I have two different FortiGates I recently installed on my work network.
They are both on FortiOS 6.4.8
I am having an issue with one of them (the 81E) not fully populating the users/group. Are there limitations on the selected groups the FortiGate 81E can choose simultaneously? And if there are, what is the best way to specify a group? See the screenshots attached.
They are both connected to the same FSSO agent on a windows device.
I can see the difference in the interval (minutes). The 1st picture is 180 minutes and the 2nd picture is 1 minute. A longer interval allows the FortiGate to retrieve the proper information. 1 minute might be too fast to complete the task and you may see this kind of behavior. Try to increase the interval to 15-30 minutes. Hope that helps.
Agree, a 1-minute interval is nonsense:
1. You are going to overload LDAP with periodic queries.
2. Once the LDAP starts to have load issues and starts to react slowly, your queries stockpile and will just increase the load with unanswered queries sitting in the queue.
3. Once there is an issue connecting to that LDAP (DoS / network outage / load on the server), the FortiGate will start to stockpile unanswered queries in a queue, which is memory, so you will possibly overload the FortiGate as well.
4. Seriously, how often do you change the group membership of users, and how fast do you need to sync this "promotion" through all connected systems?
You just need to find a balance between sync time and how long you can live with possibly stale group membership info, versus some reasonable auto-update interval.
Besides that, if a group cache record times out, then on the next login spotted by FSSO there will be a fresh LDAP group membership query anyway.
In summary, I do not see any reason to knock on LDAP's door extremely often. Short intervals like 30 minutes are fine. Even longer update periods like a few hours might be OK as well; as said, it depends mainly on the frequency of your group membership changes.
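To make the backlog argument in points 2 and 3 concrete, here is a small added model (not from any poster, and not how the FSSO collector or FortiGate actually queues requests): it treats LDAP as a single FIFO server with a constructed, hypothetical service time per group-membership query and counts how many polls are still unanswered when polls arrive faster than they are served.

```python
"""Toy model of periodic group-membership polls against an LDAP server.

Assumptions (constructed for illustration, not measured from a real deployment):
- the collector issues one poll every `interval_min` minutes;
- LDAP answers polls one at a time, FIFO, taking `service_min` minutes each;
- time advances in whole minutes.
"""


def simulate_polls(interval_min: int, service_min: int, duration_min: int) -> dict:
    """Return peak outstanding polls, polls answered, and polls still unanswered at the end."""
    queue = 0          # polls waiting or currently being served
    remaining = 0      # minutes left on the poll currently being served
    peak = 0
    answered = 0
    for t in range(duration_min):
        if t % interval_min == 0:       # a new poll is issued
            queue += 1
        if queue and remaining == 0:    # LDAP picks up the next queued poll
            remaining = service_min
        if remaining:
            remaining -= 1
            if remaining == 0:          # poll completed this minute
                queue -= 1
                answered += 1
        peak = max(peak, queue)
    return {"peak_outstanding": peak, "answered": answered, "unanswered_at_end": queue}


def backlog_grows(interval_min: int, service_min: int) -> bool:
    """Polls pile up without bound whenever LDAP needs longer to answer than the poll interval."""
    return service_min > interval_min


if __name__ == "__main__":
    for interval in (1, 30):
        print(interval, simulate_polls(interval, service_min=3, duration_min=60))
```

With a hypothetical 3-minute service time, a 1-minute interval leaves 40 of 60 polls unanswered after an hour, while a 30-minute interval never has more than one poll outstanding.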
TAC found your post for me on a similar case. I'm very interested to know how you were able to determine that "user.adgrp" is the object in the maximum values table that's most relevant to this? I was hoping the max values table would have links to descriptions for each object, but I haven't come across documentation on these objects yet in our search.
I'm having a little difficulty with this... We've gone to the trouble of creating "firewall-<servicename>" groups in LDAP but I want to be able to automatically import any new groups that fit that first "firewall-" naming structure. Is that possible?