Zerotrust
New Contributor

External Connector FSSO Agent on Windows AD

Hello everyone, 

 

I have two different FortiGates I recently installed on my work network. 

Fortigate 200E 

Fortigate 81E

They are both on FortiOS 6.4.8

 

I am having an issue with one of them (the 81E) not fully populating the users/groups. Are there limitations on the number of selected groups the Fortigate 81E can choose simultaneously? And if there are, what is the best way to specify a group? See the screenshots attached.

 

They are both connected to the same FSSO agent on a windows device. 

 

Thanks in advance for your help. 

 

[Attachments: FGT-200E FSSO.PNG, FGT-81E FSSO.PNG]

 

1 Solution
bpozdena_FTNT

1024 is the maximum number of FSSO user groups supported by Fortigate 81E.

 

[Screenshot: bpozdena_FTNT_0-1654068276678.png]

 

Source: https://docs.fortinet.com/max-value-table 

 

You will need to apply a group filter and only synchronize the groups you actually need for your firewall policy configuration.

HTH,
Boris


Muhammad_Haiqal

I can see the difference between interval (minutes). The 1st picture is 180 minutes and the 2nd picture is 1 minute. A longer interval allows the Fortigate to retrieve proper information. 1 minute might be too fast to complete the task and you may see this kind of behavior. Try to increase the interval to 15-30 minutes. Hope that helps.

haiqal
xsilver_FTNT

Agree, a 1 minute interval is nonsense ..
1. You are going to overload LDAP with periodical queries.

2. Once the LDAP starts to have load issues and starts to react slowly, your queries stockpile and will just increase the load with non-responded queries queued.

3. Once there is an issue connecting to that LDAP (DoS / network outage / load on server), then FortiGate will start to stockpile non-responded queries in a queue, which is memory, so you will possibly overload FortiGate as well.

4. Seriously, how often do you change group membership of the users, and how fast do you need to sync this "promotion" through all connected systems?

You just need to find a balance between sync time and how long you can keep possibly older group membership info, versus some reasonable auto-update interval.

Besides that, if the group cache record times out, then on the next login spotted by FSSO there will be a fresh LDAP group membership query anyway.

In summary, I do not see any reason to knock on LDAP's door extremely often.
Short intervals like 30 minutes are fine. And even longer update periods like a few hours might be OK as well; as said, it depends mainly on the frequency of your group membership changes.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

80211WiGuy

Hello Bpozdena,

TAC found your post for me on a similar case. I'm very interested to know how you are able to determine that "user.adgrp" is the object in the maximum values table that's most relevant to this? I was hoping the max val table would have links to descriptions for each object but haven't come across documentation on these objects yet in our search.

bpozdena_FTNT

Hello 80211WiGuy,

 

The object names in the maximum value table follow the same naming as in FortiOS CLI, just separated with a dot instead of space. 

 

Whenever an FSSO user group is synchronized into Fortigate, the group is saved in the config file under config user adgrp. You can list all FSSO groups with the command show user adgrp.

 

FortiOS CLI command       Object Name in Maximum Value Table
config firewall policy    firewall.policy
config user adgrp         user.adgrp

 

If you wish to find out the complete maximum values for your FortiGate unit, use the following CLI command: print tablesize

HTH,
Boris
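As an added example (not code from Fortinet or from anyone in this thread), the script below applies the two points Boris makes: it parses a constructed sample of show user adgrp output to count the synchronized FSSO groups against the user.adgrp limit (1024 for the 81E, per the table quoted above), and it maps a CLI config path to its maximum-value-table object name by dropping the leading "config" and joining the remaining words with dots. The sample output, group DNs, server name and the "firewall-" prefix filter are constructed assumptions; the prefix filter is a local illustration of "synchronize only the groups you need", not a FortiOS or FAC feature.

```python
"""Check FSSO group count from `show user adgrp` output against a FortiOS table limit,
and map CLI config paths to maximum-value-table object names (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `show user adgrp` output (approximate FortiOS config layout;
# DNs and server name are made up for this example).
SAMPLE_SHOW_USER_ADGRP = """\
config user adgrp
    edit "CN=firewall-vpn,OU=Groups,DC=corp,DC=example"
        set server-name "fsso-collector"
    next
    edit "CN=firewall-web,OU=Groups,DC=corp,DC=example"
        set server-name "fsso-collector"
    next
    edit "CN=Domain Users,CN=Users,DC=corp,DC=example"
        set server-name "fsso-collector"
    next
    edit "CN=Printer Admins,OU=Groups,DC=corp,DC=example"
        set server-name "fsso-collector"
    next
end
"""

# Value from the maximum value table quoted in the thread for the FortiGate 81E.
ADGRP_LIMIT_81E = 1024

# One synchronized group per `edit "<DN>"` line inside the config block.
EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"\s*$', re.MULTILINE)


def parse_adgrp(show_output: str) -> List[str]:
    """Return the group DNs listed in a `config user adgrp` block."""
    return EDIT_RE.findall(show_output)


def cli_path_to_table_object(cli_path: str) -> str:
    """Map 'config user adgrp' -> 'user.adgrp' (Boris's naming rule)."""
    words = cli_path.split()
    if words and words[0] == "config":
        words = words[1:]
    if not words:
        raise ValueError("empty CLI path")
    return ".".join(words)


def group_cn(dn: str) -> str:
    """First CN component of an LDAP DN, e.g. 'firewall-vpn'."""
    match = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return match.group(1) if match else dn


def filter_by_prefix(groups: List[str], prefix: str) -> List[str]:
    """Keep only groups whose CN starts with the prefix (case-insensitive)."""
    return [g for g in groups if group_cn(g).lower().startswith(prefix.lower())]


@dataclass
class CapacityReport:
    synced: int
    limit: int

    @property
    def headroom(self) -> int:
        return self.limit - self.synced

    @property
    def over_limit(self) -> bool:
        return self.synced > self.limit


def capacity_report(groups: List[str], limit: int) -> CapacityReport:
    """Compare the number of synchronized groups with the platform table limit."""
    return CapacityReport(synced=len(groups), limit=limit)


if __name__ == "__main__":
    groups = parse_adgrp(SAMPLE_SHOW_USER_ADGRP)
    report = capacity_report(groups, ADGRP_LIMIT_81E)
    print(f"{cli_path_to_table_object('config user adgrp')}: "
          f"{report.synced}/{report.limit} synced, headroom {report.headroom}")
    kept = filter_by_prefix(groups, "firewall-")
    print(f"groups kept by 'firewall-' prefix filter: {len(kept)}")
    for dn in kept:
        print("  ", dn)
```

Run it against the real output of show user adgrp (redirect the CLI session to a file and pass the text to parse_adgrp) to see how close a unit is to its limit before adding more groups to the collector agent's filter.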
80211WiGuy

Thanks Boris!  This is incredibly helpful!!!

Any tips for limiting/filtering which ad-groups get pushed from the FAC down to the FGT?  We have tons of groups in AD and only want to sync the ones that are actually applicable to firewall policies.

bpozdena_FTNT

The concept of filtering the FSSO groups on FAC is the same as on Windows Collector Agent.

 

FAC, however has two different filtering options 'Global Pre-Filter' and custom 'FortiGate Filter'.

 

To create FSSO Filter for your Fortigate:

FAC GUI > Fortinet SSO Methods > SSO > Fortigate Filtering > Create New FortiGate Filter > Enable 'Fortinet Single Sign-On' option > Import from LDAP server.

 

[Screenshot: bpozdena_FTNT_0-1669631781630.png]

 

Once your filters are created on FAC, you may need to refresh the groups on Fortigate manually:

[Screenshot: bpozdena_FTNT_1-1669631929687.png]

 

Let me know if this is unclear and I will try to provide more details ;-).

HTH,
Boris
80211WiGuy

Thanks!  I'll give this a try and report back :)

80211WiGuy

Hi Boris,

I'm having a little difficulty with this... We've gone to the trouble of creating "firewall-<servicename>" groups in LDAP but I want to be able to automatically import any new groups that fit that first "firewall-" naming structure. Is that possible?
