Description | With FSSO it is straightforward to use AD groups in firewall policies; however, it is sometimes necessary to permit only specific users rather than a whole AD group. This article explains how to achieve this. |
Scope | FortiGate. |
Solution |
To use FSSO users in a policy, the following prerequisite applies: FSSO must be configured in Advanced mode. See the following article on the FSSO operation mode: Technical Tip: How to switch FSSO operation mode from Standard Mode to Advanced Mode
The configuration steps differ slightly between the two use cases below (user group source set to Collector Agent, or set to Local).
Both scenarios are covered below:
The User group source (Collector Agent or Local) is configured under Security Fabric -> External Connector -> FSSO Agent. The first scenario uses Collector Agent as the user group source.
In this case, the group filters must be configured on the collector agent. For example, if only the 'client1' user should be allowed, enter the DN of 'client1' as the filter on the collector agent, as shown below:
Note: On the Collector Agent, it is not possible to choose a specific user by selecting 'Advanced' in the screen above and browsing through the LDAP tree. The DN of the user must be entered manually as the filter for specific users. The Advanced button can be used to create a filter for AD groups.
Once the above filter is applied, the group and user information is displayed on the FortiGate under Security Fabric -> External Connector -> FSSO Agent -> View Connector Objects:
At this point, Client1 can be used as a user object in the policies:
Note: The firewall policy applies an AND operation between the source IP addresses and the FSSO group, so a session must match both the source address and the FSSO user/group to be accepted.
In the second scenario, the user group source is Local, that is, the AD server configured on the FortiGate:
In the above screen, select Edit, browse through the groups and users to be monitored for logins, and add them to the Selected tab. Below, 'client1' and 'Group10' are selected:
Once applied, this filter is sent to the collector agent automatically:
Afterward, both 'client1' and 'Group10' can be used in the policies:
In both cases, the forward traffic log shows that the 'client1' user is permitted once added to the policy:
date=2024-08-26 time=05:05:00 eventtime=1724673900833743387 tz="-0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.195.33.50 srcport=51868 srcintf="port1" srcintfrole="undefined" dstip=20.90.152.133 dstport=443 dstintf="port10" dstintfrole="undefined" srccountry="Reserved" dstcountry="United Kingdom" sessionid=10475 proto=6 action="accept" policyid=2 policytype="policy" poluuid="2ae12da2-e64b-51eb-9aeb-3e27cc6ed2b4" policyname="temp" user="CLIENT1" authserver="CollectorAgent" service="HTTPS" trandisp="snat" transip=192.168.0.1 transport=51868 duration=1200 sentbyte=3450 rcvdbyte=6079 sentpkt=19 rcvdpkt=15 appcat="unscanned" sentdelta=179 rcvddelta=209 |
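As an added example (not part of the original article and not Fortinet code), the following Python script parses the key=value forward traffic log format shown above and verifies that a given FSSO user was accepted by the expected policy. It is useful when validating the user-specific policy after configuration, or when reviewing exported logs. The first sample line is the article's own log entry; the second is a constructed variant (a different user, action="deny") used only to show the check rejecting it.

```python
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Sample input: the forward traffic log line quoted in the article.
SAMPLE_ACCEPT = (
    'date=2024-08-26 time=05:05:00 eventtime=1724673900833743387 tz="-0700" '
    'logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.195.33.50 srcport=51868 srcintf="port1" srcintfrole="undefined" '
    'dstip=20.90.152.133 dstport=443 dstintf="port10" dstintfrole="undefined" '
    'srccountry="Reserved" dstcountry="United Kingdom" sessionid=10475 proto=6 '
    'action="accept" policyid=2 policytype="policy" '
    'poluuid="2ae12da2-e64b-51eb-9aeb-3e27cc6ed2b4" policyname="temp" '
    'user="CLIENT1" authserver="CollectorAgent" service="HTTPS" trandisp="snat" '
    'transip=192.168.0.1 transport=51868 duration=1200 sentbyte=3450 rcvdbyte=6079 '
    'sentpkt=19 rcvdpkt=15 appcat="unscanned" sentdelta=179 rcvddelta=209'
)

# Constructed variant (not a real log): another user whose session was denied.
SAMPLE_DENY = (
    SAMPLE_ACCEPT.replace('action="accept"', 'action="deny"')
    .replace('user="CLIENT1"', 'user="CLIENT2"')
)

# FortiGate logs are key=value pairs; values are either bare tokens or
# double-quoted strings that may contain spaces (e.g. dstcountry="United Kingdom").
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a dict, stripping the quotes around values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def fsso_user_permitted(fields: Dict[str, str], expected_user: str,
                        policy_id: Optional[int] = None) -> bool:
    """True if the line records an accepted forward session attributed to expected_user.

    The user name is compared case-insensitively: the article's log shows
    'client1' written as user="CLIENT1". The session must carry an authserver
    field, i.e. the user was identified by FSSO rather than being unauthenticated.
    """
    if fields.get("type") != "traffic" or fields.get("subtype") != "forward":
        return False
    if fields.get("action") != "accept":
        return False
    if fields.get("user", "").lower() != expected_user.lower():
        return False
    if not fields.get("authserver"):
        return False
    if policy_id is not None and fields.get("policyid") != str(policy_id):
        return False
    return True


def permitted_users(lines: Iterable[str]) -> Set[Tuple[str, str]]:
    """Collect (user, policyid) pairs for every accepted FSSO-attributed session."""
    result: Set[Tuple[str, str]] = set()
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("action") == "accept" and f.get("user") and f.get("authserver"):
            result.add((f["user"], f.get("policyid", "")))
    return result


if __name__ == "__main__":
    parsed = parse_fortigate_log(SAMPLE_ACCEPT)
    print("client1 permitted by policy 2:", fsso_user_permitted(parsed, "client1", 2))
    print("accepted FSSO users:", permitted_users([SAMPLE_ACCEPT, SAMPLE_DENY]))
```

Feeding the script a whole exported log (one entry per line) through `permitted_users` gives a quick view of which FSSO users actually matched which policy IDs, which is the check to run after restricting a policy to a single user rather than the full AD group.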
Copyright 2025 Fortinet, Inc. All Rights Reserved.