Hi,
Does anyone know how often Collector Agent synchronises LDAP user/group membership? I can't seem to find any setting/timer for this. Basically wondering how long it will take for it to be reflected on the FortiGate, when a new user is assigned to a given group in AD. Assuming, the group itself is already in the group filter, sent to the the FGT and configured there. Is there a timer for it that can be changed? or is the only option for the user to log out and log in again?
Thanks,
Rafal
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If your scenario is like this .. 1. user logs in workstation (WKS)
2. user is not seen in FSSO
3. user was not member but now he was added as member of AD group which is in Group Filter
4. user is still not in FSSO user list
Then it is expected as at user's logon he was not part of any monitored AD group. Simply by adding user to the group you will not get user re-evaluated. Because his logon event was already processed. And so user will not be seen in FSSO by design until he makes any authenticated action like logoff-login or accessing network folder somewhere on domain which also is authenticated action.
In case the user group membership changes, like he was part of monitored group A and was moved to group B but he haven't made any authenticated action and his membership from FSSO and so FGT standpoint is still group A. If he will make authenticated action, then his membership will be re-evaluated if there is no group cache set. If he will not make any authenticated action, then his group membership will not be re-evaluated unless you set "grouplookupinterval" config key in registry where Collector Agent runs.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Actually, once you mentioned group lookup, I found it it in the advanced settings and it worked exactly as expcted. when set for example to 5 minutes, it will update group membership every 5 minutes, even without user logging out and back in.
Thanks for your help
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.