Injecting SSL VPN Logons in FAC/FSSO through Syslog

I've recently been testing possible ways of interacting with the Syslog SSO agent present within the FortiAuthenticator (FAC) appliance. The idea is to gather SSL VPN users and their "client IP" through Syslog and inject them into the FSSO scheme.

You'll need a few settings enabled on the FAC appliance. First, make sure that under Fortinet SSO Methods > SSO > General, Syslog SSO is turned on:

Once this is done at the FAC level, we need to ship syslogs from the FortiGates of interest (your SSL VPN concentrators). Since FortiOS 6.4.2 you can override the syslog settings, and this per VDOM.

As usual in my deployment schemes, all VPNs (IPsec/SSL) are terminated in a dedicated VDOM sitting in what I'd refer to as a backend VDOM (behind any WAN VDOM potentially hosting SD-WAN/P-Routes).

Here are the few CLI commands you'd need in order to set up syslog shipping (a real hammering if sent without filtering) toward your FAC appliance:

config log syslogd override-filter
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set filter "logid(0101039424,0101039425)"
end

config log syslogd override-setting
    set status enable
    set server ""
    set facility auth
    set source-ip "your.vdom.source.ip"
end

As seen above, I'm filtering the syslog traffic sent, here shipping only the "ssl-web tunnel up" and "ssl-web tunnel down" log IDs. Below are a few log IDs I compiled while testing this scheme:

logid="0101039424" = ssl-web tunnel up
logid="0101039425" = ssl-web tunnel down
logid="0101039947" = DTLS tunnel established
logid="0101039948" = tunnel-down / lost connection

Once our FortiGate has been set up to ship syslogs towards our FAC appliance, we need a few custom settings in order to process this information at the FAC layer:

Under Fortinet SSO Methods > SSO > Syslog Sources, we need to register the FortiGate(s) sending syslogs:

A Matching Rule has to be created. FAC supports a few syslog matching rules out of the box, but here we'll need custom controls:

Below is a "text" version of the above rule:

!!! mind the SPACE char at the end !!!
SSL VPN tunnel up
SSL VPN tunnel down

Once this is in place, you'll find your SSL VPN users within your FSSO scheme. Here is an edited fac/debug/syslog_sso output:

<38>date=2021-03-09 time=17:48:58 devname="EDITED" devid="FGTxxxxxx" eventtime=1615308539311806899 tz="+0100" logid="0101039424" type="event" subtype="vpn" level="information" vd="vVPN" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" tunnelid=EDITED remip=X.X.X.X user="USER" group="GROUP" dst_host="N/A" reason="login successfully" msg="SSL tunnel established"
03/09/2021 17:48:59 Extracted IP based on 'remip={{:client_ip}} ': X.X.X.X
03/09/2021 17:48:59 Extracted user based on 'user="{{:username}}" ': USER
03/09/2021 17:48:59 Extracted group based on 'group={{:group}}': "GROUP" dst_host="N/A" reason="login successfully" msg="SSL tunnel established"
03/09/2021 17:48:59 Login from 'X.X.X.X' (IPv6=''), user 'USER', group '"GROUP" dst_host="N/A" reason="login successfully" msg="SSL tunnel established"'
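The debug output above shows the third selector, group={{:group}}, swallowing everything after group= because nothing delimits where the group value ends, whereas the remip and user selectors stop at their trailing space or quote. The Python script below is an added example (not from the original post, FortiAuthenticator or Fortinet) that emulates this {{:name}} selector matching over constructed FortiGate-style log lines, applies the page's log ID filter, and compares the loose rule with a quoted, delimited group="{{:group}}" selector. The selector semantics, the sample lines and the helper names are assumptions made for the demonstration, not FAC's actual parser.

```python
import re
from typing import Dict, List

# Constructed sample syslog lines in the shape of the FortiGate SSL VPN events
# quoted on this page (all values are made up; 203.0.113.0/24 is a documentation range).
SAMPLE_SYSLOG = [
    '<38>date=2021-03-09 time=17:48:58 devname="FGT-VPN" devid="FGTPLACEHOLDER" '
    'logid="0101039424" type="event" subtype="vpn" level="information" vd="vVPN" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" tunnelid=1001 '
    'remip=203.0.113.10 user="alice" group="VPN-Users" dst_host="N/A" '
    'reason="login successfully" msg="SSL tunnel established"',
    '<38>date=2021-03-09 time=18:02:11 devname="FGT-VPN" devid="FGTPLACEHOLDER" '
    'logid="0101039425" type="event" subtype="vpn" level="information" vd="vVPN" '
    'logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-web" tunnelid=1001 '
    'remip=203.0.113.10 user="alice" group="VPN-Users" dst_host="N/A" '
    'duration=795 reason="User requested termination of service" msg="SSL tunnel shutdown"',
    # A DTLS event: not in the page's override-filter, so it must be ignored.
    '<38>date=2021-03-09 time=18:05:00 devname="FGT-VPN" devid="FGTPLACEHOLDER" '
    'logid="0101039947" type="event" subtype="vpn" level="information" vd="vVPN" '
    'logdesc="DTLS tunnel established" remip=203.0.113.11 user="bob" group="VPN-Users"',
]

# Log IDs the page ships to FAC, mapped to the FSSO action they represent.
WANTED_LOGIDS = {"0101039424": "login", "0101039425": "logout"}

# The selectors visible in the page's debug output (trailing spaces are significant)...
LOOSE_RULE = ['remip={{:client_ip}} ', 'user="{{:username}}" ', 'group={{:group}}']
# ...and the same rule with the group selector quoted and delimited.
STRICT_RULE = ['remip={{:client_ip}} ', 'user="{{:username}}" ', 'group="{{:group}}" ']

PLACEHOLDER = re.compile(r"\{\{:(\w+)\}\}")


def template_to_regex(template: str) -> re.Pattern:
    """Emulate a '{{:name}}' selector (assumed behaviour, not FAC's real parser):
    literal text, including a trailing space, must match exactly; a placeholder
    captures the shortest run up to the next literal, or everything to the end
    of the line when nothing follows it."""
    regex, pos = "", 0
    for m in PLACEHOLDER.finditer(template):
        regex += re.escape(template[pos:m.start()])
        tail = template[m.end():]
        regex += f"(?P<{m.group(1)}>.*?)" if tail else f"(?P<{m.group(1)}>.*)"
        pos = m.end()
    regex += re.escape(template[pos:])
    return re.compile(regex)


def extract_logons(lines: List[str], rule: List[str]) -> List[Dict[str, str]]:
    """Keep only the wanted log IDs and apply every selector of the rule.
    A line where any selector fails is dropped rather than injected half-parsed."""
    events = []
    for line in lines:
        logid = re.search(r'logid="(\d+)"', line)
        if not logid or logid.group(1) not in WANTED_LOGIDS:
            continue
        event = {"action": WANTED_LOGIDS[logid.group(1)]}
        for template in rule:
            m = template_to_regex(template).search(line)
            if m is None:
                event = None
                break
            event.update(m.groupdict())
        if event:
            events.append(event)
    return events


def overcaptured_fields(event: Dict[str, str]) -> List[str]:
    """Flag selector values that swallowed neighbouring key=value pairs."""
    return sorted(k for k, v in event.items() if k != "action" and "=" in v)


if __name__ == "__main__":
    for name, rule in (("loose", LOOSE_RULE), ("strict", STRICT_RULE)):
        for ev in extract_logons(SAMPLE_SYSLOG, rule):
            print(name, ev, "over-captured:", overcaptured_fields(ev))
```

Running the script shows the loose rule producing a group value that contains the rest of the line, exactly as in the debug output above, while the strict rule yields a clean "VPN-Users"; the over-capture check is the kind of sanity test worth running on a rule before the resulting group names start driving FSSO-based firewall policy.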

Now onto SSL VPN web portal logons: these won't really serve many purposes, since the remote-ip information will always carry the remote user's public IP, which will most probably be source-NATed within your premises.

Nevertheless, this is provided here as a guideline for gathering SSO logons through syslog. You're absolutely free to update the matching selectors in your rules, the shipped log IDs, etc.

Hope you find that useful.


Image Credits: Interstellar (film) / The TARS tactical robot / Warner Bros.
