Description |
This article describes why FSSO users do not match a firewall policy even though the FSSO connector is UP. In the case shown, 50+ users/groups have been populated from FSSO and are used in the firewall policy.
Below is the firewall policy's source user from FSSO:
However, the user does not match this policy. |
Scope | FortiGate, SSO. |
Solution |
Verify the AD access mode on the FSSO CA (Collector Agent). There are two options, Standard and Advanced:
If the mode is Standard, the group name uses the Windows convention: Domain\Group. If the mode is Advanced, the group name uses the LDAP convention: CN=User,OU=Name,DC=Domain
The firewall policy above uses the LDAP convention, so the mode on the FSSO CA needs to be Advanced. If the mode on the Collector Agent and the group filter on the FortiGate use different conventions, the firewall policy will not match.
This issue usually appears after a user changes the AD access mode on the Collector Agent. |
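As an added example (not Fortinet code), the following Python script classifies each FSSO group name used in a policy as Standard (Domain\Group) or Advanced (LDAP DN) and reports the ones that do not match the Collector Agent's configured access mode; the group names are constructed samples.

```python
import re

# Constructed sample of FSSO group names as they would appear in a firewall
# policy's source user/group list (not taken from a real device).
SAMPLE_GROUPS = [
    "CN=Sales,OU=Groups,DC=example,DC=com",
    "CN=Engineering, OU=Groups, DC=example, DC=com",
    r"EXAMPLE\Finance",
]

# LDAP convention: two or more "attr=value" RDNs separated by commas.
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(?:,[A-Za-z]+=[^,]+)+$")
# Windows convention: a single backslash separating domain and group.
WIN_RE = re.compile(r"^[^\\/:*?\"<>|]+\\[^\\/:*?\"<>|]+$")


def detect_convention(name):
    """Return 'Advanced' for an LDAP DN, 'Standard' for Domain\\Group,
    or 'Unknown' if the name fits neither naming convention."""
    normalized = re.sub(r",\s+", ",", name.strip())
    if DN_RE.match(normalized):
        return "Advanced"
    if WIN_RE.match(normalized):
        return "Standard"
    return "Unknown"


def find_mismatches(group_names, collector_mode):
    """List (name, detected_convention) for every group whose naming
    convention differs from the Collector Agent's AD access mode
    ('Standard' or 'Advanced'). A non-empty result explains why the
    policy will not match even though the connector is UP."""
    if collector_mode not in ("Standard", "Advanced"):
        raise ValueError("collector_mode must be 'Standard' or 'Advanced'")
    return [(n, detect_convention(n)) for n in group_names
            if detect_convention(n) != collector_mode]


if __name__ == "__main__":
    for mode in ("Advanced", "Standard"):
        bad = find_mismatches(SAMPLE_GROUPS, mode)
        print(f"Collector Agent mode {mode}: {len(bad)} mismatching group(s)")
        for name, conv in bad:
            print(f"  {name!r} is in {conv} format")
```

Run it with the group names exported from the policy and the mode configured on the Collector Agent; any listed entry has to be re-added in the other convention or the Collector Agent mode has to be switched.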
Copyright 2025 Fortinet, Inc. All Rights Reserved.