Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
torenhof
New Contributor III

FSSO Group Filters & Ignore Users

Hello All,

 

We have configured FSSO on a FG300 running version 5.0 (GA 13)

In this config we are using group filters, but when I check the CA that is running on an A.D. server, we noticed that a service account was logged on multiple times (about 20 times). This service account isn't included in the A.D. servers' groups where we configured the groups that must be used in the identity based firewall policy.These groups have been configured/selected in the FG.

After I had excluded that service account, FSSO seems to be working.

Another important thing: we have upgraded the agents on the DC's but only restarted the services, we didn't do a complete reboot of each A.D. controller.

Could this be the culprit?

 

Best regards,Torenhof

 

1 Solution
Syed_Mehmood_Ali
New Contributor III

Its better to reboot the server whenever install DC agent or upgrade the agent. In my case I tested the DC agent without rebooting the server but results were not accurate.

View solution in original post

3 REPLIES 3
Syed_Mehmood_Ali
New Contributor III

Its better to reboot the server whenever install DC agent or upgrade the agent. In my case I tested the DC agent without rebooting the server but results were not accurate.

torenhof

OK, we have rebooted the servers. But we still needed to add service accounts to the ignore users list.

The point of using group filters seems to be somewhat gone

 

Thanks anyway for the reply.

Regards

xsilver_FTNT
Staff
Staff

hello,

 

make sure and double check that there is no slightest possibility of test account being included in allowed (filtered) user groups, keep in mind that if Collector runs in Advanced mode then group nesting is possible and so if group (LOW) is nested inside another group (TOP) then through this mechanism user can be seen as member or group (TOP) regardless he is not direct member of it. He will be there through TOP-LOW-user nested groups chain.

 

If it still seems correct, open a ticket on support for that and we can test and raise a bug if issue confirmed.

 

Best regards, Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Labels
Top Kudoed Authors