I am looking to add AD users and groups to firewall policies.
Do I need to use the FSSO collector agent, or can I just set a remote group in "user groups" via LDAP?
Many thanks
Hi
You can configure a remote user group via LDAP. Please refer to the document below for the configuration.
Thanks for the reply. This shows me how to add user groups into policies, but my firewall is only seeing me as an IP address, so I need to enable user identification, and this is what I need advice on. Thanks again.
Perhaps I need to enable the "poll active directory server".
Hi @Mes-Lili2,
As said in the document, "Users that have been imported from the LDAP server, can be used to enforce user based policies as permission sets and allow VPN connections", this is the use case for VPN policy. In order to have policies based on user, you may want to take a look at FSSO or Active Directory polling. Please refer to this document for more information: "https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/888827/poll-active-directory...
Regards,
Minh
If you want to do what is called passive authentication (apply policies based on AD user groups without asking the user to authenticate), you have to use FSSO. This is explained in the documentation guide. You can configure the FGT to poll the AD directly for events, or install a collector agent on the AD (better scalability):
Basically, FSSO ties the user to their IP based on their domain logon events; then the user is tied to an FSSO group that is applied to a policy.
LDAP groups are used for active authentication: users will be prompted to enter their credentials again.
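As an added illustration of the two options described in this reply (example configuration, not the author's or Fortinet's own), the FortiOS CLI below sets up agentless AD polling, an FSSO-type group beside an LDAP-type group, and a policy that matches the FSSO group. The server address, service account, group DN, interface names and the existing LDAP server object "LDAP_DC1" are all placeholders.

```fortios
# Added example (not from the thread): agentless FSSO polling beside an LDAP
# remote group. All names, addresses and credentials are placeholders, and
# the LDAP server object "LDAP_DC1" is assumed to exist already.

# 1. Agentless polling: FortiGate reads logon events from the DC security log
config user fsso-polling
    edit 1
        set status enable
        set server "192.0.2.10"
        set user "svc_fgt@example.local"
        set password "PLACEHOLDER"
        set ldap-server "LDAP_DC1"
    next
end

# 2a. Passive authentication: FSSO group, membership learned from logon events
config user group
    edit "FSSO_Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=local"
    next
end

# 2b. Active authentication: LDAP remote group, the user is prompted to log in
config user group
    edit "LDAP_Finance"
        set member "LDAP_DC1"
        config match
            edit 1
                set server-name "LDAP_DC1"
                set group-name "CN=Finance,OU=Groups,DC=example,DC=local"
            next
        end
    next
end

# 3. Policy using the FSSO group: the user is matched by the IP learned above
config firewall policy
    edit 10
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set groups "FSSO_Finance"
    next
end
```

Pointing `set groups` at "LDAP_Finance" instead gives the active-authentication behaviour described above, where the user is prompted for credentials.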
Yes, I am now polling the AD server directly, but my authentication seems to be failing. I am using UPN as suggested in the documentation, and testing directly on an AD server I can authenticate, but via the Active Directory connector within external connectors it fails. Thanks all for your help here.
Created on 09-22-2023 08:41 AM Edited on 09-22-2023 08:44 AM
Is the LDAP server configured correctly? Can you share the output of this command:
diagnose debug fsso-polling detail 1
The local firewall on the server should allow the connection and the user credentials should have privileges to read the events.
I would still suggest downloading and using the FSSO collector; it is free to use and you can get it from the support page.
Hi @Mes-Lili2,
For agentless troubleshooting, please refer to this document for more detail "https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-p...
Regards,
Minh
Thanks all...
Thus far...
The LDAP seems OK, as we are using it for admin access.
Unfortunately, DC management is by a different company, so I will be asking them to check the given credentials on Monday. This also makes downloading FSSO not an easy option.
Many thanks to you all. I will of course update soon.