FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rleon
Staff
Staff
Description
This article describes the behavior that can be seen in the presence of FSSO, in which a Replacement Message presented by the FortiGate (For example: Block, Warning, etc) will show the User Name of the user but not the Group Name.

rleon_FD40771_tn_FD40771-1.jpg

This is the expected behavior when the traffic for the user is allowed by a firewall policy that has no FSSO Group defined on it.

Solution
To have the FortiGate Replacement Message show the user Group Name, select an FSSO Group on the firewall policy:

FGT_5-6 # sh user group

config user group
    edit "DEV-Group"
        set group-type fsso-service
        set member "OFFICELAB/DEV"
    next
end

FGT_5-6 # sh firewall policy
config firewall policy
    edit 1
        set name "Internet-Access"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set fsso enable
        set groups "DEV-Group"
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next

Note that the FortiGate will show the name of the FSSO Group on the FortiGate that was mapped to the LDAP Group, it will not show the name of the LDAP Group.

rleon_FD40771_tn_FD40771-2.jpg

Contributors