Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
darisandy
Staff
Staff

Created on ‎08-08-2022 10:51 PM

Article Id 220292

Technical Tip : How to allow traffic from specific LDAP user without asking for login credential

Description This article explain how to configure identity based firewall policy for specific LDAP users, but without prompting the users for credential if they already login into LDAP server
Scope

FortiOS version 6.4.8.

FSSO Agent 5.0.0304.
Solution

To implement this, a FSSO setup will be necessary.

Once users logged into the domain using the units, FSSO Collector Agent will grab the information and relay it to FortiGate.

 

Once FortiGate receives the user information, it will not prompt for credential again.

Usually it is done by 'User Group' information on LDAP server.

 

But to configure this, only for a certain LDAP users, there is a slight difference on how FSSO is configures.

 

1) LDAP server integrated with FortiGate.

2) FSSO Setting, 'User Group Source', set to 'Local'.

 

FSSO Usernames.png

 

It is necessary to play around with LDAP filter to get the users wanted.

Then assign the users directly into firewall policies.

 

3595
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.