Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mes-Lili2
New Contributor III

AD Integration

I am looking to add AD users and groups to firewall policies.

Do i need to use FSSO collector agent or can i just set a remote group in "user groups" via LDAP.

Many thanks

21 REPLIES 21
ebilcari

Most probably the port 445 is not opened. I found a good article created from one of my collogues that has some nice troubleshoot steps: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-cannot-connect-to-Active-D...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Kush_Patel
Staff
Staff
Mes-Lili2
New Contributor III

It seems the Fortigate is trying to connect on SMBV1, this is not enabled on our DC's so need to force V2. I can only see docs on ssl vpn SMB so as i trawl away perhaps someone could point me in the right direction...

 

ebilcari

By default it should be disabled, you can verify it here :

GW (fsso-polling) # show full
config user fsso-polling

set smbv1 disable
set smb-ntlmv1-auth disable 

This debug may help:

diag debug application fssod -1
diag debug enable

 

P.S Collector agent is still the recommended way of doing this :)

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Mes-Lili2
New Contributor III

output as below..

end
set smbv1 disable
set smb-ntlmv1-auth disable
next
end

 

but DC is still rejecting SMBV1 attempt.

Yes I am looking into FSSO Agent but polling should work...

TuncayBAS
Contributor II

It is best to use FSSO. Just using ldap as a local collector in Fortigate cannot fully manage AD traffic.

But if it uses FSSO, you can easily capture users' group changes and when there is more than one DC, it will be easier for you to manage them via FSSO.

Tuncay BAS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
Tuncay BASRZK Muhendislik TurkeyFCA,FCP,FCF,FCSS
Mes-Lili2
New Contributor III

OK once again many thanks all for the info..

so... I have gone FSSO with collector and the collector to AD is working fine as can see all logged in users in collector logs.

 

I have set FSSO client to use collector and added lDAP server for groups.

 

when I go into a policy I can add the group seen by the FSSO but although I am a member of that group my policy fails.  in log forwarding when group is not applied I can see my traffic allowed and my username in the source field...    however ... I have noticed that it does not include the domainname\username  like it does on the collector so perhaps this is my problem.

 

If the domain name does not show in user source, how am i supposed to differentiate between different domains,,

 

Many thanks in advance.... and yes I have downloaded many docs but to no avail.

Mes-Lili2
New Contributor III

OK got AD groups working by just letting FSSO agent populate/collect group info...  I am now looking to see the command to show group membership

For palo alto .. show user group name <usergroupname>

 

I am also looking to see how to add individual AD users into policies...

any help much appreciated.

TuncayBAS

diagnose debug authd fsso list

You can see the users coming from FSSO with the command.


To use user groups in rules, "User & Authentication -> User Group -> Create New"


You select FSSO as your type and become a member of the relevant FSSO group.

 

Tuncay BAS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
Tuncay BASRZK Muhendislik TurkeyFCA,FCP,FCF,FCSS
Mes-Lili2
New Contributor III

so can you only have AD groups in policies but not individual AD usernames...

I can add local users but can't see how to add single domain users

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors