FortiGate
darisandy
Staff
Article Id 220292
Description

This article explains how to configure an identity-based firewall policy for specific LDAP users without prompting those users for credentials when they are already logged in to the LDAP server.
Scope

FortiOS and FSSO Agent.

Solution

Method 1:
To implement this, an FSSO setup is necessary.

Once the users have logged in to the domain from their machines, the FSSO Collector Agent captures the logon information and relays it to the FortiGate.

 

Once the FortiGate has received the user information, it will not prompt the user for credentials again.

Usually, policy matching is done using the 'User Group' information from the LDAP server.

 

To apply this only to certain LDAP users, however, the FSSO configuration differs slightly:

 

  1. LDAP server integrated with FortiGate.
  2. FSSO Setting, 'User Group Source', set to 'Local'.

 

FSSO Usernames.png

 

Adjust the LDAP filter until it returns only the intended users.

Then assign the users directly to firewall policies.
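The CLI equivalent of the steps above, added here as an example and not taken from the article: the LDAP server is integrated, the FSSO agent uses it as the 'Local' user group source (rendered as 'set ldap-server'), selected user DNs are placed in an FSSO-type group, and that group is referenced from the policy. All names, addresses and DNs are placeholders; the mapping of the GUI option 'User Group Source: Local' to 'set ldap-server' is an assumption.

```text
# Step 1: LDAP server integrated with the FortiGate (placeholder values)
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=ldapbind,cn=Users,dc=example,dc=com"
        set password <bind-password>
    next
end

# Step 2: FSSO agent with the LDAP server as user group source
# (assumed to correspond to 'User Group Source: Local' in the GUI)
config user fsso
    edit "FSSO-CA"
        set server "10.0.0.20"
        set password <collector-agent-password>
        set ldap-server "AD-LDAP"
    next
end

# Selected LDAP users (not a whole AD group) in an FSSO-type group
config user group
    edit "FSSO-Selected-Users"
        set group-type fsso-service
        set member "CN=alice,CN=Users,DC=example,DC=com" "CN=bob,CN=Users,DC=example,DC=com"
    next
end

# Identity-based policy: only the selected users match, and because
# their logon was learned via FSSO they are not prompted for credentials
config firewall policy
    edit 10
        set name "Selected-LDAP-Users-Outbound"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO-Selected-Users"
        set nat enable
    next
end
```

Users who are logged in to the domain but are not members of 'FSSO-Selected-Users' do not match policy 10 and fall through to the remaining policies.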

Method 2:
This can also be achieved by using the Poll Active Directory server connector. Refer to the document 'Poll Active Directory server | FortiGate / FortiOS 7.6.2 | Fortinet Document Library' for more information.

After the connector is connected, select 'Edit' under 'Users/Groups' and filter the users to be used on the FortiGate:

Screenshot 2025-02-10 163316.png

Screenshot 2025-02-10 163408.png