FortiManager
jkoay (Staff)
Article Id 197643

Description

This article describes how to configure LDAP system administrators in FortiManager for FortiGate.

Scope

FortiManager, FortiGate.

Solution

  1. Enter the specific ADOM created for the FortiGate device. Go to Policy & Objects -> Object Configurations -> User & Device -> LDAP Servers. Make sure that the LDAP server is correctly configured:

  2. Go to User & Device -> User Groups to create a new user group. Give it a name with 'Firewall' as the type, and add the Remote Authentication Servers pointing to the LDAP server that was added in step 1:

     Select Create New to add the new Remote Authentication Server. 'Right-click' on the group to add it to the selection and select OK:

  3. Go to Device Manager -> Managed Devices. 'Right-click' on the managed device and select Refresh Device:

  4. Select Install Wizard to push the new user group and LDAP server to the FortiGate. Select Install Policy Package & Device Settings, then select the Policy Package:

  5. Select Policy Package Diff to check whether the new user group and LDAP server configuration are being pushed to the device:

     Select Install to continue:

  6. Once the device is refreshed, select the device in the bottom-left panel and select Display Options. Select Administrators and confirm the selection with OK:

  7. Hover the cursor over System: Dashboard and select Administrators:

  8. Select Create New to add a new administrator. Provide an administrator name, choose the 'Match all users on remote server group' type, select an Admin profile, and select the Remote User Group that was created earlier:

  9. Select Install Wizard to install the latest configuration on the FortiGate:

Below is an example of the expected results:
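Expressed as FortiGate CLI, the objects that the Install Wizard pushes in the steps above (LDAP server, firewall user group with a remote group match, and a wildcard administrator bound to that group) look like the following. This is an added example, not a screenshot or configuration from this article; the server address, base DN, bind account, group DN and object names are assumed values.

```fortios
# Added example (assumed values, not from the article).
# LDAP server object: the target of the "Remote Authentication Server" in the user group.
# Plain LDAP uses TCP 389; for LDAPS add "set secure ldaps", "set port 636"
# and "set ca-cert <imported CA>" so the server certificate is verified.
config user ldap
    edit "LAB-LDAP"
        set server "10.0.0.5"
        set port 389
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,cn=Users,dc=example,dc=com"
        set password "<bind-password>"
    next
end

# Firewall-type user group pointing at the LDAP server, restricted to one directory group.
# Without the "config match" block, any account that binds successfully would be a member.
config user group
    edit "LDAP-Admins"
        set member "LAB-LDAP"
        config match
            edit 1
                set server-name "LAB-LDAP"
                set group-name "cn=FortiGateAdmins,cn=Users,dc=example,dc=com"
            next
        end
    next
end

# Administrator of type "Match all users on remote server group":
# remote-auth + wildcard + remote-group. Bind it to a least-privilege
# access profile (prof_admin here) rather than super_admin unless required.
config system admin
    edit "ldap-admins"
        set remote-auth enable
        set accprofile "prof_admin"
        set wildcard enable
        set remote-group "LDAP-Admins"
    next
end
```

After step 9, `show user ldap`, `show user group` and `show system admin` on the FortiGate CLI should display equivalent entries, which is a quick way to confirm the install reached the device.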

Troubleshooting

The following diagnostic commands can be used for live debugging while reproducing the login issue:

diag debug application fnbam 255    (up to version 6.4.2)
diag debug application auth 255     (from version 6.4.3)


Note:

Communication between the FortiManager and the LDAP server must be allowed.
When creating the User Group and selecting the 'Remote Authentication Server', FortiManager sends a TCP SYN to the LDAP server on port 389 or 636.
If this traffic is blocked and the TCP three-way handshake cannot be completed, FortiManager has no way to talk to the LDAP server and the User Group cannot be configured properly.