Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
emtee
New Contributor

FSSO - AD polling vs SSO Agent

Hi,

 

Setting up my first fortigate 101e v6.0. I have everything setup and working, firewall rules, static routes, SD-WAN. But cannot get the AD polling to work.

 

Does anyone actually use AD polling or is using the fortinet SSO agent the more used standard? What is the benefit of using the sso agent? We have a relatively small environment. 2 DC's 250 users.

 

Under security fabric > fabric connecotrs > poll ad server option i have configured this to connect to my AD - no issues. I've added the users/groups. Added them to my IPv4 Policies - but the policies never match.

 

Under Firewall User Monitor - i can see users logging on.

 

The rule is incredible basic. If user a member of facebook_allow group then allow facebook.

 

 

3 REPLIES 3
xsilver_FTNT
Staff
Staff

Hi, your traffic is probably hitting some non-identity based policy and so flowing unauthenticated or even not matching your policy completely. Keep in mind that since 5.1 IP based policies has precedence over those Identity based. Use basic tools like session list and flow debug to find out.

https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30038

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

emtee

Thanks I'll take a look at this. It is matching the rule below this which is to block Facebook. However this is just set for the entire subnet and is not user/group specific.
xsilver_FTNT

it should not be needed to explicitly block facebook .. keep in mind that FortiGate is 'implicit deny' typo of firewall.

And so all the policies are positive exemptions to this deny everything rule.

Having identity based policy to allow facebook to some authenticated users and letting  every one else fall to implicit deny should be enough.

 

As I wrote before, IP based policies are searched first, so if you have one policy to deny facebook, all the users will hit that first, and there will be no attempt to hit identity based policy.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors