FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 220292
Description: This article explains how to configure an identity-based firewall policy for specific LDAP users without prompting them for credentials again if they have already logged in to the LDAP server.

FortiOS version 6.4.8.

FSSO Agent 5.0.0304.


To implement this, an FSSO setup is necessary.

Once users log in to the domain from their devices, the FSSO Collector Agent picks up the logon information and relays it to the FortiGate.


Once the FortiGate has received the user information, it will not prompt for credentials again.

Usually this is done using the 'User Group' information from the LDAP server.


To configure this only for certain LDAP users, however, FSSO is configured slightly differently:


1) The LDAP server is integrated with the FortiGate.

2) In the FSSO settings, 'User Group Source' is set to 'Local'.


[Screenshot: FSSO Usernames]


It is necessary to adjust the LDAP filter until it returns exactly the users wanted.

Then assign those users directly to the firewall policies.
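As an added example (not part of the Fortinet article and not FortiOS code), the following Python builds the kind of LDAP filter that restricts the selection to a named list of users and checks it against a constructed directory before the string is entered into the FSSO LDAP filter setting. It assumes Active Directory-style attributes (sAMAccountName, objectClass) and escapes filter-special characters per RFC 4515 so a stray or crafted character cannot widen the match.

```python
import re
# RFC 4515: these characters must be hex-escaped inside a filter value, otherwise
# a mistyped or attacker-supplied name (e.g. a stray '*') widens the selection.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_value(value):
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(usernames):
    """Filter matching user objects whose sAMAccountName is in `usernames`."""
    if not usernames:
        raise ValueError("at least one username is required")
    clauses = ''.join(f'(sAMAccountName={escape_value(u)})' for u in usernames)
    inner = clauses if len(usernames) == 1 else f'(|{clauses})'
    return f'(&(objectClass=user){inner})'

def _parse(f, i=0):
    """Recursive-descent parser for the subset used here: (&..), (|..), (attr=value)."""
    if f[i] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in '&|':
        op, i, parts = f[i], i + 1, []
        while f[i] == '(':
            node, i = _parse(f, i)
            parts.append(node)
        return (op, parts), i + 1          # skip the closing ')'
    end = f.index(')', i)                  # escaped values never contain ')'
    attr, val = f[i:end].split('=', 1)
    val = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), val)
    return ('=', attr, val), end + 1

def _eval(node, entry):
    if node[0] in '&|':
        return (all if node[0] == '&' else any)(_eval(n, entry) for n in node[1])
    _, attr, val = node                    # AD compares these values case-insensitively
    return any(v.lower() == val.lower() for v in entry.get(attr, []))

def select_users(ldap_filter, entries):
    """Return the sAMAccountNames of the entries the filter selects."""
    tree, _ = _parse(ldap_filter)
    return sorted(e['sAMAccountName'][0] for e in entries if _eval(tree, e))

DIRECTORY = [  # constructed stand-in for the directory; not real accounts
    {'objectClass': ['top', 'person', 'user'], 'sAMAccountName': ['alice']},
    {'objectClass': ['top', 'person', 'user'], 'sAMAccountName': ['bob']},
    {'objectClass': ['top', 'person', 'user'], 'sAMAccountName': ['carol']},
    {'objectClass': ['top', 'computer'], 'sAMAccountName': ['WS01$']},
]
```

Running `select_users(build_user_filter(['alice', 'bob']), DIRECTORY)` should return only those two accounts; the computer object and any unlisted user stay out of the FSSO policy scope.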