Description
This article describes how to correctly configure Group Filter on Collector Agent.
When configuring FSSO, administrators have the ability to specify which user groups will be monitored by FSSO.
The Group Filter can be defined either locally on FortiGate or directly on FSSO Collector Agent.
While in general the group filter should be defined locally on FortiGate, there are situations where the group filter needs to be defined on the FSSO Collector Agent.
The most common use cases for group filters defined on Collector Agent are:
- FortiGate does not have connectivity to the LDAP server.
- The Collector Agent will be serving many FortiGates, each with an identical group filter.
Scope
FortiGate.
Solution
- Open FSSO Collector Agent Configuration Utility.
- Select the 'Set Group Filter' button.
- Select the 'Add...' button to create a new group filter.
- Type the Serial Number and VDOM name of the FortiGate into the FortiGate Serial Number field. This value must be specified in format <SN>-<VDOM>.
Note: VDOM name 'root' has to be specified even when VDOM functionality is not enabled on the target FortiGate.
See the screenshot below for an example.
- Select the 'Advanced...' button to open the LDAP tree browser.
- Select the user groups to be monitored by FSSO and confirm the selection by selecting 'Add selected user groups'.
Note: It is necessary to select the Organizational Units icons in order to expand the LDAP tree.
- To reflect the change on FortiGate, navigate to Security Fabric -> External Connectors -> [the FSSO Collector], ensure the User group source is set to Collector Agent, and select the 'Apply&Refresh' button.
Screenshots for reference:
Group filtering is performed to optimize FSSO resource usage and to ensure that logon events are read correctly for users who belong to the groups included in the filter.
Validation
Apart from the GUI, the group filter can also be verified in the CLI with the command 'show user adgrp'.
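As an added example (not Fortinet's code and not part of this article), the following Python script parses the text of 'show user adgrp' and compares the groups the FortiGate learned from a given Collector Agent against the group filter intended for that FortiGate, reporting groups that are missing or unexpected. The sample CLI output, the FortiOS config layout it assumes, the group DNs and the collector name 'FSSO-CA' are all constructed assumptions.

```python
import re

# Constructed sample of 'show user adgrp' output in the assumed FortiOS
# config layout; the real output on a given FortiGate will differ.
SAMPLE_OUTPUT = """\
config user adgrp
    edit "CN=VPN-Users,OU=Groups,DC=example,DC=com"
        set server-name "FSSO-CA"
    next
    edit "CN=Finance,OU=Groups,DC=example,DC=com"
        set server-name "FSSO-CA"
    next
    edit "CN=Helpdesk,OU=Groups,DC=example,DC=com"
        set server-name "Other-CA"
    next
end
"""

# Group filter defined on the Collector Agent for this FortiGate (constructed).
EXPECTED_FILTER = {
    "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    "CN=Finance,OU=Groups,DC=example,DC=com",
    "CN=Sales,OU=Groups,DC=example,DC=com",
}

_EDIT_RE = re.compile(r'^\s*edit\s+"(?P<dn>[^"]+)"\s*$')
_SERVER_RE = re.compile(r'^\s*set server-name\s+"(?P<name>[^"]+)"\s*$')


def parse_adgrp(output: str) -> dict:
    """Return {group DN: server-name} parsed from 'show user adgrp' text."""
    groups, current = {}, None
    for line in output.splitlines():
        m = _EDIT_RE.match(line)
        if m:  # start of one 'edit "<DN>"' block
            current = m.group("dn")
            groups[current] = None
            continue
        m = _SERVER_RE.match(line)
        if m and current is not None:  # collector that supplied the group
            groups[current] = m.group("name")
        elif line.strip() == "next":  # end of the current block
            current = None
    return groups


def check_filter(output: str, expected: set, server: str) -> dict:
    """Compare groups learned from one collector against the intended filter."""
    learned = {dn for dn, srv in parse_adgrp(output).items() if srv == server}
    return {"missing": sorted(expected - learned),
            "unexpected": sorted(learned - expected)}
```

A non-empty "missing" list after 'Apply&Refresh' usually means the filter entry on the Collector Agent does not match the FortiGate's '<SN>-<VDOM>' value or the group was not added in the LDAP tree browser.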