FortiManager
jkoay
Staff
Article Id 197643

Description


This article describes how to configure LDAP system administrators in FortiManager for FortiGate.

Solution


1) Open the ADOM that contains the FortiGate device and go to Policy & Objects -> Object Configurations -> User & Device -> LDAP Servers. Make sure that the LDAP server is correctly configured (server address, base DN, bind account and connection type):

 
 

2) Go to User & Device -> User Groups and create a new user group. Give it a name, set the type to 'Firewall', and under Remote Authentication Servers add the LDAP server configured in step 1:

 
Select Create New to add the Remote Authentication Server entry. Right-click the LDAP group whose members should be allowed to log in, add it to the selection and select OK. Keep this group as small as possible, since its membership decides who can become an administrator:
 

 
3) Go to Device Manager -> Managed Devices, right-click the managed device and select Refresh Device:
 
 
4) Select Install Wizard to push the new user group and LDAP server to the FortiGate. Select Install Policy Package & Device Settings, then select the Policy Package:
 
 
5) Select Policy Package Diff to confirm that the new user group and LDAP server configuration will be pushed to the device:
 
 
 
Select Install to continue:
 
 
6) Once the installation has finished and the device has been refreshed, select the device in the bottom-left panel and select Display Options. Select Administrators and confirm with OK:
 
 
7) Hover the cursor over System: Dashboard and select Administrators:
 
 
8) Select Create New to add a new administrator. Provide an administrator name, choose the 'Match all users on remote server group' type, select an Admin profile and select the Remote User Group created earlier. With this type, every account that belongs to the selected remote group can log in as an administrator with that profile, so assign the least-privileged profile that covers the required tasks and restrict the trusted hosts where possible:
 
 
9) Select Install Wizard again to install the updated configuration on the FortiGate:
 
 
Below is an example of the expected results:
 

 

 
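The FortiGate-side objects that steps 1, 2 and 8 create, written out as FortiOS CLI so the result of the install can be checked on the device. This is an added illustration, not configuration taken from the article; the object names, IP addresses, DNs, group name, admin profile and trusted-host range are placeholders and must be replaced with the values used in the ADOM.

```text
# Added example: FortiOS CLI equivalent of the objects pushed by the steps above.
# All names, addresses, DNs and the bind password below are placeholders, not
# values from the article.

# Step 1: the LDAP server object (Policy & Objects -> User & Device -> LDAP Servers)
config user ldap
    edit "LDAP-Server"
        set server "10.0.0.5"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc-fgt-ldap,ou=Service Accounts,dc=example,dc=local"
        set password <bind-password>
        # Use LDAPS so the bind credentials and admin passwords are not sent in clear text
        set secure ldaps
        set port 636
    next
end

# Step 2: a Firewall user group that maps to one LDAP group through the remote server
config user group
    edit "LDAP-Admins"
        set member "LDAP-Server"
        config match
            edit 1
                set server-name "LDAP-Server"
                set group-name "CN=FortiGate-Admins,OU=Groups,DC=example,DC=local"
            next
        end
    next
end

# Step 8: the wildcard administrator ("Match all users on remote server group").
# Every member of LDAP-Admins logs in with the profile below, so use a restricted
# profile and trusted hosts rather than super_admin reachable from anywhere.
config system admin
    edit "ldap-admins"
        set remote-auth enable
        set wildcard enable
        set remote-group "LDAP-Admins"
        set accprofile "prof_admin"
        set trusthost1 10.0.10.0 255.255.255.0
    next
end

# Verify after the install (FortiGate CLI): binds as the given user and prints
# whether authentication succeeded and which group memberships were returned.
# diagnose test authserver ldap LDAP-Server jdoe <password>
```

The `diagnose test authserver ldap` check is worth running before touching the administrator object: if it succeeds but lists no group that matches the `config match` entry, the user will be rejected at logon even though the LDAP bind itself works.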

Troubleshooting

 

The following diagnostic commands can be used for live debugging while reproducing the logon issue. Debug output is only printed once debugging has been enabled with diagnose debug enable; disable it again when finished, as the output is verbose:

 

# diag debug application fnbam 255   <- up to version 6.4.2

# diag debug application auth 255    <- from version 6.4.3