FortiGate
bpozdena_FTNT
Article Id 197584

Description

This article describes how to correctly configure Group Filter on Collector Agent.

When configuring FSSO, administrators have the ability to specify which user groups will be monitored by FSSO.

The Group Filter can be defined either locally on FortiGate or directly on the FSSO Collector Agent.
In general the group filter should be defined locally on FortiGate, but there are situations where it needs to be defined on the FSSO Collector Agent.
The most common use cases for a group filter defined on the Collector Agent are:

  • FortiGate does not have connectivity to the LDAP server.
  • The Collector Agent will be serving many FortiGates, each with an identical group filter.

Scope

FortiGate.

Solution

  1. Open FSSO Collector Agent Configuration Utility.

  2. Select the 'Set Group Filter' button.

  3. Select the 'Add...' button to create a new group filter.

  4. Type the Serial Number and VDOM name of the FortiGate into the FortiGate Serial Number field. This value must be specified in the format <SN>-<VDOM>.
    Note: The VDOM name 'root' has to be specified even when VDOM functionality is not enabled on the target FortiGate.
    See the screenshot below for an example.

  5. Select the 'Advanced...' button to open the LDAP tree browser.

  6. Select the user groups that FSSO should monitor and confirm the selection by selecting 'Add selected user groups'.
    Note: It is necessary to select the Organizational Unit icons in order to expand the LDAP tree.

  7. To reflect the change on FortiGate, navigate to Security Fabric -> External Connectors -> [the FSSO Collector], ensure the User group source is set to Collector Agent, and select the 'Apply&Refresh' button.

    Screenshots for reference: (images not included in this extract)

Note:
There is a limit of 1024 users/groups in the FSSO Agent on the DC. This limit comes from Windows itself; see the Microsoft article 'What is the maximum number of security groups a user can be a member of?'.

Because of this limit, group filtering is used to conserve FSSO resources and to ensure that users who are members of the groups placed in the filter are read correctly.

Validation
Apart from the GUI, the group filter can also be verified in the CLI with the command 'show user adgrp', which lists the groups the FortiGate has learned from the Collector Agent.
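As an added example (not part of the original article and not Fortinet code), the script below does two things a practitioner tends to do by hand when rolling this out: it builds the '<SN>-<VDOM>' key for the Collector Agent filter (defaulting the VDOM to 'root', since the article notes that 'root' is required even without VDOMs), and it cross-checks the intended group list against a captured 'show user adgrp' output so that groups missing on the FortiGate, or groups that should not be there, are reported. The sample CLI output is constructed; the layout it assumes ('edit "<group DN>"' followed by 'set server-name "<connector>"') follows the generic FortiOS config style and is an assumption, not something the article shows, so adjust the parser if a real device prints it differently.

```python
"""Cross-check an FSSO Collector Agent group filter against a FortiGate's
learned groups ('show user adgrp').

Assumptions (not from the article): the sample output below is constructed
in the usual FortiOS 'config ... edit ... next ... end' layout, and the
1024-entry ceiling is the Windows group-membership limit the article cites.
"""
import re

MAX_FSSO_GROUPS = 1024  # limit the article attributes to Windows


def filter_key(serial, vdom="root"):
    """Build the '<SN>-<VDOM>' key the Collector Agent filter expects.

    'root' must be given explicitly even on a FortiGate without VDOMs
    enabled, so the default is 'root' rather than an empty string.
    """
    serial = serial.strip()
    vdom = vdom.strip()
    if not serial or not vdom:
        raise ValueError("serial number and VDOM name must both be non-empty")
    if "-" in serial:
        raise ValueError("serial number must not contain '-'; the key format is <SN>-<VDOM>")
    return f"{serial}-{vdom}"


def parse_adgrp(cli_output):
    """Parse 'show user adgrp' output into {group DN: FSSO connector name}.

    Assumed layout (generic FortiOS config style):
        edit "<group DN>"
            set server-name "<fsso connector name>"
        next
    """
    groups = {}
    current = None
    for raw in cli_output.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "(.+)"$', line)
        if m:
            current = m.group(1)
            groups[current] = ""
            continue
        m = re.match(r'^set server-name "(.+)"$', line)
        if m and current is not None:
            groups[current] = m.group(1)
        elif line == "next":
            current = None
    return groups


def check_filter(intended_groups, learned_groups):
    """Compare the intended filter with the learned groups.

    Returns (missing, unexpected, over_limit). DNs are compared
    case-insensitively because LDAP DNs are not case-sensitive.
    """
    intended = {g.lower(): g for g in intended_groups}
    learned = {g.lower(): g for g in learned_groups}
    missing = sorted(intended[k] for k in intended.keys() - learned.keys())
    unexpected = sorted(learned[k] for k in learned.keys() - intended.keys())
    return missing, unexpected, len(intended_groups) > MAX_FSSO_GROUPS


# Constructed sample: what the FortiGate reports after 'Apply&Refresh'.
SAMPLE_ADGRP = """\
config user adgrp
    edit "CN=Finance,OU=Groups,DC=example,DC=com"
        set server-name "FSSO-Collector"
    next
    edit "CN=VPN-Users,OU=Groups,DC=example,DC=com"
        set server-name "FSSO-Collector"
    next
end
"""

# Constructed sample: the groups selected in the Collector Agent filter.
INTENDED_FILTER = [
    "CN=Finance,OU=Groups,DC=example,DC=com",
    "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    "CN=Engineering,OU=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    print("filter key:", filter_key("FGVMEXAMPLE000001"))  # placeholder serial
    learned = parse_adgrp(SAMPLE_ADGRP)
    missing, unexpected, over_limit = check_filter(INTENDED_FILTER, learned)
    print("learned:", len(learned), "missing:", missing, "unexpected:", unexpected)
    if over_limit:
        print(f"warning: more than {MAX_FSSO_GROUPS} groups in the filter")
```

Run it with a real 'show user adgrp' capture in place of the constructed sample; a non-empty 'missing' list after 'Apply&Refresh' usually means the Serial Number/VDOM key on the Collector Agent does not match the FortiGate, or the User group source is still set to Local rather than Collector Agent.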