Description
When configuring FSSO, administrators can specify which user groups FSSO will monitor.
The Group Filter can be defined either locally on the FortiGate or directly on the FSSO Collector Agent.
In general the group filter should be defined locally on the FortiGate, but there are situations where it needs to be defined on the FSSO Collector Agent.
The most common use cases for a group filter defined on the Collector Agent are:
- The FortiGate does not have connectivity to the LDAP server.
- The Collector Agent serves many FortiGates, each with an identical group filter.
This article describes how to correctly configure the Group Filter on the Collector Agent.
Solution
1) Open the FSSO Collector Agent Configuration Utility.
2) Select the 'Set Group Filter' button.
3) Select the 'Add...' button to create a new group filter.
4) Type the Serial Number and VDOM name of the FortiGate into the FortiGate Serial Number field. This value must be specified in the format <SN>-<VDOM>. The serial number is shown by 'get system status' on the FortiGate.
Note: The VDOM name 'root' has to be specified even when VDOM functionality is not enabled on the target FortiGate.
See the screenshot below for an example.
5) Select the 'Advanced...' button to open the LDAP tree browser.
6) Select the user groups to be monitored by FSSO and confirm the selection by selecting 'Add selected user groups'.
Note: It is necessary to select the Organizational Unit icons in order to expand the LDAP tree.
7) To reflect the change on the FortiGate, navigate to Security Fabric -> External Connectors -> [the FSSO Collector], ensure the User group source is set to Collector Agent, and select the 'Apply & Refresh' button.
Screenshots for reference:
Apart from the GUI, the group filter can also be verified in the CLI with the command '# show user adgrp'. Only the groups matching the filter entry for this FortiGate's <SN>-<VDOM> should be listed.
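The same check from the FortiGate CLI, as an added example that is not part of the original article. It shows the connector state that corresponds to step 7 (Collector Agent as group source, i.e. no LDAP server bound to the connector), how to read the serial number that goes into the Collector Agent's filter entry, how to force a group refresh, and how to verify what was learned. The connector name, Collector Agent address, password and group DN are placeholders.

```fortios
# Step 7 from the CLI: the FSSO connector points at the Collector Agent and has no
# LDAP server bound, which is what 'User group source: Collector Agent' means in
# the GUI (binding an LDAP server switches the group source to Local). Address and
# password are placeholders.
config user fsso
    edit "CollectorAgent"
        set server "192.0.2.10"
        set password <collector agent password>
        unset ldap-server
    next
end

# The first half of the <SN>-<VDOM> value entered on the Collector Agent. The VDOM
# part is 'root' unless the connector lives in another VDOM.
get system status | grep Serial-Number

# Pull the group list from the Collector Agent now instead of waiting for the next poll.
diagnose debug authd fsso refresh-groups

# Groups learned from the Collector Agent. Only groups that match the filter entry
# for this <SN>-<VDOM> should appear; an empty or unexpected list usually means the
# serial number / VDOM string on the Collector Agent does not match this unit.
show user adgrp

# Collector Agent connectivity and the logons it currently reports.
diagnose debug authd fsso server-status
diagnose debug authd fsso list

# A group listed by 'show user adgrp' is then referenced from an FSSO user group
# so it can be used in firewall policies (DN is a placeholder).
config user group
    edit "FSSO_Sales"
        set group-type fsso-service
        set member "CN=Sales,OU=Groups,DC=example,DC=com"
    next
end
```

If 'show user adgrp' stays empty after 'refresh-groups', check 'server-status' first: a connector that is not connected to the Collector Agent never receives a group list, regardless of how the filter is defined.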