FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 306360

This article describes why an FSSO user does not match a firewall policy even though the connector is up. In the screenshot below, 50+ users/groups have been populated and are used in the firewall policy.


FSSO CA Connector Status (screenshot)


Below is the firewall policy source user from FSSO:


Firewall Policy with Advanced mode (screenshot)


However, the user does not match this policy.

Scope: FortiGate, SSO.

Verify the AD access mode on the FSSO CA. There are two options, Standard and Advanced:


AD access mode (screenshot)


If the mode is Standard, group names use the Windows convention: Domain\Group.

If the mode is Advanced, group names use the LDAP convention: CN=User,OU=Name,DC=Domain.


The firewall policy above uses the LDAP convention, so the mode on the FSSO CA must be Advanced. If the AD access mode on the Collector Agent and the group filter on the FortiGate do not match, the firewall policy will not match the user.
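As an added check that is not part of this article, the script below (Python, with assumed function names) classifies each source-user entry of a policy as Windows convention (Domain\Group) or LDAP convention (CN=...,OU=...,DC=...) and flags the entries that cannot match under the Collector Agent's configured AD access mode. The sample group names are constructed.

```python
import re
from typing import List, Optional

# LDAP convention used by Advanced mode: two or more attr=value RDNs joined by
# commas. A value may contain backslash-escaped characters (e.g. "\," in a CN).
_LDAP_DN = re.compile(
    r"^(?:[A-Za-z]+=(?:\\.|[^,\\])+)(?:,[A-Za-z]+=(?:\\.|[^,\\])+)+$"
)
# Windows convention used by Standard mode: DOMAIN\Group, no '=' in the domain part.
_WINDOWS = re.compile(r"^[^\\/=,]+\\[^\\/]+$")


def group_format(name: str) -> Optional[str]:
    """Return the FSSO AD access mode ("Standard" or "Advanced") whose naming
    convention the group entry follows, or None if it follows neither."""
    if _LDAP_DN.match(name):
        return "Advanced"
    if _WINDOWS.match(name):
        return "Standard"
    return None


def mismatched_groups(policy_groups: List[str], collector_mode: str) -> List[str]:
    """Return the policy entries whose format cannot be matched by a Collector
    Agent running in `collector_mode`; an empty list means the policy is consistent."""
    return [g for g in policy_groups if group_format(g) != collector_mode]


if __name__ == "__main__":
    # Constructed sample: a policy written in LDAP convention plus one stray
    # Windows-style entry, checked against a collector left in Standard mode.
    policy = [
        "CN=VPN Users,OU=Groups,DC=corp,DC=example,DC=com",
        "CN=Smith\\, John,OU=Users,DC=corp,DC=example,DC=com",
        "CORP\\Domain Admins",
    ]
    for mode in ("Standard", "Advanced"):
        bad = mismatched_groups(policy, mode)
        print(f"Collector mode {mode}: {len(bad)} entries will never match -> {bad}")
```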


This issue usually occurs after an administrator changes the AD access mode on the Collector Agent.

After changing the AD access mode, select 'Apply' on the FSSO Collector Agent for the change to take effect.