Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
bpozdena_FTNT
Staff
Staff

Created on ‎05-27-2021 08:34 AM Edited on ‎11-25-2025 04:55 AM By Moderator

Article Id 197584

Technical Tip: FSSO Group Filter configured on Collector Agent

Description

 

This article describes how to correctly configure Group Filter on Collector Agent.

When configuring FSSO, administrators have the ability to specify which user groups will be monitored by FSSO.

The Group Filter can be defined either locally on FortiGate or directly on FSSO Collector Agent.
While in general the group filter should be defined locally on FortiGate, there are situations where the group filter needs to be defined on the FSSO Collector Agent.
The most common use cases for group filters defined on Collector Agent are:

 

  • FortiGate does not have connectivity to the LDAP server.
  • The Collector Agent will be serving many FortiGates, each with an identical group filter.

 

Scope

 

FortiGate.


Solution

 

  1. Open FSSO Collector Agent Configuration Utility.

  2. Select the 'Set Group Filter' button.

  3. Select the 'Add...' button to create a new group filter.

  4. Type the Serial Number and VDOM name of the FortiGate into the FortiGate Serial Number field. This value must be specified in format <SN>-<VDOM>.

 

Note: The VDOM name 'root' has to be specified even when VDOM functionality is not enabled on the target FortiGate.
As an example, a FortiGate that has VDOMs b must be entered as '<serial-number>-root', for example 'FGVM0000000001-root'.

 

A FortiGate that has VDOMs enabled must be entered as '<serial-number>-<vdom>', for example 'FGVM0000000001-dmz', with an entry for each VDOM that should use the Collector Agent.


See the screenshot below for an example.

  1. Select the 'Advanced...' button to open the LDAP tree browser.

  2. Select user groups to monitor by FSSO and confirm the selection by selecting 'Add selected user groups'.
    Note: It is necessary to select the Organizational Units icons in order to expand the LDAP tree.

  3. To reflect the change on FortiGate, navigate to Security Fabric -> External Connectors -> [the FSSO Collector], ensure the User group source is set to Collector Agent, and select the 'Apply&Refresh' button.

    Screenshots for reference:

 
 
 
Note:
There is a limitation of 1024 User/Groups in FSSO Agent on DC, from Windows itself: What is the maximum number of security groups a user can be a member.
 
Due to this, Group filtering is performed to optimize FSSO resources and ensure correct reading of users who have service on the groups that are placed in the filter.

Validation.
Apart from the GUI, the group filter can also be verified in the CLI with the command 'show user adgrp'.
 
20591
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.