FortiGate
dbu, Staff
Article Id 364766
Description: This article describes an example of configuring multiple wildcard FortiGate administrators that match different remote LDAP groups, and how to troubleshoot the matching, with some considerations to keep in mind.
Scope: FortiGate v7.4.5 and later.
Solution

When FortiOS receives a system login request, it first looks for a system admin account whose name exactly matches the requested name. If it cannot find an exact match, FortiOS will look for a wildcard system admin account.


In this scenario, there are three different admin groups on a remote LDAP server, and those users need to access the FortiGate as Administrators.

[Image: wildcard1.png]

FortiGate configuration:

  • Create User groups.

[Image: wildcard5.png]

[Image: wildcard4.png]

  • Create a remote + wildcard Administrator for each remote group.

[Image: wildcard2.png]

[Image: wildcard3.png]
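The configuration behind the screenshots, written out as FortiOS CLI for one of the three groups (an added example, not taken from the article; the LDAP server address, bind account, trusted host, access profile and the "admin group 3" / ADMINISTRATOR_3 object names are assumptions based on the debug output below, and the other two groups follow the same pattern):

```text
# Remote LDAP server used by fnbamd (address and bind account are placeholders)
config user ldap
    edit "LDAP"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "DC=testlab,DC=com"
        set type regular
        set username "CN=ldap-bind,CN=Users,DC=testlab,DC=com"
        set password <bind-password>
    next
end

# Local user group whose membership is decided by the remote LDAP group DN
config user group
    edit "admin group 3"
        set member "LDAP"
        config match
            edit 1
                set server-name "LDAP"
                set group-name "CN=admingroup3,CN=Users,DC=testlab,DC=com"
            next
        end
    next
end

# Remote + wildcard administrator: a login name that matches no local admin
# exactly and belongs to "admin group 3" is authenticated as ADMINISTRATOR_3.
# Wildcard admins are evaluated top-down in alphabetical name order, so keep
# the names sortable (ADMINISTRATOR_1, _2, _3) and put each user in one group.
config system admin
    edit "ADMINISTRATOR_3"
        set remote-auth enable
        set remote-group "admin group 3"
        set wildcard enable
        set accprofile "prof_admin"
        set vdom "root"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end
```

Restricting the wildcard admin to a trusted host range and a non-super profile limits the blast radius if an LDAP group is over-populated.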


Troubleshooting and Debugging:

  • From the CLI, enable the following debugs:

diagnose debug application fnbamd -1
diagnose debug application httpsd -1
diagnose debug enable

  • Debug sample: user 'admin3' is a member of remote group 'admingroup3', which matches the remote + wildcard admin 'ADMINISTRATOR_3'.

Authentication request received:

FGT (root) # [httpsd 2546 - 1734257679 info] fweb_debug_init[531] -- New POST request for "/logincheck" from "10.11.31.254:54607"
[httpsd 2546 - 1734257679 info] fweb_debug_init[533] -- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
[httpsd 2546 - 1734257679 info] fweb_debug_init[535] -- Handler "logincheck-handler" assigned to request
[httpsd 2546 - 1734257679 info] logincheck_handler[427] -- entering vdom for login_attempt (vdom='root')
[1757] handle_req-Rcvd auth req 10935167152129 for admin3 in opt=00014001 prot=9 svc=6
[333] __compose_group_list_from_req-Group 'admin group 3', type 1
[508] create_auth_session-Session created for req id 10935167152129
[590] fnbamd_cfg_get_tac_plus_list-
[425] __fnbamd_cfg_get_tac_plus_list_by_admin-
[606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
[840] fnbamd_cfg_get_ldap_list-
[613] __fnbamd_cfg_get_ldap_list_by_admin-
[348] fnbamd_ldap_get-vfid=0, name='LDAP'
[551] __ldap_auth_ctx_insert-Loaded LDAP server 'LDAP'
[601] __add_admin_ldap_svr-Loaded LDAP server 'LDAP' for admin user 'ADMINISTRATOR_3'
[348] fnbamd_ldap_get-vfid=0, name='LDAP'

Authentication passed, matching the correct group:

[982] __ldap_next_state-Auth accepted
[1146] __ldap_auth_ctx_reset-
[996] __ldap_next_state-State: Recursive Group Member Query -> Done
[1982] ldap_copy_grp_list-copied CN=admingroup3,CN=Users,DC=testlab,DC=com
[1982] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=testlab,DC=com
[1982] ldap_copy_grp_list-copied CN=Users,CN=Builtin,DC=testlab,DC=com
[627] fnbam_user_auth_group_match-req id: 10939462148097, server: LDAP, local auth: 0, dn match: 1
[206] find_matched_usr_grps-Passed group matching
[2553] fnbamd_ldap_result-Result for ldap svr LDAP is SUCCESS

Result:

[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 10939462148097, len=2720
[httpsd 2547 - 1734257687 info] logincheck_handler[530] -- login attempt OK, VDOM updated to 'root'
[httpsd 2547 - 1734257687 info] logincheck_handler[536] -- login_attempt (method=6, vdom='root', name='admin3',admin_name='ADMINISTRATOR_3', auth_svr='LDAP')

  • Example of a successful login by user 'admin1', whose remote group 'admingroup1' matches the remote + wildcard admin 'ADMINISTRATOR_1':

[982] __ldap_next_state-Auth accepted
[1146] __ldap_auth_ctx_reset-
[996] __ldap_next_state-State: Recursive Group Member Query -> Done
[1982] ldap_copy_grp_list-copied CN=admingroup1,CN=Users,DC=testlab,DC=com
[1982] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=testlab,DC=com
[1982] ldap_copy_grp_list-copied CN=Users,CN=Builtin,DC=testlab,DC=com
[627] fnbam_user_auth_group_match-req id: 11012479393793, server: LDAP, local auth: 0, dn match: 1
[206] find_matched_usr_grps-Passed group matching
[2553] fnbamd_ldap_result-Result for ldap svr LDAP is SUCCESS
[627] fnbam_user_auth_group_match-req id: 11012479393793, server: LDAP, local auth: 0, dn match: 1
[2561] fnbamd_ldap_result-Passed group matching
[909] update_auth_token_session-config does not require 2fa

[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 11012479393793, len=2720
[httpsd 2564 - 1734258371 info] logincheck_handler[530] -- login attempt OK, VDOM updated to 'root'
[httpsd 2564 - 1734258371 info] logincheck_handler[536] -- login_attempt (method=6, vdom='root', name='admin1',admin_name='ADMINISTRATOR_1', auth_svr='LDAP')

Tips and Considerations:

In some cases a user may not be matched to the intended Administrator account on the FortiGate.

  • Administrator accounts are evaluated top-down.
  • The alphabetical order of Administrator names therefore affects which one is matched first.
  • Check the user's group membership: if the user belongs to the remote groups of more than one 'remote + wildcard' admin, the first matching admin in the list always wins. In that case, remove the user from one of the remote groups or create an individual (non-wildcard) admin account for that user.
  • If possible, avoid creating multiple wildcard system admins; create a single wildcard admin account as a 'catch-all' that applies when the login name does not match any individual account.
  • Control access by adding or removing users from the remote group on the LDAP server, and create only one admin account with the wildcard option enabled.


Note:

If login issues persist, raise a support ticket and provide the following:

  • FortiGate configuration.
  • Enable the debugs mentioned above.
  • Reproduce the issue.
  • The output of the command: diagnose debug crash log read
  • Upload all of the above to the ticket.