Fortinet Forum
Zerotrust
New Contributor

External Connector FSSO Agent on Windows AD

Hello everyone, 

 

I have two different FortiGates I recently installed on my work network. 

FortiGate 200E

FortiGate 81E

They are both on FortiOS 6.4.8

 

I am having an issue with one of them (the 81E) not fully populating the users/groups. Are there limitations on the number of groups the FortiGate 81E can select simultaneously? And if there are, what is the best way to specify a group? See the screenshots attached.

 

They are both connected to the same FSSO agent on a windows device. 

 

Thanks in advance for your help. 

 

[Attached screenshots: FGT-200E FSSO.PNG, FGT-81E FSSO.PNG]

 

1 Solution
bpozdena_FTNT

1024 is the maximum number of FSSO user groups supported by the FortiGate 81E.

 

[Attached screenshot: bpozdena_FTNT_0-1654068276678.png, excerpt from the maximum values table]

 

Source: https://docs.fortinet.com/max-value-table 

 

You will need to apply a group filter and only synchronize the groups you actually need for your firewall policy configuration.


4 Replies
Muhammad_Haiqal

I can see the difference in the interval (minutes). The 1st picture shows 180 minutes and the 2nd picture shows 1 minute. A longer interval allows the FortiGate to retrieve the proper information. 1 minute might be too fast to complete the task, and you may see this kind of behavior. Try increasing the interval to 15-30 minutes. Hope that helps.

haiqal
xsilver_FTNT

Agreed, a 1 minute interval is nonsense ..
1. You are going to overload LDAP with periodic queries.

 

2. Once the LDAP server starts to have load issues and starts to react slowly, your queries stockpile and will just increase the load with unanswered queries sitting in the queue.

 

3. Once there is an issue connecting to that LDAP server (DoS / network outage / load on the server), the FortiGate will start to stockpile unanswered queries in a queue, which is memory, so you will possibly overload the FortiGate as well.

 

4. Seriously, how often do you change the group membership of your users, and how fast do you need to sync this "promotion" through all connected systems?

You just need to find a balance between sync time, and how long you can live with possibly outdated group membership info, versus some reasonable auto-update interval.

Besides that, if a group cache record times out, then on the next login spotted by FSSO there will be a fresh LDAP group membership query anyway.

 

In summary, I do not see any reason to knock on LDAP's door extremely often.
Short intervals like 30 minutes are fine, and even longer update periods like a few hours might be OK as well; as said, it depends mainly on the frequency of your group membership changes.

 

Tom xSilver, planet Earth, over and out!


Zerotrust
New Contributor

Thanks, everyone, for your replies. I have already adjusted the interval to a longer query period. The 1 minute setting was just a test.

 

I will apply a filter and include only the groups I need.
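The two changes the thread arrives at, a sane group poll interval (Muhammad_Haiqal's and xSilver's replies) and a group filter so the 81E stays under its 1024-group limit (the accepted answer), as a FortiOS CLI fragment. This is an added example, not configuration posted by anyone in the thread. The connector name "FSSO-Collector", the collector address 10.0.0.10, the LDAP server object "AD-LDAP" and the group DNs are placeholders. On FortiOS 6.4 the GUI field "Interval (minutes)" on the FSSO connector corresponds to `group-poll-interval` under `config user fsso`. The accepted answer does not say where the filter should live; the Collector Agent's "Set Group Filters" dialog is the usual place for an agent-based connector, and the `group-filter` option on the LDAP server object is mentioned only as something to verify for your user/group source, not as something this thread establishes.

```fortios
# Added example (not from the thread). Names, addresses and DNs are placeholders.
#
# BEFORE: the setting visible on the 81E screenshot. Groups are re-fetched via
# LDAP every minute, so each poll re-walks the full group list (xSilver's
# points 1-3), and with more than 1024 groups the 81E cannot load them all.
config user fsso
    edit "FSSO-Collector"
        set server "10.0.0.10"
        set password <collector-agent-password>
        set ldap-server "AD-LDAP"
        set group-poll-interval 1        # too aggressive
    next
end

# AFTER: same connector, poll interval raised to a reasonable value.
# Use the same value on the 200E and the 81E so both pull identical group sets.
config user fsso
    edit "FSSO-Collector"
        set server "10.0.0.10"
        set password <collector-agent-password>
        set ldap-server "AD-LDAP"
        set group-poll-interval 30       # minutes; "Interval (minutes)" in the GUI
    next
end

# Group filter, Collector Agent side (Windows host running the FSSO agent):
#   Set Group Filters -> Add -> either "Default filter" (applies to every
#   FortiGate without its own entry) or an entry keyed to the 81E's serial
#   number, listing only the groups referenced by firewall policies, e.g.
#     CN=FW-Internet-Users,OU=Groups,DC=example,DC=com
#     CN=FW-VPN-Users,OU=Groups,DC=example,DC=com
#
# Group filter, FortiGate side (assumption: only relevant if your connector
# pulls groups from the LDAP object rather than from the collector agent;
# confirm against the admin guide for your FortiOS build before relying on it):
config user ldap
    edit "AD-LDAP"
        set group-filter "(&(objectClass=group)(cn=FW-*))"
    next
end

# Verify after the change:
#   diagnose debug authd fsso server-status    # connection state to the collector
#   diagnose debug authd fsso list             # logged-on users and their groups
```

Keep the filtered group count well under 1024 so there is room for the groups you add later; the limit in the maximum values table is per platform, which is why the 200E populated fully and the 81E did not with the same collector.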