InfoAzi
New Member
October 24, 2023
Question

Problems with webfiltering applied on security groups

  • October 24, 2023
  • 3 replies
  • 2047 views

Hi all,

I'm having some problems with configuring some policies using webfiltering, on a Fortigate 300E with 7.0.12 firmware version.

I already configured webfiltering and, if I apply it to a "simple" policy (source x destination y) it works good.

Now I have to make it work using LDAP users.

To do this, I added an LDAP server, then I added a user group "Test" that I linked to the security group "Test" (LDAP is working fine, I found it in the list so it is working correctly).

Then I added the user group to the policy and... the policy gets skipped by the users part of that group.

How can I solve this issue?

Thank you in advance, let me know if it's enough.

Thank you!

3 replies

smayank
Staff
October 24, 2023

Hello 

Please check by running the command below:

diagnose test authserver ldap LDAP_SERVER user1 password

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Fortigate-LDAP/ta-p/196280

InfoAzi (Author)
New Member
October 24, 2023

Hi, I did the test with success, the user can authenticate without problems.

The customer asked to use sso, which was already configured.

So I checked sso configuration and it is good. Then I tried to add the SSO group into the policy, and the result is the same.

Thank you

hbac
Staff
October 24, 2023

Hi @InfoAzi,

For local users behind the FortiGate, if you want to use LDAP groups, you need to configure FSSO. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-FSSO-in-DC-Agent-mode/ta-p/252994 and https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/450337/fsso

Regards,

InfoAzi (Author)
New Member
October 24, 2023

Hi @hbac ,

I was just saying in the last reply that it was configured. SSO agent is installed on the AD Server and the FSSO Agent on Windows AD Connector is configured on the Fortigate. It already shows the AD Groups. 

There are also the FSSO groups in the user groups field, and I tried to put them into the policy. The result is the same: if I add them, the policy gets skipped. Instead, without them it works.

Thank you for your reply!

hbac
Staff
October 24, 2023

@InfoAzi,

Do you see users under "Show Logon Users" of the FSSO agent? On the FortiGate, do you see users listed if you run this command: "diagnose debug authd fsso list"? The FSSO agent needs to send the user's information/IP address to the FortiGate first.

Regards,

EyponeDK
New Member
November 1, 2023

Hi @InfoAzi,
Did you find any solution for this?

I have an identical issue, running with the FSSO agent and using FSSO groups defined on the firewall.

I have a security group blocking "online storage" named "AD-FW-Block-Storage".
The rule has been placed in multiple places in the policy, but it looks like it keeps using the network as source and never considers the AD group.
The firewall can see that users are logged in, with "diagnose debug authd fsso list".

Did you find any solution?

hbac
Staff
November 2, 2023

Hi @EyponeDK,

Can you try moving the policy with the "AD-FW-Block-Storage" group to the top of the list? You can also check the forward traffic logs to see which policy it is matching.

Regards,
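As an added illustration (not part of this thread and not Fortinet's own documentation), the FortiOS CLI below puts the pieces the replies refer to in one place: an FSSO-type user group, an identity-based policy that applies a web filter profile to that group, the move that places it above the plain network policy, and the diagnostics for confirming that the FortiGate holds a logon for the client IP. Interface names, address objects, the group DN, the profile name, the client IP and the policy IDs are placeholders assumed for the example; the syntax follows FortiOS 7.0.

```text
# Added example (not from the thread): FortiOS 7.0 CLI. Interfaces, address
# objects, the group DN, profile name, client IP and policy IDs are assumed.

# 1. FSSO group on the FortiGate. The member must be the group DN exactly as the
#    collector agent reports it (choose it from the list the agent sends; the DN
#    below is an assumed placeholder).
config user group
    edit "AD-FW-Block-Storage"
        set group-type fsso-service
        set member "CN=AD-FW-Block-Storage,OU=Groups,DC=example,DC=local"
    next
end

# 2. Identity-based policy: same source/destination as the plain policy, plus
#    the group. It only matches traffic whose source IP FSSO has mapped to a
#    member of the group; any other traffic falls through to later policies.
config firewall policy
    edit 0
        set name "LAN-to-WAN-AD-Block-Storage"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "AD-FW-Block-Storage"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Block-Online-Storage"
        set logtraffic all
        set nat enable
    next
end

# 3. Ordering: policies are evaluated top down, so the identity policy must sit
#    above the broader network policy that would otherwise match first
#    (assumed IDs: 12 = identity policy, 1 = plain network policy).
config firewall policy
    move 12 before 1
end

# 4. Checks. The collector must be connected, and the client IP must appear in
#    the logon list with a group matching the DN from step 1; if it does not,
#    the identity policy is skipped, which is the behaviour the thread describes.
diagnose debug authd fsso server-status
diagnose debug authd fsso list

# 5. Which policy actually matched: filter the forward traffic log (category 0)
#    on the client IP and read the policyid field (IP is an assumed example).
execute log filter category 0
execute log filter field srcip 10.10.10.25
execute log display
```

The point the thread turns on is in step 4: a policy that carries a user group is matched against the source IP to logon mapping the FSSO agent has pushed, not against the network address alone, so a client whose IP is absent from that list is invisible to the identity policy and its traffic lands on the next policy without the group. Comparing the policyid in the forward traffic log with the ID shown for the identity policy after the move in step 3 tells you in one step whether the problem is ordering or a missing logon entry.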