kernal
New Contributor

FortiClient EMS - Group Assignment Rules not working

Hi Forum!

 

I have two issues with the Group Assignment Rules in FortiClient EMS.

 

The manual says:

If a newly connected endpoint does not match any group assignment rule and belongs to an imported AD domain, the endpoint is moved into the OU to which it belongs in the AD domain tree. If no AD domain has been imported, or the endpoint also does not belong to the imported AD domain, it is placed in the Other Endpoints group.

My endpoints all belong to an AD domain for now. The domain membership should only be relevant if a newly connected endpoint does not match any group assignment rule. Only when there is no rule match should the endpoint be moved into the OU to which it belongs in the AD domain tree.

 

The problem starts when creating an assignment rule. I can only choose groups from within Endpoints > Workgroups and not from Endpoints > Domains... If I use a Workgroups group, domain-joined endpoints are not placed into that group but in their OU.

 

My second issue is that I cannot use the AD group assignment rule introduced with FortiClient 6.2.0. I'm simply not offered the AD Group type in the dropdown list.

 

best regards

Kai

  • FortiGate Active/Passive Cluster w/ FortiOS v6.2.1 build0932 (GA)
  • FortiAnalyzer (FAZVM64) v6.4.1-build2072 200615 (GA)
  • FortiClient EMS 6.4.1 build 1498
  • FortiClient 6.4.1
3 REPLIES
Jay8
New Contributor

Hi @kernal ,

 

Did you find a resolution for your issues? Facing the same issue here.

 

Regards,

Jay

daljte
New Contributor

Hi Jay8,

We never got this to work. We have learned to live without group assignment rules.

best regards
Kai

P.S.: I cannot log in to the forum as kernal anymore and I don't know why. I assume it's because login is handled by "FortiCloud" now. Don't have time to investigate this issue... ;)

ebujedo
Staff

Hi all,
There is a reported issue about this if you are using Split Tunnel:
https://docs.fortinet.com/document/forticlient/7.0.3/ems-release-notes/310815/known-issues

760816 Group assignment rules based on IP addresses do not work when using split tunnel.


Cheers.
Ezequiel.
