NSE4 Part 4: Authentication, FSSO & Certificates

25 April 2026 FortinetNSE4FortiGateAuthenticationFSSOCertificatesSecurityCertification

NSE4 Part 4: Authentication, FSSO & Certificates

Part 4 of the NSE4 series. This post covers Lessons 5 and 7 of the official curriculum — firewall authentication, Fortinet Single Sign-On (FSSO), and certificate operations.

Authentication sources

A FortiGate can authenticate users from four backends, in this order of preference for most deployments:

SourceUse case
LocalSmall site, lab, break-glass admin
LDAPActive Directory or generic LDAP, password verification only
RADIUSLDAP backend + MFA (RSA, Duo), or VPN integration
TACACS+Mostly used for admin AAA, not user firewall auth

Local user creation:

config user local
    edit "alice"
        set type password
        set passwd ********
    next
end

LDAP server:

config user ldap
    edit "AD"
        set server 10.10.1.10
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=local"
        set type regular
        set username "CN=ldap-bind,..."
        set password ********
    next
end

User groups are the unit of policy enforcement, not individual users. A group can contain local users, LDAP users via filter, RADIUS attributes, or FSSO-mapped Active Directory groups.

Captive portal

When a firewall policy lists a user group but the source isn’t yet authenticated, the FortiGate intercepts HTTP/HTTPS and redirects to a captive portal. Configure on the interface or per policy:

config firewall policy
    edit 10
        set users "students"
        set groups "internet-users"
    next
end

For HTTPS interception the FortiGate needs a server certificate the client trusts — usually a public ACME cert if the portal hostname is internet-resolvable, or the FortiGate built-in certificate if you accept the cert warning.

Two-factor authentication

Two FortiOS-native 2FA paths come up:

  • FortiToken — TOTP token (mobile or hardware) bound to a user; activation via email or QR.
  • Email / SMS code — one-time code sent at logon.

Enable on a local user:

config user local
    edit "alice"
        set two-factor email
        set email-to "[email protected]"
    next
end

For RADIUS-based MFA (Duo, RSA, etc.), 2FA happens upstream — the FortiGate just relays the RADIUS challenge.

Fortinet Single Sign-On (FSSO)

FSSO learns who is using which IP and pushes that mapping to the FortiGate so the user appears on policies without a captive portal prompt. There are three collection modes you must know:

ModeHow it learns
Collector Agent + DC AgentA DLL on each domain controller streams logon events to a collector service, which pushes mappings to FortiGate. Most accurate.
Collector Agent + PollingThe collector polls each DC’s Security event log via WMI/WinRM. Easier to deploy, slightly delayed.
Agentless polling (FortiGate-direct)The FortiGate itself polls DCs. No Windows install required, but limited to small environments.

The collector listens on TCP/8000 by default and the FortiGate connects to it:

config user fsso
    edit "fsso-collector"
        set server 10.10.1.20
        set password ********
    next
end

FSSO groups are mapped from AD security groups. The FortiGate sees the mapped groups via:

diagnose debug authd fsso server-status
diagnose debug authd fsso list

The exam likes asking how a user appears in policies after first login, after group membership change, and after logoff — the answer is “as soon as the collector is told, with the configured group cache TTL”.

Certificate operations

A FortiGate is a participant in three certificate roles:

  1. Server cert — presented for HTTPS admin, SSL VPN portal, captive portal.
  2. CA store — trust anchors for verifying remote endpoints (LDAPS, FortiGuard, etc.).
  3. Inspection CA — the CA used to re-sign server certs during deep SSL inspection.

Manage under System → Certificates. CLI:

config vpn certificate ca
    edit "internal-root"
        set ca "<paste PEM>"
    next
end

SSL/SSH inspection profiles

Two modes for HTTPS inspection on policies:

  • Certificate inspection — the FortiGate reads the SNI and certificate from the TLS handshake but does not decrypt. Enough for web filtering by category. No client cert install needed.
  • Deep inspection (full SSL inspection) — the FortiGate intercepts the TLS session, presents its own re-signed cert to the client, and decrypts. Required for AV, app control on encrypted traffic, DLP. Clients must trust the FortiGate’s inspection CA.
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end

Common pitfalls the exam targets:

  • Apps that pin certificates (banking, some mobile apps) break under deep inspection — exempt by hostname or category.
  • The inspection CA must be deployed to clients via GPO, MDM, or manual install — otherwise every HTTPS site shows a cert warning.
  • HSTS preloaded sites still validate even if the FortiGate cert chains correctly.

Part 5 covers logging, monitoring, and the diagnostics commands you actually use during the exam labs.