Solution

There is a user named twtac1 belonging to the user group TONYg and using FortiProxy as a proxy.

config user group
    edit "TONYg"
        set member "10.1.212.116"
        config match
            edit 1
                set server-name "10.1.212.116"
                set group-name "CN=twtacgroup,CN=Users,DC=tac2016,DC=local"
            next
        end
    next
end

A user in the LDAP group twtacgroup will match the user group TONYg.

- Check that the user is in twtacgroup with ldap-search.
diagnose test authserver ldap-search 10.1.212.116 389 "dc=tac2016,dc=local" cn twtac1 twtac123 0 '(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=twtacgroup,cn=users,dc=tac2016,dc=local))' 2

searching 'dc=tac2016,dc=local, cn=cn' on 10.1.212.116:389 for (twtac1, twtac123), secure(0), filter((&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=twtacgroup,cn=users,dc=tac2016,dc=local))), flag(0x2), page_no(0)...
CN=twtac1,CN=Users,DC=tac2016,DC=local (twtac1, 0 entries)
CN=twtac2,CN=Users,DC=tac2016,DC=local (twtac2, 0 entries)
2 entries returned
- Check the group match of user twtac1 in WAD.

diagnose wad user list
ID: 8, VDOM: root, IPv4: 10.1.212.102
  user name   : twtac1@tac2016.local
  worker      : 2
  duration    : 302 seconds
  auth_type   : IP
  auth_method : NTLM
  pol_id      : 1
  g_id        : 2
  user_based  : 0
  expire      : in 545 seconds
  LAN:
    bytes_in=96068 bytes_out=4300127
  WAN:
    bytes_in=14933 bytes_out=6168

diagnose debug enable

(Starting from FortiProxy 7.4.11, the WAD output can be restricted to one user with diagnose wad user filter.)
diagnose wad user filter twtac1

Select the worker shown in the user list (worker : 2) with diag test app wad 220x <worker_id>:
diagnose test application wad 2202
Set diagnosis process: type=worker index=2 pid=1690

diagnose test application wad 110
users: [1]
 user:twtac1@tac2016.local@10.1.212.102(0x7f7636ce15c8), upn_domain=, type:IP, vf:0, ref:1, ntlm:0, has_fsae:0 active_auth:1 tp_proxy_auth:0 guest:0 fw:0
 user:1(0x7f7636da9898), ip:1(0x7f76316e6640), scheme=2, auth=yes, tfa=no, timeout:~505, id:8
 time: create=342 access=266 auth=342 traffic=95
 out_ip=0.0.0.0 out_ipv6=:: ftp_out_ip=0.0.0.0
 concurrent user limit: 65536
 lifetime=342s, creation time:Tue Mar 17 20:45:46 2026
 licensed session count 0
 local_ldap_cache_gen: 14 global_ldap_cache_gen: 16
 ldap_query_object: 0x7f7636dd0790 membership_type=1 number=5 srv/is_ldap/is_machine=10.1.212.116/1/0:
  [member 1 len=39]: cn=users,cn=builtin,dc=tac2016,dc=local
  [member 2 len=44]: cn=domain users,cn=users,dc=tac2016,dc=local
  [member 3 len=42]: cn=twtacgroup,cn=users,dc=tac2016,dc=local
  [member 4 len=44]: cn=sslvpn-group,cn=users,dc=tac2016,dc=local
  [member 5 len=6]: twtac1
 grp matched num:1
  grp id:2, ms_id:2
blackout users:
global concurrent user limit: 65536
Total allocated user:1 stale_count:0, in_list=1
Total shared user count:2, shared user quota:128000, form_auth_keepalive=0,active=1
IA seat used: 0, purchased: 250, max: 250
Timeout: keep-alive-mode=0(600 sec), lifetime=disable(0 min)
Deprecated. Please use "diag wad stats usr_info.usr_info_self" for user info client stats.

The member list is the user's memberOf set as WAD cached it; the match succeeds because member 3 equals the group-name configured under TONYg, and "grp matched num:1" with "grp id:2" corresponds to g_id 2 in the user list.
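To reproduce this group-match check offline, here is an added Python example (not from the article or from Fortinet) that parses the "[member N len=L]" lines of a wad 110 dump and compares them, case-insensitively, with the group-name from the config match entry; the sample text is a constructed excerpt shaped like the output above, and the config-to-DN mapping and function names are this example's own.

```python
import re

# Constructed excerpt in the shape of the "diagnose test application wad 110"
# output above, with the membership list for the page's sample user twtac1.
WAD_110_SAMPLE = """\
 ldap_query_object: 0x7f7636dd0790 membership_type=1 number=5 srv/is_ldap/is_machine=10.1.212.116/1/0:
  [member 1 len=39]: cn=users,cn=builtin,dc=tac2016,dc=local
  [member 2 len=44]: cn=domain users,cn=users,dc=tac2016,dc=local
  [member 3 len=42]: cn=twtacgroup,cn=users,dc=tac2016,dc=local
  [member 4 len=44]: cn=sslvpn-group,cn=users,dc=tac2016,dc=local
  [member 5 len=6]: twtac1
"""

# The group-name from the page's 'config user group' match entry for TONYg.
CONFIG_GROUPS = {"TONYg": "CN=twtacgroup,CN=Users,DC=tac2016,DC=local"}

MEMBER_RE = re.compile(r"\[member \d+ len=(\d+)\]:\s*(.+?)\s*$", re.MULTILINE)


def normalize_dn(dn: str) -> str:
    """Fold case and trim whitespace around unescaped RDN separators, so the
    mixed-case DN typed in the config compares equal to the lower-cased DN
    WAD prints (Active Directory DN matching is case-insensitive)."""
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", dn))


def parse_wad110_members(text: str) -> list:
    """Return the DNs listed as '[member N len=L]: DN'. The printed len is
    checked against the captured DN so a wrapped or truncated line is
    reported instead of silently producing a non-matching DN."""
    members = []
    for length, dn in MEMBER_RE.findall(text):
        if int(length) != len(dn):
            raise ValueError(f"len mismatch for {dn!r}: header says {length}")
        members.append(dn)
    return members


def matched_groups(config_groups: dict, members) -> list:
    """Names of the FortiProxy user groups whose match group-name appears in
    the user's LDAP membership; mirrors the 'grp matched num' line."""
    member_set = {normalize_dn(m) for m in members}
    return [g for g, dn in config_groups.items() if normalize_dn(dn) in member_set]


if __name__ == "__main__":
    print(matched_groups(CONFIG_GROUPS, parse_wad110_members(WAD_110_SAMPLE)))
```

If a pasted dump fails the len check, the line was wrapped or edited in transit; compare against the live CLI output rather than trusting the copy.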
diagnose test application wad 101
---Wad: src-affin=1 chld_cnt=0 workers=4 ssl-min-ver=3 cert-mgmt=0 f-disk=0 ----
gen: conf=0 addr=0 inform=0 cache=0
consev:mode=41 wad=2 sys=1 mem=0
av: f-mode=1 f-open=0 f-load=0 bypass=0
ips: need=1 svc_need=1 f-open=0
conn: cs=0 db=0 fch=0 inform=0
cache: wc=0 dd=0 csvc-cs=0 csvc-db=0 csvc-fch=1
user: 1 shared-user/quota=1/128000 concur-cnt/action=65536/0
---vf_id=0[ref=4 gen=17] pol-cnt=1 s-fail=0 ----
gen: pol=22 sec-grp=4 sec-attr=1 sec-child=5 webproxy=2 wanopt=0 auth-rule=25 usr=4 usrgrp=3 fw-user=4 zone=0 ssl-cert=3 cert-attr=0 url=0 youtube=0 ssh=0 cifs=0 icap=0 krb=4 ml-detection=2 rt-version=1
flags: webcache=0/0 wf-admin-ovrd=0 user-cat=0 inet-svc=0 tp-mode=0 insp-mode=0 tp-fwdsvr=0 addr_post_arg=0 rt-isdb=0 rt-policy=0 pol-rt=0 auth.addr/ext-cat/ext-ip/=0/0/0
vd=root ca = Fortinet_CA_SSL, cert=Fortinet_Factory
vd=root webproxy wp_flags=0x40000
----vf_id=0 polid=1 ref=1 gen=22/22 pol=0x7f7637e45fc0 sec=0x7f7636df1d88----
uuid_idx: 15742
connection policy: no
zone(1) to: port1
src address all matches any ipv4
dst address all matches any ipv4
application no applications defined
url-category cate=[]
service: need app_info (no) proto:15 src:0-65535 dst:0-65535
web cache(http/https/reverse_cache): disabled/disabled/disabled
webproxy profile: nil
negations: src no, dst no, services no
need l7 match: no
Stats: client: 1703259/28502, server: 30528230/1881813, active: 0
id-based, auth-rmsg-ovrd-grp:
log: traffic=yes utm=yes start=no http=yes extended=yes
schedule: always(always=1)
sec-profile '[@_single_@]' (ref=1,gen=1,5,22/4#1,5): ssh_tun_policy=0,alpn=3
rmsg_groups proto= AV= dlp= spam= web= file=N/A video=N/A
proto 0. 'default ' ref=0 in_tree=0 gen=3/3
dio 0. 'custom-deep-inspection' ref=2 in_tree=1 gen=2/2
groups:
 name: TONYg id: 2 type: 0
  member 0: 10.1.212.116
  match 0: svr/ldap=10.1.212.116/1 grp=cn=twtacgroup,cn=users,dc=tac2016,dc=local
 grp num:1
  grp id:2, grp_idx:0
usr grps:
 name: Guest-group, ref_cnt: 1, gen: 3, vf_id: 0, id: 1, rem_user=0
 name: TONYg, ref_cnt: 2, gen: 3, vf_id: 0, id: 2, rem_user=0
 name: SSO_Guest_Users, ref_cnt: 2, gen: 3, vf_id: 0, id: 16777215, rem_user=0
Dev address
 vf=0,ref=1,id=2, name=EMS_ALL_UNKNOWN_CLIENTS
 vf=0,ref=1,id=1, name=EMS_ALL_UNMANAGEABLE_CLIENTS
Loaded internet service apps:0
Ignored internet service apps:0

diagnose test application wad 2500
Set diagnosis process: type=user-info index=0 pid=1676

diagnose test application wad 159
uname=twtac1,pwd=no,vd=root
 ldap=10.1.212.116,ref_cnt=1,upd=0,wait=0
 sid-auth=0,status=2
 last_access=Tue Mar 17 20:50:46 2026
 user id=2, refresh_time=Tue Mar 17 20:50:46 2026
 user dn=CN=twtac1,CN=Users,DC=tac2016,DC=local
 sid:S-1-5-21-1369660952-2070497371-264238279-1113 name=CN=twtacgroup,CN=Users,DC=tac2016,DC=local
 sid:S-1-5-21-1369660952-2070497371-264238279-1108 name=CN=SSLVPN-Group,CN=Users,DC=tac2016,DC=local
 sid:S-1-5-21-1369660952-2070497371-264238279-513 name=CN=Domain Users,CN=Users,DC=tac2016,DC=local
 sid:S-1-5-32-545 name=CN=Users,CN=Builtin,DC=tac2016,DC=local
Total list 1 users, total list 4 groups.
- Command to de-authenticate user twtac1 in WAD.

diagnose wad user clear <ID> <IP|IPv6> <VDOM>

Example (values taken from the diagnose wad user list output above):
ID   : 8
IP   : 10.1.212.102
VDOM : root

diagnose wad user clear 8 10.1.212.102 root