Hello everyone,
I have two different FortiGates I recently installed on my work network.
Fortigate 200E
Fortigate 81E
They are both on FortiOS 6.4.8
I am having an issue with one of them (the 81E) not fully populating the users/groups. Are there limitations on the number of groups the Fortigate 81E can select simultaneously? And if there are, what is the best way to specify a group? See the screenshots attached.
They are both connected to the same FSSO agent on a windows device.
Thanks in advance for your help.
1024 is the maximum number of FSSO user groups supported by Fortigate 81E.
Source: https://docs.fortinet.com/max-value-table
You will need to apply group filter and only synchronize the groups you actually need for your firewall policy configuration.
I can see the difference between interval (minutes). The 1st picture is 180 minutes and the 2nd picture is 1 minute. A longer interval allows the Fortigate to retrieve proper information. 1 minute might be too fast to complete the task and you may see this kind of behavior. Try to increase the interval to between 15-30 minutes. Hope that helps.
Agree, a 1 minute interval is nonsense...
1. You are going to overload LDAP with periodical queries.
2. Once the LDAP starts to have load issues and starts to react slowly, your queries stockpile and will just increase the load with non-responded queries queued.
3. Once there is an issue connecting to that LDAP (DoS / network outage / load on server), the FortiGate will start to stockpile non-responded queries in a queue, which is memory, so you will possibly overload the FortiGate as well.
4. Seriously, how often do you change group membership of the users and how fast do you need to sync this "promotion" through all connected systems?
You just need to find a balance between sync time and for how long you can keep possibly older group membership info, versus some reasonable auto-update interval.
Besides that, if group cache record times out, then on next login spotted by FSSO there will be fresh LDAP group membership query anyway.
In summary, I do not see any reason to knock on LDAP's door extremely often.
Short intervals like 30 minutes are fine. And even longer update periods like a few hours might be OK as well; as said, it depends mainly on the frequency of your group membership changes.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hello Bpozdena,
TAC found your post for me on a similar case. I'm very interested to know how you are able to determine that "user.adgrp" is the object in the maximum values table that's most relevant to this? I was hoping the max value table would have links to descriptions for each object but haven't come across documentation on these objects yet in our search.
Hello 80211WiGuy,
The object names in the maximum value table follow the same naming as in FortiOS CLI, just separated with a dot instead of space.
Whenever an FSSO user group is synchronized into Fortigate, the group is saved in the config file under "config user adgrp". You can list all FSSO groups with the command "show user adgrp".
FortiOS CLI command | Object Name in Maximum Value Table |
---|---|
config firewall policy | firewall.policy |
config user adgrp | user.adgrp |
If you wish to find out the complete maximum values for your FortiGate unit, use the following CLI command: print tablesize
Thanks Boris! This is incredibly helpful!!!
Any tips for limiting/filtering which ad-groups get pushed from the FAC down to the FGT? We have tons of groups in AD and only want to sync the ones that are actually applicable to firewall policies.
The concept of filtering the FSSO groups on FAC is the same as on Windows Collector Agent.
FAC, however has two different filtering options 'Global Pre-Filter' and custom 'FortiGate Filter'.
To create FSSO Filter for your Fortigate:
FAC GUI > Fortinet SSO Methods > SSO > Fortigate Filtering > Create New FortiGate Filter > Enable 'Fortinet Single Sign-On' option > Import from LDAP server.
Once your filters are created on FAC, you may need to refresh the groups on Fortigate manually:
Let me know if this is unclear and I will try to provide more details ;-).
Thanks! I'll give this a try and report back :)
Created on 12-14-2022 12:14 PM Edited on 12-14-2022 12:14 PM
Hi Boris,
I'm having a little difficulty with this... We've gone to the trouble of creating "firewall-<servicename>" groups in LDAP but I want to be able to automatically import any new groups that fit that first "firewall-" naming structure. Is that possible?
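An offline audit of the synchronized groups, written as an added example (not code from the thread or from Fortinet): it parses the output of the "show user adgrp" command mentioned above, counts the groups against the 1024 user.adgrp limit cited for the 81E, and lists the synchronized groups whose CN does not follow the "firewall-" naming convention, i.e. candidates to drop from the FSSO group filter. The config text is constructed; the exact "set server-name" attribute inside each entry is assumed and is not needed by the parser.

```python
import re

# Maximum number of FSSO user groups (user.adgrp) for a FortiGate 81E,
# as quoted in the thread from the Fortinet maximum value table.
MAX_ADGRP_81E = 1024

# Constructed sample of `show user adgrp` output in FortiOS config syntax
# (not a real capture; the `set server-name` line is assumed).
SAMPLE_ADGRP = '''config user adgrp
    edit "CN=firewall-vpn,OU=Groups,DC=example,DC=com"
        set server-name "FSSO_Collector"
    next
    edit "CN=firewall-webproxy,OU=Groups,DC=example,DC=com"
        set server-name "FSSO_Collector"
    next
    edit "CN=Domain Users,CN=Users,DC=example,DC=com"
        set server-name "FSSO_Collector"
    next
end
'''

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
CN_RE = re.compile(r'^CN=([^,]+)', re.IGNORECASE)


def parse_adgrp(config_text):
    """Return the group DNs found inside the `config user adgrp` block."""
    groups, inside = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == 'config user adgrp':
            inside = True
        elif inside and stripped == 'end':
            inside = False
        elif inside:
            m = EDIT_RE.match(line)
            if m:
                groups.append(m.group(1))
    return groups


def group_cn(dn):
    """Extract the leading CN from a group DN; fall back to the full DN."""
    m = CN_RE.match(dn)
    return m.group(1) if m else dn


def audit_adgrp(config_text, prefix='firewall-', limit=MAX_ADGRP_81E):
    """Count synced groups against the model limit and flag off-convention ones."""
    groups = parse_adgrp(config_text)
    unwanted = [g for g in groups if not group_cn(g).lower().startswith(prefix)]
    return {'total': len(groups), 'over_limit': len(groups) > limit,
            'headroom': limit - len(groups), 'filter_candidates': unwanted}
```

Run it against a saved copy of the real "show user adgrp" output to see how close the unit is to the limit before the group filter is tightened.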