emtee
New Member
June 13, 2019
Question

FSSO - AD polling vs SSO Agent


Hi,

Setting up my first FortiGate 101E v6.0. I have everything set up and working: firewall rules, static routes, SD-WAN. But I cannot get the AD polling to work.

Does anyone actually use AD polling, or is using the Fortinet SSO agent the more commonly used standard? What is the benefit of using the SSO agent? We have a relatively small environment: 2 DCs, 250 users.

Under Security Fabric > Fabric Connectors > Poll AD Server option I have configured this to connect to my AD - no issues. I've added the users/groups and added them to my IPv4 policies, but the policies never match.

Under Firewall User Monitor I can see users logging on.

The rule is incredibly basic: if the user is a member of the facebook_allow group, then allow Facebook.


    xsilver_FTNT
    Staff
    June 13, 2019

    Hi, your traffic is probably hitting some non-identity-based policy and so flowing unauthenticated, or even not matching your policy at all. Keep in mind that since 5.1 IP-based policies have precedence over identity-based ones. Use basic tools like the session list and flow debug to find out.

    https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30038


    emtee (Author)
    New Member
    June 13, 2019

    Thanks, I'll take a look at this. It is matching the rule below this, which is to block Facebook. However, this is just set for the entire subnet and is not user/group specific.

    xsilver_FTNT
    Staff
    June 13, 2019

    It should not be necessary to explicitly block Facebook. Keep in mind that FortiGate is an 'implicit deny' type of firewall.

    And so all the policies are positive exemptions to this deny-everything rule.

    Having an identity-based policy to allow Facebook to some authenticated users and letting everyone else fall through to the implicit deny should be enough.

    As I wrote before, IP-based policies are searched first, so if you have one policy to deny Facebook, all the users will hit that first, and there will be no attempt to hit the identity-based policy.
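The setup xsilver_FTNT recommends, written out as a constructed FortiOS CLI fragment (an added example, not the original poster's configuration or Fortinet's own documentation): one identity-based policy keyed on the FSSO group, no explicit deny, and the session/flow-debug commands for checking which policy a client actually hits. The interface names, the group DN, the application-control profile name and the client IP are assumptions.

```fortios
# FSSO group built from the AD group the connector polls (DN is a placeholder).
config user group
    edit "FSSO_facebook_allow"
        set group-type fsso-service
        set member "CN=facebook_allow,OU=Groups,DC=example,DC=local"
    next
end

# Single positive policy: only identified members of the group get Facebook.
# No "block Facebook for the whole subnet" policy is needed; everyone who is
# not matched here falls through to the implicit deny at the bottom.
config firewall policy
    edit 10
        set name "Allow-Facebook-FSSO"
        set srcintf "internal"          # assumed LAN interface
        set dstintf "wan1"              # assumed WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_facebook_allow" # the FSSO group above
        set utm-status enable
        set application-list "facebook-allow"  # assumed app-control profile
        set logtraffic all
        set nat enable
    next
end

# Diagnostics: confirm the FSSO user/IP mapping exists, then trace which
# policy ID a session from that client is assigned to (192.0.2.25 is a
# placeholder client address).
diagnose debug authd fsso list
diagnose sys session filter src 192.0.2.25
diagnose sys session list
diagnose debug flow filter addr 192.0.2.25
diagnose debug flow trace start 20
diagnose debug enable
# ... generate traffic from the client, then:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

In the flow trace, look for the "Allowed by Policy-10" (or "Denied by forward policy check") lines to see whether the session reached the identity-based policy or was decided earlier.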