This article describes behavior seen with FSSO in which a Replacement Message presented by the FortiGate (for example, a Block or Warning page) shows the user's User Name but not the Group Name.
This is the expected behavior when the user's traffic is allowed by a firewall policy that has no FSSO Group defined on it.
To have the FortiGate Replacement Message show the user Group Name, select an FSSO Group on the firewall policy:
FGT_5-6 # sh user group
config user group
    edit "DEV-Group"
        set group-type fsso-service
        set member "OFFICELAB/DEV"
    next
end

FGT_5-6 # sh firewall policy
config firewall policy
    edit 1
        set name "Internet-Access"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set fsso enable
        set groups "DEV-Group"
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
Note that the Replacement Message will show the name of the FSSO Group as configured on the FortiGate (the object mapped to the LDAP Group); it will not show the name of the LDAP Group itself.
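To find policies that would produce this behavior across a larger configuration, the following added example (not Fortinet's code) parses the "config firewall policy" section of a "show" dump and reports policies that have "set fsso enable" but no "set groups" bound; the sample dump is constructed for illustration.

```python
import re

# Constructed sample 'show firewall policy' output (not from a real device).
# Policy 1 binds an FSSO group; policy 2 enables FSSO with no group bound,
# so its replacement messages would show only the user name.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "Internet-Access"
        set action accept
        set fsso enable
        set groups "DEV-Group"
    next
    edit 2
        set name "Guest-Access"
        set action accept
        set fsso enable
    next
    edit 3
        set name "No-Auth"
        set action accept
    next
end
"""


def parse_policies(config_text):
    """Return {policy_id: {key: value}} for each 'edit N ... next' entry."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit\s+(\S+)$", line)
        if m:                      # start of a policy entry
            current = m.group(1)
            policies[current] = {}
        elif line == "next":       # end of the current entry
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            policies[current][key] = value
    return policies


def policies_missing_fsso_group(config_text):
    """IDs of policies with 'set fsso enable' but no 'set groups' line."""
    return [pid for pid, attrs in parse_policies(config_text).items()
            if attrs.get("fsso") == "enable" and "groups" not in attrs]


if __name__ == "__main__":
    print("FSSO policies without a group:", policies_missing_fsso_group(SAMPLE_CONFIG))
```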