theonlyVishay
New Member
August 13, 2025
Question

FortiClient EMS - tag endpoints based on nested AD groups 7.4.0


Hello,

  • FortiClient: 7.4.3
  • FortiClient EMS: 7.4.3 (Cloud)


We are testing configuring firewall rules with ZTNA Tags with an AD Group called "East Coast."

Inside the Group East Coast, we have NY, MD, DE, PA, CT, & MA. So, we have nested groups...
When we go to FortiClient EMS Cloud > Security Posture > Tag Monitor > East Coast, we do not see any users...

If I add the AD groups one by one (NY, MD, DE, PA, CT, & MA) with the "or" logic, it works...
All the users are under (NY, MD, DE, PA, CT, & MA) and not East Coast.
Is EMS Cloud not able to do a recursive lookup on LDAP AD groups?

The only thing I could find about it is:
ZTNA AD group lookup rule improvement | FortiClient 7.2.0 | Fortinet Document Library

According to the above link, EMS is not able to do so....
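To make the nested-group question concrete, here is an added Python example (it is not Fortinet's code and not from this thread) that flattens constructed AD-style group data the way a recursive lookup must, and contrasts it with a direct-membership-only lookup, which sees no users on the parent group, exactly the symptom described above. The DNs, users and group layout are made up for illustration; the matching-rule OID is Active Directory's real LDAP_MATCHING_RULE_IN_CHAIN, which lets the domain controller evaluate nested membership server-side. Whether EMS uses that filter is not stated in the thread.

```python
from collections import deque

# Constructed sample data modelled on the thread: a parent group "East Coast"
# whose only direct members are the state groups; users sit one level down.
# All DNs are made up for illustration.
BASE = "OU=Groups,DC=example,DC=local"
EAST_COAST = f"CN=East Coast,{BASE}"
STATES = {s: f"CN={s},{BASE}" for s in ("NY", "MD", "DE", "PA", "CT", "MA")}
USERS = {u: f"CN={u},OU=Users,DC=example,DC=local"
         for u in ("alice", "bob", "carol", "dave")}

# Group DN -> list of member DNs (the AD 'member' attribute). Any DN that is
# not a key here is treated as a non-group object, i.e. a user.
GROUPS = {
    EAST_COAST: list(STATES.values()),
    STATES["NY"]: [USERS["alice"], USERS["bob"]],
    STATES["MD"]: [USERS["carol"]],
    STATES["DE"]: [],
    STATES["PA"]: [USERS["dave"]],
    STATES["CT"]: [],
    STATES["MA"]: [USERS["alice"]],   # alice is in two state groups
}

# Same data with a membership loop (CT contains East Coast) to show that the
# recursive walk must track visited groups or it never terminates.
GROUPS_WITH_LOOP = {**GROUPS, STATES["CT"]: [EAST_COAST]}


def direct_user_members(group_dn, groups):
    """Users listed directly on the group: what a non-recursive lookup sees."""
    return {m for m in groups.get(group_dn, []) if m not in groups}


def effective_members(group_dn, groups):
    """Users reachable through any depth of nesting (transitive 'member' closure).

    Breadth-first walk over nested groups; the visited set makes group cycles safe.
    """
    users, visited = set(), set()
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        if current in visited:
            continue
        visited.add(current)
        for member in groups.get(current, []):
            if member in groups:
                queue.append(member)      # nested group: descend into it
            else:
                users.add(member)         # leaf object: a user
    return users


def is_effective_member(user_dn, group_dn, groups):
    """True if the user is in the group directly or through any nested group."""
    return user_dn in effective_members(group_dn, groups)


def in_chain_filter(group_dn):
    """LDAP filter asking Active Directory itself to evaluate nested membership.

    1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN; the DC walks the
    chain server-side, so the client needs no recursion of its own.
    """
    return f"(memberOf:1.2.840.113556.1.4.1941:={group_dn})"


if __name__ == "__main__":
    print("direct users in East Coast:", direct_user_members(EAST_COAST, GROUPS))
    print("effective users in East Coast:", sorted(effective_members(EAST_COAST, GROUPS)))
    print("effective users with a loop:", sorted(effective_members(EAST_COAST, GROUPS_WITH_LOOP)))
    print("server-side filter:", in_chain_filter(EAST_COAST))
```

The direct lookup on "East Coast" returns an empty set, which is what an empty Tag Monitor for the parent group looks like; the flattened lookup returns every user from the state groups, which is the result the poster gets only by listing the state groups one by one with "or" logic.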

1 reply

funkylicious
SuperUser
August 13, 2025

hi,

Created a tag with the condition "AD User in a security group" that has another security group in it, and it worked just fine for me in my lab running 7.4.3 EMS (on-prem)/FCT. The system that has that user logged into EMS got the tag assigned, and it's visible in Tag Monitor in EMS.

"jack of all trades, master of none"