FSSO groups can be used in a policy by either adding them to the policy directly, or by adding them to a local user group and then adding the group to a policy.
To add the FSSO groups directly to a firewall policy.
1) Go to Policy & Objects -> IPv4 Policy.
2) Select 'Create New'.
3) Select the Source field.
4) In the Select Entries pane, select the User tab.
5) Select the FSSO groups.
6) Configure the remaining settings as required.
7) Select 'OK'.
If an authenticated AD user cannot access the internet or pass the firewall policy, verify the local FSSO user list:
# diagnose debug authd fsso list
IP: 10.1.100.188 User: test2 Groups: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM Workstation:
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
1) Check that the group in MemberOf is allowed by the policy.
- The FortiGate missed the logon event, which can happen if many users log in at the same time.
- The user's workstation is unable to connect to the DC, and is currently logged in with cached credentials, so there is no entry in the DC security event log.
3) If there are no users in the local FSSO user list:
- Ensure that the local FSSO agent is working correctly:
# diagnose debug enable
- Verify the Active Directory connection status:
# diagnose debug authd fsso server-status
Server Name Connection Status Version Address
Local FSSO Agent connected FSAE server 1.1 127.0.0.1
=======> The connection status must be connected.
# diagnose debug fsso-polling detail 1
AD Server Status (connected):
read log eof=1, latest logon timestamp: Fri Jul 26 10:36:20 2019
polling frequency: every 10 second(s) success(274), fail(0)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
LDAP status: connected
Group Filter: CN=group2,OU=Testing,DC=Fortinet-
If the polling frequency shows successes and failures, that indicates sporadic network problems or a very busy DC.
If it indicates no successes or failures, then incorrect credentials could be the issue.
If the LDAP status is connected, then the FortiGate can access the configured LDAP server. This is required for AD group membership lookup of authenticated users, because the Windows security event log does not include group membership information.
The FortiGate sends an LDAP search for group membership of authenticated users to the configured LDAP server.
FortiGate adds authenticated users to the local FSSO user list only if the group membership is one of the groups in Group Filter.
4) If necessary, capture the output of the local FortiGate daemon that polls Windows Security Event logs:
# diagnose debug application fssod -1
# diagnose debug application fsso_ldap
# diagnose debug application authd -1
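As an added example (not from the original article or from Fortinet), a small Python parser for the two outputs discussed above: it lists logons whose groups match none of the groups a policy allows (step 1) and classifies the polling counters the way the troubleshooting steps describe. The sample output is constructed, and the '+' separator between multiple group DNs on one logon line is an assumption.

```python
import re

# Constructed sample in the format of 'diagnose debug authd fsso list'.
# ASSUMPTION: multiple group DNs on one line are joined with '+'.
FSSO_LIST = """\
IP: 10.1.100.188 User: test2 Groups: CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM Workstation:
IP: 10.1.100.57 User: jdoe Groups: CN=group9,OU=Testing,DC=Fortinet-FSSO,DC=COM+CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM Workstation: PC57
IP: 10.1.100.91 User: guest1 Groups: CN=visitors,OU=Testing,DC=Fortinet-FSSO,DC=COM Workstation: PC91
Total number of logons listed: 3, filtered: 0
----end of FSSO logons----
"""

# Constructed sample line from 'diagnose debug fsso-polling detail 1'.
POLLING_STATUS = "polling frequency: every 10 second(s) success(274), fail(0)"

LOGON_RE = re.compile(r"^IP:\s*(\S+)\s+User:\s*(\S+)\s+Groups:\s*(\S*)\s+Workstation:\s*(\S*)")
POLL_RE = re.compile(r"polling frequency: every (\d+) second\(s\) success\((\d+)\), fail\((\d+)\)")

def parse_fsso_list(text):
    """Return one dict per logon line; DNs are lower-cased so comparisons ignore case."""
    logons = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ip, user, groups, ws = m.groups()
            logons.append({"ip": ip, "user": user, "workstation": ws,
                           "groups": [g.lower() for g in groups.split("+") if g]})
    return logons

def users_blocked_by_policy(logons, policy_groups):
    """Users present in the FSSO list whose groups match none of the policy's groups."""
    allowed = {g.lower() for g in policy_groups}
    return sorted(l["user"] for l in logons if not allowed.intersection(l["groups"]))

def diagnose_polling(line):
    """Classify the success/fail counters as the troubleshooting steps describe."""
    m = POLL_RE.search(line)
    if not m:
        return "no polling counters found: check that the agent and DC are connected"
    _, ok, bad = (int(x) for x in m.groups())
    if ok == 0 and bad == 0:
        return "no successes or failures: suspect incorrect credentials"
    if bad > 0:
        return "successes and failures: sporadic network problems or a very busy DC"
    return "polling healthy"

if __name__ == "__main__":
    policy = ["CN=group2,OU=Testing,DC=Fortinet-FSSO,DC=COM"]
    print(users_blocked_by_policy(parse_fsso_list(FSSO_LIST), policy))
    print(diagnose_polling(POLLING_STATUS))
```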