- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiAP
- FortiClient
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiExtender
- FortiEDR
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FSSO Groups not available in Users & Group
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO Groups not available in Users & Group
Hi All,
On our FG300C with FortiOS 5.0.6, we are not able to see the Groups defined in the FSSO Agents installed on our DCs.
Fortigate is connected to the agents and in Log & Report -> Event Log -> User, we are able to see the users that are connected, however, group is still empty.
With the cli,
FW-FR1-01 # diagnose debug authd fsso list
----FSSO logons----
IP: X.X.X.X User: U1 Groups: DMN/CFS_DEFAULT Workstation: WKS1.DMN
IP: X.X.X.X User: U2 Groups: DMN/CFS_DEFAULT Workstation: WKS2.DMN
IP: X.X.X.X User: U3 Groups: DMN/CFS_DEFAULT Workstation: WKS3.DMN
IP: X.X.X.X User: U4 Groups: DMN/CFS_DEFAULT Workstation: WKS4.DMN
IP: X.X.X.X User: U5 Groups: DMN/CFS_DEFAULT Workstation: WKS5.DMN
IP: X.X.X.X User: U6 Groups: DMN/CFS_DEFAULT Workstation: WKS6.DMN
IP: X.X.X.X User: U7 Groups: DMN/CFS_DSI Workstation: WKS7.DMN
IP: X.X.X.X User: U8 Groups: DMN/CFS_DEFAULT Workstation: WKS8.DMN
Total number of logons listed: 8, filtered: 0
----end of FSSO logons----
DMN/CFS_DEFAULT & DMN/CFS_DSI are part of the group allowed in the FSSO Agent and the objective is to define a browing policy based on Content Filtering Group.
As these groups are not present in Users & Devices -> User -> User Groups when we define an FSSO Group, users are not able to browse anymore.
Any idea to solve this issue?
Regards
CIO/CSO
CIO/CSO
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I would first ask if this worked before and stopped working after an upgrade ?
We have a 1000C with FSSO Collector on a separate VM, so I will give you my opinion, but if your setup is different it might not apply.
The command on our Fgt shows more information, as :
IP: X.X.X.X User: U2 Groups: <DOMAIN_GROUP> Workstation: X.X.X.X MemberOf: <FortigateGroupName>.
If you go to Users & Devices -> Single Sign-On, and you Edit your Single-signon server, you should see the domain groups, that is the groups that exit on your DCs, under Users/Groups ?
Under Users & Devices -> User -> User Groups, I believe you should see the groups you created on the Fortigate, into which you would put your domain groups, if you can see them, eventually.
Hope it helps you to go further !
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
No, we start the setup after the upgrade in 5.0.6.
The FSSO Collector is setup on our DC, and we use Fortimanager to manage our 60 FGT (60C, 100D & 300C).
From the GUI of the 300C, everything is OK and after an import in our Fortimanager, we are able to see everything from our DC.
So the issue seems to come from the Fortimanager who is not able to get the information from the Agent...
Thanks & Regards
Franck
CIO/CSO
CIO/CSO
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am not familiar with Fortimanager, so maybe you' d be better off opening a ticket with Fortinet for that part, but I believe the group contents are sent from the Agent to the Fortigate directly, so the Fortimanager would normally not get any information from the Agent.
And you should be able to configure everything without the Fortimanager, at least on one machine, even if just to prove it does work.
Still you mention that " From the GUI of the 300C, everything is OK " , however you also mention that " On our FG300C with FortiOS 5.0.6, we are not able to see the Groups defined " ...
I probably do not understand correctly what the problem is.
In Log & Report -> Event Log -> User, you see the users that are part of groups that you configured the FSSO Agent to send to the Fortigate, so we can assume that the Agent sees the AD Groups and their users, and sends this information correctly.
The way I see this, from the output of " diagnose debug authd fsso list " , it seems to be missing the last part that we get on our machine, " MemberOf: <FortigateGroupName>" , as if the groups on the Fortigate do not contain the groups from your DC/FSSO Agent
When you create a group on the Fortigate, you do specify the type FSSO ?
Do you have a LDAP server specified under Users & Devices -> Authentication -> LDAP Servers, with a bind type Regular, port 389, and Common Name Identifier of sAMAccountName, etc ?
Let me know if this is too garbled or anything else I can do :)
Richard
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FORTIMANAGER VM TRIAL 121 Views
- Using FMG to configure SAML on... 157 Views
- customer wants to connect to wifi... 172 Views
- BUG ZTNA GeoLocation and ZTNA Tag... 133 Views
- Fortigate web console - applied address... 185 Views
Labels
-
fortigate
7,014 -
FortiClient
1,380 -
5.2
801 -
5.4
639 -
FortiManager
608 -
FortiAnalyzer
444 -
6.0
416 -
FortiAP
369 -
FortiSwitch
368 -
5.6
362 -
FortiClient EMS
285 -
FortiMail
272 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
171 -
6.4
128 -
FortiNAC
123 -
FortiGuard
112 -
IPsec
103 -
FortiGateCloud
93 -
SSL-VPN
93 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
SD-WAN
43 -
Fortivoice
43 -
FortiEDR
42 -
FortiDNS
37 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
FortiAuthenticator
31 -
Firewall policy
31 -
VLAN
28 -
High Availability
28 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
DNS
21 -
FortiConverter
21 -
BGP
19 -
FortiGate v5.2
19 -
SAML
18 -
FortiPortal
18 -
Certificate
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
VDOM
16 -
FortiMonitor
14 -
Authentication
14 -
FortiLink
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
Fortigate Cloud
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
RADIUS
11 -
NAT
11 -
Web profile
11 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
Application control
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
WAN optimization
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Static route
6 -
IPS signature
5 -
Packet capture
5 -
Proxy policy
5 -
FortiAP profile
5 -
Automation
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
Antivirus profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
Web rating
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
FortiDB
3 -
Intrusion prevention
3 -
Protocol option
2 -
FortiInsight
2 -
NAC policy
2 -
System settings
2 -
Users
2 -
FortiAI
2 -
VoIP profile
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
4.0MR1
1 -
TACACS
1 -
Subscription Renewal Policy
1 -
Replacement messages
1 -
FortiCWP
1 -
FortiNDR
1 -
Schedule
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
DLP sensor
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1039 | |
| 861 | |
| 507 | |
| 440 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.