.2.9/administration-guide/795593#Add)
3. [Create the FSSO collector that updates the AD user groups list](https://docs.fortinet.com/document/fortigate/7.2.9/administration-guide/795593#Create)
4. [Use the AD user groups in a policy](https://docs.fortinet.com/document/fortigate/7.2.9/administration-guide/795593#Use)

## <a name="FSSO"></a>Set the FSSO Collector Agent AD access mode<a name="Set_the_FSSO_Collector_Agent_AD_access_mode"></a>

To use this feature, you must set FSSO Collector Agent to *Advanced* AD access mode. If the FSSO Collector Agent is running in the default mode, FortiGate cannot correctly match user group memberships.

![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/065ab6b9-541d-11ef-bfe5-fa163e15d75b/images/ba445c1c8b771c264f65b8ec32acd4fa_FSSO-collector-agent.jpg)

## <a name="Add"></a>Add an LDAP server<a name="Add_an_LDAP_server"></a>

**Caution:** When configuring an LDAP connection to an Active Directory server, an administrator must provide Active Directory user credentials.

- To secure this connection, use LDAPS on both the Active Directory server and the FortiGate. See [Configuring an LDAP server](https://docs.fortinet.com/document/fortigate/7.2.9/administration-guide/102264/configuring-an-ldap-server) and [Configuring client certificate authentication on the LDAP server](https://docs.fortinet.com/document/fortigate/7.2.9/administration-guide/033548/configuring-client-certificate-authentication-on-the-ldap-server).
- Apply the principle of least privilege: for the LDAP regular bind, do not use credentials that grant full administrative access to the Windows server. See [Configuring least privileges for LDAP admin account authentication in Active Directory](https://docs.fortinet.com/document/fortigate/7.2.9/administration-guide/631824/configuring-least-privileges-for-ldap-admin-account-authentication-in-active-directory).

###### To add an LDAP server in the GUI:

1. Go to *User &amp; Authentication &gt; LDAP Servers*.
2. Click *Create New*.
3. Configure the settings as needed.
    
    ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/065ab6b9-541d-11ef-bfe5-fa163e15d75b/images/b044ef6adce0df1a1de4a899efbd4303_AD-groups-prerequisites%20.jpg)
4. If the remote AD LDAP server supports secure communication over TLS:
    1. Enable *Secure Connection*.
    2. Select the protocol.
    3. Select the certificate of the CA that issued the AD LDAP server certificate.
        
        If the protocol is LDAPS, the port automatically changes to 636.
5. Click *OK*.

###### To add an LDAP server in the CLI:

```
config user ldap
    edit "AD-ldap"
        set server "10.1.100.131"
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
        set password XXXXXXXXXXXXXXXXXXXXXXXX
    next
end
```

This example binds as `Administrator`; following the caution above, use a dedicated read-only bind account in production, and enable LDAPS (the *Secure Connection* option from the GUI steps) so the bind credentials are not sent in clear text.

## <a name="Create"></a>Create the FSSO collector that updates the AD user groups list<a name="Create_the_FSSO_collector_that_updates_the_AD_user_groups_list"></a>

###### To create an FSSO agent connector in the GUI:

1. Go to *Security Fabric &gt; External Connectors*.
2. Click *Create New*.
3. In the *Endpoint/Identity* section, click *FSSO Agent on Windows AD*.
4. Fill in the *Name*.
5. Set the *Primary FSSO Agent* to the IP address of the FSSO Collector Agent, and enter its password.
6. Set the *User Group Source* to *Local*.
7. Set the *LDAP Server* to the *AD-ldap* server just created.
8. Enable *Proactively Retrieve from LDAP Server*.
9. Set the *Search Filter* to `(&(objectClass=group)(cn=group*))`.
    
    The default search filter retrieves all groups, including Microsoft system groups. In this example, the filter is configured to retrieve *group1*, *group2*, etc., and not groups like *grp199*.
    
    The filter syntax is not checked automatically; if it is incorrect, the FortiGate might not retrieve any groups.
10. Set the *Interval (minutes)* to configure how often the FortiGate contacts the remote AD LDAP server to update the group information.
    
    ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/065ab6b9-541d-11ef-bfe5-fa163e15d75b/images/6ac052622f7cb4ef2732bb7e37ebdddf_AD-groups-create-connector%20FSSO%20local-customized%20.jpg)
11. Click *OK*.
12. To view the AD user groups retrieved by the FSSO agent, hover the cursor over the group icon in the fabric connector listing.
    
    ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/065ab6b9-541d-11ef-bfe5-fa163e15d75b/images/80a83151f7a694d0dc184febfd73550e_Retrieved%20groups.png)

###### To create an FSSO agent connector in the CLI:

```
config user fsso
    edit "ad-advanced"
        set server "10.1.100.131"
        set password XXXXXXXXXXXXXX
        set ldap-server "AD-ldap"
        set ldap-poll enable
        set ldap-poll-interval 2
        set ldap-poll-filter "(&(objectClass=group)(cn=group*))"
    next
end
```

You can view the retrieved AD user groups with the `show user adgrp` command.
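Because the FortiGate does not validate the filter, it helps to test it offline before saving the connector. The following is an added example (not Fortinet code) that parses an LDAP search filter, supporting the `&`, `|`, `!`, equality, `*` substring and presence forms of RFC 4515, and evaluates it against a handful of constructed AD entries, so you can see which groups `(&(objectClass=group)(cn=group*))` retrieves and that a missing parenthesis is rejected. The entries and their names are made up; real AD groups carry many more attributes.

```python
"""Evaluate an LDAP search filter (RFC 4515 subset) against sample AD group
entries, to see which groups an ldap-poll-filter would retrieve and to catch
syntax errors the FortiGate does not report. Added example, not Fortinet code."""
import re

# Constructed entries standing in for AD objects; attribute names are stored in
# lowercase because LDAP attribute names are case-insensitive.
ENTRIES = [
    {"objectclass": ["top", "group"], "cn": "group1"},
    {"objectclass": ["top", "group"], "cn": "group2"},
    {"objectclass": ["top", "group"], "cn": "grp199"},
    {"objectclass": ["top", "group"], "cn": "Domain Admins"},
    {"objectclass": ["top", "person", "user"], "cn": "group1-owner"},
]


def parse_filter(s):
    """Parse a filter into a tuple tree; raise ValueError on malformed syntax.
    Supports (&...), (|...), (!...), equality, substring (*) and presence (=*)."""
    def item(i):
        if i >= len(s) or s[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i >= len(s):
            raise ValueError("unterminated filter")
        if s[i] in "&|":
            op, i, kids = s[i], i + 1, []
            while i < len(s) and s[i] == "(":
                node, i = item(i)
                kids.append(node)
            if not kids:
                raise ValueError(f"empty '{op}' at offset {i}")
            node = (op, kids)
        elif s[i] == "!":
            node, i = item(i + 1)
            node = ("!", node)
        else:
            j = s.find(")", i)
            attr, sep, val = s[i:j if j >= 0 else len(s)].partition("=")
            if j < 0 or not sep or not attr:
                raise ValueError(f"bad item at offset {i}")
            node, i = ("=", attr.lower(), val), j
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return node, i + 1

    node, end = item(0)
    if end != len(s):
        raise ValueError(f"trailing text at offset {end}")
    return node


def matches(node, entry):
    """True when `entry` satisfies the parsed filter `node`."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    if pattern == "*":                      # presence test
        return bool(values)
    # "group*" -> ^group.*$ ; values compare case-insensitively as in AD
    rx = re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)
    return any(rx.match(v) for v in values)


def select_groups(filter_str, entries=ENTRIES):
    """Return the cn of each entry the filter retrieves, in directory order."""
    node = parse_filter(filter_str)
    return [e["cn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    print(select_groups("(&(objectClass=group)(cn=group*))"))   # the page's filter
    print(select_groups("(objectClass=group)"))                 # a broad filter
    try:
        select_groups("(&(objectClass=group)(cn=group*)")       # missing ')'
    except ValueError as err:
        print("syntax error:", err)
```

The parser does not handle escaped characters (`\2a` and friends) or the `>=`, `<=`, `~=` and `:=` forms, which is enough for group-name filters like the one above; anything the FortiGate's default filter relies on beyond that should be tested against a real directory.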

## <a name="Use"></a>Use the AD user groups in a policy<a name="Use_the_AD_user_groups_in_a_policy"></a>

The AD user groups retrieved by the FortiGate can be used directly in firewall policies.

![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/065ab6b9-541d-11ef-bfe5-fa163e15d75b/images/fa76a12c58c63b393e23472c9f767d87_AD-groups-direct-in-firewall-policy%20.jpg)


# Clone Existing IPsec VPN

[Technical Tip: Cloning IPsec tunnel for other WAN interface](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Cloning-IPsec-tunnel-for-other-WAN-interface/ta-p/359480)

<div class="lia-message-body-wrapper lia-component-message-view-widget-body" id="bkmrk-description-this-art"><div class="lia-message-body" id="bkmrk-description-this-art-1" itemprop="text"><div class="lia-message-body-content"><table cellpadding="2px" cellspacing="2px" class="default-tkb-table" width="99.94755244755245%"><tbody><tr><td width="10%">Description</td><td width="89.94755244755245%"><span style="font-family: arial,helvetica,sans-serif;">This article provides an example of how to clone a site to site IPsec tunnel when one tunnel is created for a wan interface and need clone same for other wan interface.</span>

</td></tr><tr><td width="10%"><span style="font-family: arial,helvetica,sans-serif;">Scope</span></td><td width="89.94755244755245%">FortiGate.</td></tr><tr class="dt-solution-row"><td width="10%"><span style="font-family: arial,helvetica,sans-serif;">Solution</span></td><td width="89.94755244755245%"><span style="font-family: arial,helvetica,sans-serif;">There may be a situation where an IPsec tunnel that has already been established with one WAN interface needs to be replicated for another WAN interface.</span>

To do this, either run the IPsec wizard again and re-enter every setting, or, faster, copy the existing tunnel's configuration from the CLI, edit it and paste it back, as described below.

First, gather the tunnel's phase 1 and phase 2 configuration from the CLI (`show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface`) and paste it into a text editor:

Phase1 information:

```
config vpn ipsec phase1-interface
    edit "IPsecTunnel"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
        set remote-gw x.x.x.x
        set psksecret ENC cKEiJTnk9PJH1fNS9j7BDqFqUmgiLT4EOqqzJKRlrhMIVnTdYvHmqZHRaRM3p1sz/BjYqCLv0YEZplWjECN6HvzOE2jwY1JU0IPRcFGRkmE2yvMrjltUQEThZNPq73Q9wMOT+vM/M0eW63wEQj/wqpgatsXrRnBxhniXcDp6LssBLsq9MlvwYb3rhAEl7puEOdwYzw==
    next
end
```

<span style="font-family: arial,helvetica,sans-serif;">Phase2 information:</span>

**<span style="font-family: courier new,courier;">config vpn ipsec phase2-interface</span>**

<span style="font-family: courier new,courier;"> edit "IPsecTunnel"</span>

<span style="font-family: courier new,courier;"> set phase1name "IPsecTunnel"</span>

<span style="font-family: courier new,courier;"> set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305</span>

<span style="font-family: courier new,courier;"> set comments "VPN: IPsecTunnel (Created by VPN wizard)"</span>

<span style="font-family: courier new,courier;"> set src-addr-type name</span>

<span style="font-family: courier new,courier;"> set dst-addr-type name</span>

<span style="font-family: courier new,courier;"> set src-name "IPsecTunnel\_local"</span>

<span style="font-family: courier new,courier;"> set dst-name "IPsecTunnel\_remote"</span>

<span style="font-family: courier new,courier;"> next</span>

<span style="font-family: courier new,courier;">end</span>

<span style="font-family: arial,helvetica,sans-serif;">Now make the following changes in the text editor. Once this is done, paste the content into the CLI:</span>

**<span style="font-family: courier new,courier;">config vpn ipsec phase1-interface</span>**

<span style="font-family: courier new,courier;"> edit "IPsecTunnel2" </span>&lt;- Change the Tunnel name.

<span style="font-family: courier new,courier;"> set interface "port5" </span>&lt;- Change port to the desired WAN port.

<span style="font-family: courier new,courier;"> set peertype any</span>

<span style="font-family: courier new,courier;"> set net-device disable</span>

<span style="font-family: courier new,courier;"> set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1</span>

<span style="font-family: courier new,courier;"> set comments "VPN: IPsecTunnel (Created by VPN wizard)"</span>

<span style="font-family: courier new,courier;"> set remote-gw x.x.x.x</span>

<span style="font-family: courier new,courier;"> set psksecret ENC "</span>

<span style="font-family: courier new,courier;">cKEiJTnk9PJH1fNS9j7BDqFqUmgiLT4EOqqzJKRlrhMIVnTdYvHmqZHRaRM3p1sz/BjYqCLv0YEZplWjECN6HvzOE2jwY1JU0IPRcFGRkmE2yvMrjltUQEThZNPq73Q9wMOT+vM/M0eW6</span>

<span style="font-family: courier new,courier;">3wEQj/wqpgatsXrRnBxhniXcDp6LssBLsq9MlvwYb3rhAEl7puEOdwYzw==</span>

<span style="font-family: courier new,courier;">"</span>

<span style="font-family: courier new,courier;"> next</span>

<span style="font-family: courier new,courier;">end</span>

<span style="font-family: arial,helvetica,sans-serif;">For the PSK part, follow the instructions shown in the screenshot below to paste it:</span>

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![pskclon.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/64264i30ED79791D902256/image-dimensions/649x363/is-moderation-mode/true?v=v2 "pskclon.PNG")</span></span>

**<span style="font-family: courier new,courier;">config vpn ipsec phase2-interface</span>**

<span style="font-family: courier new,courier;"> edit "IPsecTunnel2" </span>&lt;- Change the Tunnel name.

<span style="font-family: courier new,courier;"> set phase1name "IPsecTunnel2" </span>&lt;- Change the Tunnel name.

<span style="font-family: courier new,courier;"> set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305</span>

<span style="font-family: courier new,courier;"> set comments "VPN: IPsecTunnel (Created by VPN wizard)"</span>

<span style="font-family: courier new,courier;"> set src-addr-type name</span>

<span style="font-family: courier new,courier;"> set dst-addr-type name</span>

<span style="font-family: courier new,courier;"> set src-name "IPsecTunnel\_local"</span>

<span style="font-family: courier new,courier;"> set dst-name "IPsecTunnel\_remote"</span>

<span style="font-family: courier new,courier;"> next</span>

<span style="font-family: courier new,courier;">end</span>

<span style="font-family: arial,helvetica,sans-serif;">Afterwards, verify from the GUI that the tunnel has been created:</span>

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![ipsectunnels.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/64241iC2EBD0C936BB8C7E/image-dimensions/650x145/is-moderation-mode/true?v=v2 "ipsectunnels.PNG")</span></span>

Before cloning the tunnel.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper">![IPsectunnels2.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/64242i43015656C4320A40/image-dimensions/651x71/is-moderation-mode/true?v=v2 "IPsectunnels2.PNG")</span></span>

After cloning the tunnel.

<span style="font-family: arial,helvetica,sans-serif;">Get the information for the static route and the firewall policies:</span>

**<span style="font-family: courier new,courier;">config router static</span>**

<span style="font-family: courier new,courier;"> edit 2</span>

<span style="font-family: courier new,courier;"> set device "IPsecTunnel"</span>

<span style="font-family: courier new,courier;"> set comment "VPN: IPsecTunnel (Created by VPN wizard)"</span>

<span style="font-family: courier new,courier;"> set dstaddr "IPsecTunnel\_remote"</span>

<span style="font-family: courier new,courier;"> next</span>

<span style="font-family: courier new,courier;">end</span>

**<span style="font-family: courier new,courier;">config firewall policy</span>**

<span style="font-family: courier new,courier;"> edit 2</span>

<span style="font-family: courier new,courier;"> set name "vpn\_IPsecTunnel\_remote\_0"</span>

<span style="font-family: courier new,courier;"> set uuid 7e44106e-a776-51ef-dedb-e06d8c3a0afb</span>

<span style="font-family: courier new,courier;"> set srcintf "IPsecTunnel"</span>

<span style="font-family: courier new,courier;"> set dstintf "port2"</span>

<span style="font-family: courier new,courier;"> set action accept</span>

<span style="font-family: courier new,courier;"> set srcaddr "IPsecTunnel\_remote"</span>

<span style="font-family: courier new,courier;"> set dstaddr "IPsecTunnel\_local"</span>

<span style="font-family: courier new,courier;"> set schedule "always"</span>

<span style="font-family: courier new,courier;"> set service "ALL"</span>

<span style="font-family: courier new,courier;"> set comments "VPN: IPsecTunnel (Created by VPN wizard)"</span>

<span style="font-family: courier new,courier;"> next</span>

<span style="font-family: courier new,courier;">end</span>

**<span style="font-family: courier new,courier;">config firewall policy</span>**

<span style="font-family: courier new,courier;"> edit 1</span>

<span style="font-family: courier new,courier;"> set name "vpn\_IPsecTunnel\_local\_0"</span>

<span style="font-family: courier new,courier;"> set uuid 7e35bbcc-a776-51ef-5990-8db56fd0e567</span>

<span style="font-family: courier new,courier;"> set srcintf "port2"</span>

<span style="font-family: courier new,courier;"> set dstintf "IPsecTunnel"</span>

<span style="font-family: courier new,courier;"> set action accept</span>

<span style="font-family: courier new,courier;"> set srcaddr "IPsecTunnel\_local"</span>

<span style="font-family: courier new,courier;"> set dstaddr "IPsecTunnel\_remote"</span>

<span style="font-family: courier new,courier;"> set schedule "always"</span>

<span style="font-family: courier new,courier;"> set service "ALL"</span>

<span style="font-family: courier new,courier;"> set comments "VPN: IPsecTunnel (Created by VPN wizard)"</span>

<span style="font-family: courier new,courier;"> next</span>

<span style="font-family: courier new,courier;">end</span>

<span style="font-family: arial,helvetica,sans-serif;">Afterwards, clone/copy the firewall policies for the tunnel and change the tunnel interface to the new tunnel.</span>

<span style="font-family: arial,helvetica,sans-serif;">CLI:</span>

**<span style="font-family: courier new,courier;">config firewall policy</span>**

<span style="font-family: courier new,courier;">clone 1 to 3</span>

<span style="font-family: courier new,courier;">clone 2 to 4</span>

<span style="font-family: courier new,courier;">end</span>

<span style="font-family: arial,helvetica,sans-serif;">Afterwards, change the IPsec tunnel interface from the GUI, or paste the copied firewall policies with the IPsec tunnel interface modified:</span>

**<span style="font-family: courier new,courier;">config firewall policy</span>**

<span style="font-family: courier new,courier;"> edit 2</span>

<span style="font-family: courier new,courier;"> set name "vpn\_IPsecTunnel\_remote\_0"</span>

<span style="font-family: courier new,courier;"> set uuid 7e44106e-a776-51ef-dedb-e06d8c3a0afb</span>

<span style="font-family: courier new,courier;"> set srcintf "IPsecTunnel2" </span>&lt;- Change the Tunnel name.

<span style="font-family: courier new,courier;"> set dstintf "port2"</span>

<span style="font-family: courier new,courier;"> set action accept</span>

<span style="font-family: courier new,courier;"> set srcaddr "IPsecTunnel\_remote"</span>

<span style="font-family: courier new,courier;"> set dstaddr "IPsecTunnel\_local"</span>

<span style="font-family: courier new,courier;"> set schedule "always"</span>

<span style="font-family: courier new,courier;"> set service "ALL"</span>

<span style="font-family: courier new,courier;"> next</span>

<span style="font-family: courier new,courier;">end</span>

**<span style="font-family: courier new,courier;">config firewall policy</span>**

<span style="font-family: courier new,courier;"> edit 1</span>

<span style="font-family: courier new,courier;"> set name "vpn\_IPsecTunnel\_local\_0"</span>

<span style="font-family: courier new,courier;"> set uuid 7e35bbcc-a776-51ef-5990-8db56fd0e567</span>

<span style="font-family: courier new,courier;"> set srcintf "port2"</span>

<span style="font-family: courier new,courier;"> set dstintf "IPsecTunnel2" </span>&lt;- Change the Tunnel name.

<span style="font-family: courier new,courier;"> set action accept</span>

<span style="font-family: courier new,courier;"> set srcaddr "IPsecTunnel\_local"</span>

<span style="font-family: courier new,courier;"> set dstaddr "IPsecTunnel\_remote"</span>

<span style="font-family: courier new,courier;"> set schedule "always"</span>

<span style="font-family: courier new,courier;"> set service "ALL"</span>

<span style="font-family: courier new,courier;"> next</span>

<span style="font-family: courier new,courier;">end</span>

<span style="font-family: arial,helvetica,sans-serif;">GUI:</span>

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper">![clone firewalll policy.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/64243i22E8AB665FB5711A/image-dimensions/651x99/is-moderation-mode/true?v=v2 "clone firewalll policy.PNG")</span></span>

Clone method.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper">![clonefirewallpolicy.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/64244i6A52D9B687C2A3C4/image-dimensions/647x151/is-moderation-mode/true?v=v2 "clonefirewallpolicy.PNG")</span></span>  
<span style="font-family: arial,helvetica,sans-serif;">Similarly, clone or copy the static route and set the interface to the new Tunnel interface.</span>

<span style="font-family: arial,helvetica,sans-serif;">CLI:</span>

**<span style="font-family: courier new,courier;">config router static</span>**

<span style="font-family: courier new,courier;"> edit 3</span>

<span style="font-family: courier new,courier;"> set device "IPsecTunnel2" </span>&lt;- Change the Tunnel name.

<span style="font-family: courier new,courier;"> set dstaddr "IPsecTunnel\_remote"</span>

<span style="font-family: courier new,courier;"> next</span>

<span style="font-family: courier new,courier;">end</span>

<span style="font-family: arial,helvetica,sans-serif;">GUI:</span>

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![clone static route.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/64245i4425F7EDA2DF4ABD/image-dimensions/651x86/is-moderation-mode/true?v=v2 "clone static route.PNG")</span></span>

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![clonedstaticroute2.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/64246iB051073114ECD7D3/image-dimensions/650x274/is-moderation-mode/true?v=v2 "clonedstaticroute2.PNG")</span></span></td></tr></tbody></table>

</div></div></div>
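The text-editor step above (rename the tunnel, change the WAN port, keep the encrypted PSK, then do the same for the policies and the static route) can be scripted. The Python below is an added example, not Fortinet's code or part of the article: it rewrites copied FortiOS CLI blocks for the second tunnel, renumbers the policy and route entries to the new IDs that the article's `clone` commands produce (3 and 4) rather than reusing the original 1 and 2, and drops `set uuid` lines so the FortiGate assigns a fresh UUID to each new entry. The tunnel names and ports are the article's; the PSK blob and the UUID in the sample input are constructed placeholders.

```python
"""Clone FortiOS CLI blocks for a second IPsec tunnel.

Added example (not Fortinet's code): it automates the text-editor edits the
article above makes by hand. Tunnel names, ports and policy/route IDs are the
article's; the PSK blob and the UUID are constructed placeholders.
"""
import re

# Keys whose quoted value is the tunnel interface name and must follow the rename.
TUNNEL_KEYS = {"edit", "phase1name", "srcintf", "dstintf", "device"}


def clone_block(text, old_name, new_name, *, interface=None, new_id=None):
    """Return a FortiOS block rewritten to define a new object.

    Rules applied line by line:
    - a quoted reference to old_name under edit/phase1name/srcintf/dstintf/
      device becomes new_name; address objects such as "IPsecTunnel_remote"
      are left alone because only the exact quoted tunnel name matches
    - `set name` (policy name) has old_name substituted so the clone does not
      reuse the original policy's name
    - `set interface` is replaced when `interface` is given (phase1 only)
    - a numeric `edit N` becomes `edit new_id` when given (policies, routes)
    - `set uuid` lines are dropped so the FortiGate assigns a fresh UUID
    - `set psksecret ENC ...` is kept verbatim: the encrypted blob is valid on
      the same unit, which is what makes pasting faster than retyping the PSK
    """
    out = []
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        indent = line[: len(line) - len(line.lstrip())]
        if s.startswith("set uuid "):
            continue
        if new_id is not None and re.fullmatch(r"edit \d+", s):
            s = f"edit {new_id}"
        elif interface is not None and s.startswith('set interface "'):
            s = f'set interface "{interface}"'
        else:
            key = s.split()[1] if s.startswith("set ") else s.split()[0]
            if key in TUNNEL_KEYS:
                s = s.replace(f'"{old_name}"', f'"{new_name}"')
            elif key == "name":
                s = s.replace(old_name, new_name)
        out.append(indent + s)
    return "\n".join(out)


# Constructed copies of the article's blocks (PSK and UUID are placeholders).
PHASE1 = """config vpn ipsec phase1-interface
    edit "IPsecTunnel"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: IPsecTunnel (Created by VPN wizard)"
        set remote-gw x.x.x.x
        set psksecret ENC PLACEHOLDER_ENCRYPTED_PSK_BLOB==
    next
end"""

PHASE2 = """config vpn ipsec phase2-interface
    edit "IPsecTunnel"
        set phase1name "IPsecTunnel"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type name
        set dst-addr-type name
        set src-name "IPsecTunnel_local"
        set dst-name "IPsecTunnel_remote"
    next
end"""

POLICY_OUT = """config firewall policy
    edit 1
        set name "vpn_IPsecTunnel_local_0"
        set uuid 00000000-0000-0000-0000-000000000000
        set srcintf "port2"
        set dstintf "IPsecTunnel"
        set action accept
        set srcaddr "IPsecTunnel_local"
        set dstaddr "IPsecTunnel_remote"
        set schedule "always"
        set service "ALL"
    next
end"""

ROUTE = """config router static
    edit 2
        set device "IPsecTunnel"
        set dstaddr "IPsecTunnel_remote"
    next
end"""


def clone_tunnel(old="IPsecTunnel", new="IPsecTunnel2", wan="port5"):
    """Produce the paste-ready set of blocks for the second WAN interface."""
    return {
        "phase1": clone_block(PHASE1, old, new, interface=wan),
        "phase2": clone_block(PHASE2, old, new),
        "policy_out": clone_block(POLICY_OUT, old, new, new_id=3),
        "route": clone_block(ROUTE, old, new, new_id=3),
    }


if __name__ == "__main__":
    for name, block in clone_tunnel().items():
        print(f"# {name}\n{block}\n")
```

Paste the printed blocks into the CLI in the same order the article uses (phase1, phase2, policies, route); the inbound policy is cloned the same way with `new_id=4`.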

# Decrease Memory Usage

`diagnose debug crashlog read` (short form: `di de crashlog read`)

This command shows the FortiGate's crashlog.

Look in it for the message `"Kernel exits extreme low memory mode"`, which indicates the unit has been running out of memory.

`diag autoupdate versions` shows the versions of the FortiGuard auto-update packages.

`diag autoupdate versions | grep Attempt -f` shows the times of the auto-update attempts.

The first thing to do is disable the automatic security rating report:

`config sys global`

`set security-rating-run-on-schedule disable`

`end`

Next, set the Internet Service Database to download only the databases that are in use:

`config sys fortiguard`

`set internet-service-database on-demand`

`end`

Follow that with:

`execute update-ffdb-on-demand`
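Reading the crashlog by eye tells you whether the low-memory message is there; to see how often the unit has been under memory pressure and for how long (before and after the changes above), the output can be parsed. The Python below is an added example, not Fortinet's code: it pairs the kernel's "enters"/"exits" messages for conserve mode and extreme low memory mode into episodes with durations and the free memory at entry, and lists daemons the kernel killed. The sample lines are constructed, and their layout (index, timestamp, key=value fields, `msg="..."`) is an assumption about the crashlog format, so adjust the regular expressions if a real unit formats lines differently.

```python
"""Find memory-pressure episodes in FortiOS crashlog output.

Added example, not Fortinet's code. It scans the text of
`diagnose debug crashlog read` for the kernel's conserve-mode and extreme
low memory mode messages and pairs each "enters" with its "exits". The
sample below is constructed; its line layout is an assumption about the
crashlog format.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^\s*\d+:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
MODE_RE = re.compile(r'msg="Kernel (enters|exits) (conserve mode|extreme low memory mode)"')
FREE_RE = re.compile(r'free="(\d+) MB"')
KILLED_RE = re.compile(r"the killed daemon is (\S+?):")

# Constructed sample: two conserve-mode episodes, the second escalating to
# extreme low memory mode and costing a daemon.
SAMPLE_CRASHLOG = """\
1: 2024-05-30 05:01:10 service=kernel conserve=on total="3934 MB" free="388 MB" red="393 MB" msg="Kernel enters conserve mode"
2: 2024-05-30 05:03:45 service=kernel conserve=exit total="3934 MB" free="1630 MB" green="1966 MB" msg="Kernel exits conserve mode"
3: 2024-05-30 11:20:02 service=kernel conserve=on total="3934 MB" free="300 MB" red="393 MB" msg="Kernel enters conserve mode"
4: 2024-05-30 11:21:30 service=kernel conserve=on total="3934 MB" free="170 MB" extreme="197 MB" msg="Kernel enters extreme low memory mode"
5: 2024-05-30 11:22:05 the killed daemon is /bin/ipsengine: status=0x0
6: 2024-05-30 11:24:10 service=kernel conserve=on total="3934 MB" free="900 MB" msg="Kernel exits extreme low memory mode"
7: 2024-05-30 11:26:40 service=kernel conserve=exit total="3934 MB" free="1800 MB" msg="Kernel exits conserve mode"
"""


def parse_crashlog(text):
    """Return (episodes, killed).

    episodes: dicts {mode, start, end, seconds, free_mb_at_entry}, in the
              order the episodes ended; an episode still open at the end of
              the log has end=None and seconds=None
    killed:   (timestamp, daemon path) tuples for "the killed daemon is" lines
    """
    open_by_mode = {}
    episodes, killed = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        body = m.group(2)
        k = KILLED_RE.search(body)
        if k:
            killed.append((ts, k.group(1)))
            continue
        mm = MODE_RE.search(body)
        if not mm:
            continue
        verb, mode = mm.group(1), mm.group(2).replace(" mode", "")
        if verb == "enters":
            f = FREE_RE.search(body)
            open_by_mode[mode] = (ts, int(f.group(1)) if f else None)
        elif mode in open_by_mode:
            start, free = open_by_mode.pop(mode)
            episodes.append({"mode": mode, "start": start, "end": ts,
                             "seconds": int((ts - start).total_seconds()),
                             "free_mb_at_entry": free})
    # an "enters" without a matching "exits" means the unit is still under pressure
    for mode, (start, free) in open_by_mode.items():
        episodes.append({"mode": mode, "start": start, "end": None,
                         "seconds": None, "free_mb_at_entry": free})
    return episodes, killed


def summarize(text):
    """Total seconds spent in conserve mode, episode count and daemon kills."""
    episodes, killed = parse_crashlog(text)
    conserve = sum(e["seconds"] or 0 for e in episodes if e["mode"] == "conserve")
    return {"conserve_seconds": conserve, "episodes": len(episodes), "kills": len(killed)}


if __name__ == "__main__":
    for episode in parse_crashlog(SAMPLE_CRASHLOG)[0]:
        print(episode)
    print(summarize(SAMPLE_CRASHLOG))
```

Run it over the saved output of `diagnose debug crashlog read`; a rising number of episodes, or an episode that never exits, is the signal that the auto-update and security-rating changes above have not been enough.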

# Technical Tip: Configure FortiGate to restart (reboot) daily

[https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-FortiGate-to-restart-reboot-daily/ta-p/191859](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-FortiGate-to-restart-reboot-daily/ta-p/191859)


**Description**

This article describes how to set up FortiGate to reboot daily, at a pre-defined time.

**Scope**

FortiGate.

**Solution**

<span style="font-family: verdana,geneva;">FortiOS firmware allows the user to automate a daily restart (reboot) of the FortiGate at a pre-defined hour. This is a repeated reboot, but it **can be used for a one-time reboot at a predefined hour** (noting that the setting needs to be removed afterwards). An alternative option is an auto-script, which can further fine-tune the reboot cycle or add additional commands (from v5.6). </span>

<span style="font-family: verdana,geneva;">From v6.2, a more advanced method is available: the Automation Stitch (FortiOS v6.0 also has Automation Stitches, but they can only be triggered by an event, not by a schedule). **Daily restart.** This option is configurable from the CLI as shown in the example below:</span>

<div class="lia-message-body-wrapper lia-component-message-view-widget-body" id="bkmrk-%C2%A0-config-system-glob"><div class="lia-message-body" itemprop="text"><div class="lia-message-body-content"><div><span style="font-family: Verdana;"> </span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New;">**config system global**</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New;"> set daily-restart enable</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New;"> set restart-time 05:06</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New;">end</span></div><div><span style="font-family: Verdana;"> </span></div><div><span style="font-family: Verdana;">**Note**: If no restart-time is specified, the default is 00:00.</span></div><div> </div><div><span style="font-family: verdana,geneva;">Once the restart time is reached, the following message is displayed on the CLI console:</span></div><div><span style="font-family: Verdana;"> </span></div><div class="lia-indent-padding-left-30px">**<span style="font-family: Courier New;">The system will reboot due to scheduled daily restart. 
Current time is 05:06</span>**</div><div><span style="font-family: Courier New;"> </span></div><div><span style="font-family: Verdana;">Syslog message relating to this event:</span></div><div><span style="font-family: Verdana;"> </span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New;">2024-30-05 05:06:51 log\_id=0104041990 type=event subtype=admin pri=information fwver=040000 vd=root msg="Fortigate started"</span></div><div><span style="font-family: Courier New;"> </span></div><div><span style="font-family: Verdana;">The following entry will be logged under the GUI event logs:</span></div><div><span style="font-family: Verdana;"> </span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New;">2021-10-21 05:06:51 information admin 41990 Fortigate started</span></div><div><span style="font-family: Verdana;"> </span></div><div><span style="font-family: Verdana;">**Automation stitch reboot.**</span></div><div><span style="font-family: Verdana;">This option presents another level of integration with the operational level of the network. 
</span></div><div><span style="font-family: Verdana;">An action can be triggered based on specific predefined triggers.</span></div><div><span style="font-family: Verdana;"> </span></div><div><span style="font-family: Verdana;">In this example, a periodic reboot not triggered by a specific event has been used.</span></div><div><span style="font-family: Verdana;"> </span></div><div><span style="font-family: Verdana;">**Note**:</span></div><div><span style="font-family: Verdana;">Use short, simple names, and no spaces in the name field.</span></div><div><span style="font-family: Verdana;"> </span></div><div><span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![Stephen_G_0-1717078630851.png](https://community.fortinet.com/t5/image/serverpage/image-id/45254i85E464353049A239/image-dimensions/699x591?v=v2 "Stephen_G_0-1717078630851.png")</span></span></div><div> </div><div><div>The CLI commands created by this action:</div><div><span style="font-family: Verdana; font-size: small;"> </span></div></div><div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New; font-size: small;">**config system automation-action**</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New; font-size: small;"> edit "reboot"</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New; font-size: small;"> set action-type cli-script</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New; font-size: small;"> set required enable</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New; font-size: small;"> set script "exec reboot"</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New; font-size: small;"> set accprofile "super\_admin"</span></div><div 
class="lia-indent-padding-left-30px"><span style="font-family: Courier New; font-size: small;">end</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: Courier New; font-size: small;">**config system automation-trigger**</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> edit "autoreboot"</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> set trigger-type scheduled</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> set trigger-frequency weekly</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> set trigger-weekday monday</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> set trigger-hour 20</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> set trigger-minute 10</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> next</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;">end</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;">**config system automation-stitch**</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> edit "auto reboot"</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> set trigger "autoreboot"</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> **config actions**</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> edit 1</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> set action "reboot"</span></div><div 
class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> set required enable</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> next</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;"> end</span></div><div class="lia-indent-padding-left-30px"><span style="font-family: courier new,courier;">end</span></div></div><div class="lia-indent-padding-left-30px"><div class="lia-indent-padding-left-30px"> </div><div><span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper">![image - 2024-11-16T164229.083.png](https://community.fortinet.com/t5/image/serverpage/image-id/63675iDD99B80416307E92/image-dimensions/485x349/is-moderation-mode/true?v=v2 "image - 2024-11-16T164229.083.png")</span></span></div></div></div></div></div><div class="lia-message-body-wrapper lia-component-message-view-widget-body" id="bkmrk-note%3Afrom-v7.2-onwar"><div class="lia-message-body" id="bkmrk-note%3Afrom-v7.2-onwar-1" itemprop="text"><div class="lia-message-body-content"><div class="lia-indent-padding-left-30px"><div>  
</div></div><div><div><span style="font-family: verdana,geneva;">**Note:**</span>  
<span style="font-family: verdana,geneva;">From v7.2 onward, there is a new action type 'system action' which can be used to reboot, shut down, or back up the config of the FortiGate. Refer to this document for more details: [System automation actions to back up, reboot, or shut down the FortiGate.](https://docs.fortinet.com/document/fortigate/7.2.0/new-features/108345/system-automation-actions-to-back-up-reboot-or-shut-down-the-fortigate-7-2-1)</span>  
</div></div></div></div></div>

# Backup and restore the VPN configuration for the free FortiClient using the Windows Registry

[https://community.fortinet.com/t5/FortiClient/Technical-Tip-Backup-and-restore-the-VPN-configuration-for-the/ta-p/363486](https://community.fortinet.com/t5/FortiClient/Technical-Tip-Backup-and-restore-the-VPN-configuration-for-the/ta-p/363486)

<table cellpadding="2px" cellspacing="2px" class="default-tkb-table" id="bkmrk-description-this-art" width="100%"><tbody><tr><td height="57px" width="10%">Description</td><td height="57px" width="90%">This article describes how to back up and restore the VPN configuration (tunnels, settings, etc.) for the free FortiClient using the Windows Registry.</td></tr><tr><td height="30px" width="10%">Scope</td><td height="30px" width="90%">FortiClient.</td></tr><tr class="dt-solution-row"><td height="2957px" width="10%">Solution</td><td height="2957px" width="90%">The VPN tunnel configuration for the FortiClient is stored within the Windows Registry.  
It is possible to export the Registry keys from one machine and import them on a different machine.

  
Here there is both an SSL VPN and an IPsec tunnel configured on a free version of FortiClient.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![pc1.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/65847iF55C3F80E907090A/image-dimensions/589x468/is-moderation-mode/true?v=v2 "pc1.PNG")</span></span>These keys are located under <span style="font-family: courier new,courier;">HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Fortinet\\FortiClient</span>.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![registry.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/65848i0BC13A3EA713D69B/image-size/medium/is-moderation-mode/true?v=v2&px=400 "registry.PNG")</span></span>It is possible to export the FortiClient Registry keys by right-clicking the FortiClient folder and selecting 'Export'.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper">![export.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/65849i06A7643E0C049B76/image-size/medium/is-moderation-mode/true?v=v2&px=400 "export.PNG")</span></span>This will create a .reg file which can be run on other PCs to apply the same configuration.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![config.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/65852iE92465B28978C5DB/image-size/medium/is-moderation-mode/true?v=v2&px=400 "config.PNG")</span></span>Here is a new PC that has a fresh installation of the FortiClient.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![newpc.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/65850iD4ECB07AE5389EDB/image-dimensions/655x360/is-moderation-mode/true?v=v2 "newpc.PNG")</span></span>Once that file has been run and applied to the new PC's registry, those tunnels are visible.

<span class="lia-inline-image-display-wrapper lia-image-align-center"><span class="lia-message-image-wrapper lia-message-image-actions-narrow lia-message-image-actions-below">![newpc2.PNG](https://community.fortinet.com/t5/image/serverpage/image-id/65851i42A3E3F46A023DD1/image-dimensions/606x341/is-moderation-mode/true?v=v2 "newpc2.PNG")</span></span></td></tr></tbody></table>

# SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4

[https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-Authentication-fails-after-firmware/ta-p/407859](https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-Authentication-fails-after-firmware/ta-p/407859)

**Description**

This article describes how to resolve the SAML authentication issue that occurs after upgrading to v7.2.12, v7.4.9 or v7.6.4.

**Scope**

FortiGate v7.2.12, v7.4.9, v7.6.4.

**Solution**

Beginning with v7.2.12, v7.4.9 and v7.6.4, FortiGate verifies the signature of SAML Response messages. See 'SAML certificate verification' in the Release Notes. Note that this also includes the FIPS-CC CVE-Patched builds for FortiOS 7.2, such as FIPS-CC-72-5 and onward.

After the upgrade, SAML authentication when using FortiGate as the Service Provider (e.g., for IPsec/SSL VPN, FortiGate administrator logins, SAML captive portal) may fail. The below debugs can be run on the FortiGate while reproducing the issue from the test user's PC:

```
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug enable
```

To stop the debugs:

```
diagnose debug disable
diagnose debug reset
```

The following error, 'Signature element not found', will be seen in the debugs on the FortiGate:

```
IDP sig verify is required for response and assertions
__samld_sp_login_resp [833]: Failed to process response message. ret=101(Signature element not found.)
samld_send_common_reply [92]: Code: 1, id: 563501, pid: 2470, len: 65, data_len 49
samld_send_common_reply [101]: Attr: 22, 12, e
samld_send_common_reply [101]: Attr: 23, 37, Signature element not found.
samld_send_common_reply [120]: Sent resp: 65, pid=2470, job_id=563501.
```

The user sees the error 'Firewall Authentication Failed' in the browser.

With SSL VPN over FortiClient, the connection progress gets stuck at 'Status: 40%' after connecting.

After the upgrade, both the SAML assertion and the SAML response must be signed, not just the assertion. 'Signature element not found' indicates that no signature was provided. To resolve the authentication issue, change the IdP setting so that it signs both the SAML response and the assertion.

If Microsoft Entra ID is used as the IdP, select 'Sign SAML response and Assertion' as the signing option under Single sign-on -> SAML Certificates -> Edit -> SAML Signing Certificate.

This will fix the SAML authentication issue, and users will be able to authenticate successfully.
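The FortiGate-side check that produces 'Signature element not found' is a presence check: is there a `ds:Signature` child on the Response, and on each Assertion? The Python below is an added example, not Fortinet's code, that performs the same presence check on a SAML Response document so an IdP's signing settings can be verified from a captured response before users hit the error. It does not validate the signatures cryptographically (no certificate, canonicalisation or digest verification) and does not inspect `EncryptedAssertion` elements. The sample responses are constructed from flags that mirror an IdP's two signing options; the issuer URL, element IDs and signature values are placeholders.

```python
"""Check which parts of a SAML Response carry a Signature element.

Added example, not Fortinet's code. FortiOS v7.2.12 / v7.4.9 / v7.6.4 and
later require both the Response and the Assertion to be signed; the
"Signature element not found" debug line is that presence check failing.
This script performs the same presence check (and only that: it does not
verify the signatures cryptographically). Sample responses are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder enveloped signature; a real one carries SignedInfo, digests and KeyInfo.
SIGNATURE = ('<ds:Signature><ds:SignedInfo/>'
             '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>')


def build_response(sign_response, sign_assertion):
    """Constructed minimal SAML Response; the flags mirror an IdP's signing options."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp_placeholder" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  {SIGNATURE if sign_response else ''}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assertion_placeholder" Version="2.0">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    {SIGNATURE if sign_assertion else ''}
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def signature_coverage(xml_text):
    """Report whether the Response and each Assertion have a direct ds:Signature child."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # find() with a namespaced path looks at direct children only, which is
    # where an enveloped signature sits for the element it covers
    result = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertions": [],
    }
    for assertion in root.findall("saml:Assertion", NS):
        result["assertions"].append(
            (assertion.get("ID"), assertion.find("ds:Signature", NS) is not None))
    # encrypted assertions cannot be inspected without the SP's private key
    result["encrypted_assertions"] = len(root.findall("saml:EncryptedAssertion", NS))
    return result


def fortigate_would_reject(xml_text):
    """Reason a post-upgrade FortiGate would reject this response, or None if it passes."""
    cov = signature_coverage(xml_text)
    if not cov["response_signed"]:
        return "Signature element not found: Response is unsigned"
    unsigned = [aid for aid, signed in cov["assertions"] if not signed]
    if unsigned:
        return f"Signature element not found: unsigned Assertion(s) {unsigned}"
    if not cov["assertions"]:
        return "no Assertion present"
    return None


if __name__ == "__main__":
    for flags in [(True, True), (False, True), (True, False)]:
        print(flags, fortigate_would_reject(build_response(*flags)))
```

The two rejected cases correspond to the Google IdP note below: signing only the assertion or only the reply each leaves one element without a Signature, so either setting alone fails against a FortiGate that requires both.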

Note for Google IdP users: The Google implementation only signs either the assertion or reply based on the 'Signed reply' checkbox, but cannot sign both. If 'Signed reply' is unchecked, only the SAML Assertions are signed. If 'Signed reply' is checked, only the SAML Reply is signed. Both will fail since the FortiGate expects both Assertion AND Reply to be signed.

When Cisco Duo is used as the Identity Provider (IdP), ensure that both the 'Sign response' and 'Sign assertion' options are selected.

To configure this, navigate to Applications -> select the SSO application -> scroll down to SAML Response settings. Under Signing options, select both:

- Sign response
- Sign assertion

One potential mitigation strategy involves reverting to a previous firmware version, which may offer more stable performance under current conditions. While it is not a definitive fix, this approach could serve as a temporary workaround until a more permanent resolution is identified.

For more information, see this document: Set up your own custom SAML app.

Related articles:

Technical Tip: Login issues with SAML IdP. 'Failed to verify signature' error in SAML Debug  
Troubleshooting Tip: How to troubleshoot IPsec SAML Dial UP tunnel   

# Approved Countries List

- Canada
- Ireland
- Germany
- Japan
- South Korea (listed as: Korea, Republic of)
- Switzerland
- UK
- USA

<div id="bkmrk-">  
</div><div id="bkmrk-config-firewall-addr"><div>config firewall address  
edit "Germany"  
set type geography  
set country "DE"  
next  
edit "Canada"  
set type geography  
set country "CA"  
next  
edit "Japan"  
set type geography  
set country "JP"  
next  
edit "South Korea"  
set type geography  
set country "KR"  
next  
edit "Switzerland"  
set type geography  
set country "CH"  
next  
edit "UK"  
set type geography  
set country "GB"  
next  
edit "USA"  
set type geography  
set country "US"  
next  
edit "Ireland"  
set type geography  
set country "IE"  
next  
edit "Australia"  
set type geography  
set country "AU"  
next  
end  
config firewall addrgrp  
edit "Trusted Countries"  
set member "Canada" "Germany" "Japan" "South Korea" "Switzerland" "UK" "USA" "Ireland" "Australia"  
next  
end</div><div>AU Australia  
CA Canada  
CH Switzerland  
DE Germany  
GB United Kingdom  
IE Ireland  
JP Japan  
KR Korea, Republic of  
US United States</div></div>
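Generating the address objects and the group from one mapping keeps the two in step and avoids the copy-and-paste slips a hand-written block invites (a repeated `config firewall addrgrp` header, a missing `end`). The Python below is an added example, not the page's own config: it emits the same `config firewall address` and `config firewall addrgrp` text from the approved list, and `check_group()` reports any group member that is not on the approved list as well as approved countries missing from the group (the page's group above includes Australia, which the approved list does not). Names, ISO codes and the group name are the page's own.

```python
"""Build FortiOS geography address objects and an address group from one list.

Added example, not the page's own config. The mapping below is the page's
approved-countries list with the ISO 3166-1 alpha-2 codes FortiOS uses.
"""

APPROVED = {
    "Canada": "CA", "Ireland": "IE", "Germany": "DE", "Japan": "JP",
    "South Korea": "KR", "Switzerland": "CH", "UK": "GB", "USA": "US",
}


def geo_address_config(countries):
    """`config firewall address` block with one geography object per country."""
    lines = ["config firewall address"]
    for name, code in countries.items():
        lines += [f'    edit "{name}"',
                  "        set type geography",
                  f'        set country "{code}"',
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


def addrgrp_config(group, members):
    """`config firewall addrgrp` block whose member list is every named object."""
    quoted = " ".join(f'"{m}"' for m in members)
    return "\n".join(["config firewall addrgrp",
                      f'    edit "{group}"',
                      f"        set member {quoted}",
                      "    next",
                      "end"])


def check_group(members, approved):
    """Return (members not on the approved list, approved countries not in the group)."""
    extra = [m for m in members if m not in approved]
    missing = [c for c in approved if c not in members]
    return extra, missing


def build(group="Trusted Countries", approved=APPROVED):
    """Full paste-ready configuration: address objects first, then the group."""
    return geo_address_config(approved) + "\n" + addrgrp_config(group, list(approved))


if __name__ == "__main__":
    print(build())
    # the page's hand-written group, checked against the approved list
    page_members = ["Canada", "Germany", "Japan", "South Korea", "Switzerland",
                    "UK", "USA", "Ireland", "Australia"]
    print(check_group(page_members, APPROVED))
```

Running `check_group()` against the current group membership (from `show firewall addrgrp "Trusted Countries"`) is a quick way to confirm that the configured group still matches the approved list after someone edits either side.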