thought the value adgrp shows how many AD groups you can have on particular device. In my case there is AD with >5000 groups and to save smaller devices I don't want to send them all logged users, just some groups. With close to 8000 devices I have to add at least 1 filter entry, in the collector agent, for each device. My question was: is there any limit? With just 1-2 entries per device I need 8000-16000 filter entries. Can I do it on one collector or maybe because of some limits I need more collectors?
ADGrp .. "config user adgrp" entries are either Group Filter records for standalone Collector Agent pushed as per-FortiGates' serial number specific filter (when your FGT do have LDAP in 'config user fsso' for respective Collector), or pulled from Collector Agent, if that collector do have per-FGT specific filter, or Default filter set and FGT do NOT have LDAP in settings.
In either case how the records got to 'config user adgrp' those are USER GROUP records !!
Therefore, those should NOT contain specific users or devices, those should point to GROUP type of objects which sort of consolidate all possible candidates.
Because FSSO is based on group membership.
Collector can read group membership from AD.
Collector do not need to filter every single user via group filter and FGT then do not need to consolidate those single adgrp records into 'config user group' fsso type!
It is not intended to duplicate groups known/defined on AD and I would consider this as configuration error.
Goal of FSSO Group filter is to learn group membership from AD and let AD Admins to "drive" from AD level who is eligible to access what and through firewall (FortiGate), via group membership processed by Collector and users' membership shared to FGT (which then drive access privileges based on groups).
So, if you want to grant access to specific users, then group them to some specific AD group.
Then add this group to Group Filter on Collector (to push to FGT), or add this to FGT where FSSO Connector do have LDAP in config (which is there solely for this purpose, as FGT do not use it for group verification but just config).
Then use above gained adgrp record in firewall user group type fsso, and this can be then used in policies (both on FGT).
Yes, the adgrp is the value of how many AD groups can be imported to FortiGate per vdom. It does not matter whether you config group filter from Collector Agent or from FortiGate using LDAP.
Maybe I wasn't clear in my answer. I know it's based on AD group not on specific users. Assuming I have 10000 groups, which represent different locations. I plan to add 1 or 2 entries (AD groups) for each FortiGate, what means I need to add up to 16k entries (filter groups). My question: is there any limit on the collector of entries I can add?
If you do have 10k FSSO groups, then you probably have overcomplicated setup.
And I would not recommend to drive access by membership in hundreds of groups you already have and want to re-use, but make specific groups, according to access level you do want to grant to users (like P1Users with highest access, to P9Users with very limited access) and then add your existing users/groups to those access groups.
Another alternative, if you do have many locations with local AD structure + FGT, then how about to have local collector, handling only users on the spot and making them FSSO to that local FGT?
As you might not need all the users from around the globe (and nearest planets) on every single 30D access-FGT unit, right?
AFAIK there is no actual limit on how many groups can be inside the filter record known to me.
Also, having too many groups will load them to FGT and that might cause troubles.
So if you truly plan big deployment, then I would suggest to get in contact with Fortinets' Customer Care and through this channel with paid Professional Services team which can discus your specific setup and requirements and help you to size and even implement whole thing.
Thanks for your comments. I think a dedicated collector per site is not a good idea with 8k sites, I think it will be aggregated approach with one collector per X sites , in the same geographic region. I was curious what is the maximum value. FortiGate documentation is good when you need max values per each model. I couldn't find similar one just for collector agent.