FortiGate
MichaelTorres
Article Id 379325
Description

This article describes a behavior in FortiOS 7.6 where FSSO groups are deselected from a firewall policy when the policy is edited and saved through the GUI.

Scope

FortiGate v7.6.1, v7.6.2 and v7.6.3 using FSSO groups in firewall policies.
Solution

With FSSO integration, FSSO groups can be configured directly in a firewall policy without creating any local user group on the FortiGate (see: Directly use FSSO address group in firewall policies | FortiManager 6.2). For example:

config firewall policy
    edit 8
        set name "internet"
        set srcintf "port8"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set nat enable
        set groups "CN=Administrator, CN=Users, DC=Fssotest,DC=com"
    next
end

In v7.6.1, v7.6.2 and v7.6.3, when this policy is opened in the GUI, the group restriction appears deselected:

[Screenshot: group unselected.png]


If the policy is then modified in the GUI, for example by changing a UTM profile, and saved, it is written back without the group restriction.

Without the group restriction the policy no longer requires a matching FSSO user. In the example above, srcaddr is "all", so any host behind port8 matches policy 8 and is allowed out with NAT, not only members of the Administrator group. After any GUI edit on these versions, verify from the CLI that the groups setting of the policy is still present.

Note:

Using the CLI, group restrictions are not deselected.


Workaround:

  1. Create a local user group in FortiGate with the FSSO group as its member:

FSSO_Group --> "CN=Administrator, CN=Users, DC=Fssotest,DC=com"

  2. Configure this local group in the firewall policy instead of the FSSO group:


config firewall policy
    edit 8
        set name "internet"
        set srcintf "port8"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set nat enable
        set groups "FSSO_Group"
    next
end


With this configuration, the local group object stays selected when the firewall policy is modified through the GUI, so the restriction survives a GUI save.


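To check a configuration backup or the output of a policy dump for policies that still reference FSSO groups directly, and to produce the workaround CLI for each of them, the following Python script is an added example; it is not Fortinet code and not part of this article. It assumes the FortiOS CLI syntax for a local FSSO user group (config user group, set group-type fsso-service, set member), works on a constructed sample configuration modelled on policy 8 above, and the local group name FSSO_Group_<id> and the audit() classification are this example's own conventions.

```python
"""Added example (not Fortinet code): audit FortiOS 'config firewall policy'
text for FSSO groups referenced directly and emit the workaround CLI."""
import re

# Constructed sample (not from a real device): the article's policy 8, a policy
# that already uses a local user group, and one with no identity restriction.
SAMPLE_CONFIG = """\
config firewall policy
    edit 8
        set name "internet"
        set srcintf "port8"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "CN=Administrator, CN=Users, DC=Fssotest,DC=com"
    next
    edit 9
        set name "finance"
        set action accept
        set srcaddr "all"
        set groups "FSSO_Finance"
    next
    edit 10
        set name "guest"
        set action accept
        set srcaddr "guest-net"
    next
end
"""

# A 'set' argument is a quoted string (FSSO DNs contain spaces and commas)
# or a bare token; FSSO groups learned from the collector agent are LDAP DNs.
_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
_FSSO_DN = re.compile(r'^(cn|ou|dc)=', re.IGNORECASE)


def parse_values(rest):
    """Split the argument list of a 'set' line into a list of values."""
    return [q if q else bare for q, bare in _VALUE.findall(rest)]


def parse_policies(text):
    """Return {policy_id: {setting: [values]}} for each 'edit N' ... 'next' block."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r'edit (\d+)', line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif line == 'next':
            current = None
        elif current is not None and line.startswith('set '):
            key, _, rest = line[4:].partition(' ')
            policies[current][key] = parse_values(rest)
    return policies


def audit(text):
    """Classify accept policies by how (or whether) they restrict users."""
    result = {'direct_fsso': {}, 'local_group': {}, 'unrestricted': []}
    for pid, cfg in parse_policies(text).items():
        if cfg.get('action') != ['accept']:
            continue
        groups = cfg.get('groups', [])
        direct = [g for g in groups if _FSSO_DN.match(g)]
        if direct:                    # exposed to the GUI deselection issue
            result['direct_fsso'][pid] = direct
        elif groups:                  # local group in place (workaround)
            result['local_group'][pid] = groups
        elif not cfg.get('users'):    # no user/group restriction at all: review
            result['unrestricted'].append(pid)
    return result


def workaround_cli(pid, fsso_groups, local_name=None):
    """FortiOS CLI that wraps the FSSO group(s) in a local fsso-service user
    group and points the policy at it; the default name is an assumed convention."""
    local_name = local_name or f'FSSO_Group_{pid}'
    members = ' '.join(f'"{g}"' for g in fsso_groups)
    return (f'config user group\n    edit "{local_name}"\n'
            f'        set group-type fsso-service\n        set member {members}\n'
            '    next\nend\n'
            f'config firewall policy\n    edit {pid}\n'
            f'        set groups "{local_name}"\n    next\nend')


if __name__ == '__main__':
    report = audit(SAMPLE_CONFIG)
    for pid, groups in report['direct_fsso'].items():
        print(f'policy {pid}: FSSO group set directly -> {groups}')
        print(workaround_cli(pid, groups))
    for pid in report['unrestricted']:
        print(f'policy {pid}: accept policy with no user/group restriction')
```

Run it against the text of a policy dump taken before and after a GUI edit: a policy that moves from 'direct_fsso' to 'unrestricted' between the two dumps is one whose group restriction was dropped by the save and needs to be restored from the CLI.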
This is a known issue in version 7.6.1, 7.6.2 and 7.6.3 and is fixed in v7.6.4.


Related article:
Technical Tip: FSSO users is not matching the policy and traffic is getting blocked when 'Collector ...