FSSO groups
Hello Dears
I am trying to block some users from accessing the internet using an FSSO policy, but it does not seem to be working. Could anyone advise about that?
Bests
I see in your captured image that policy 159 has action accept, so why?
I tried block/deny but got the same issue.
Do you have any deny policy as well for those users? Firewall policies work from top to bottom. It might be that the allow policy is above the deny policy.
Moreover, check the logs of the FortiGate for more details.
Regards,
Sheikh
No, this is the only policy and it's the first policy in the area.
You should check that the user you want to block was authenticated as the FSSO-Users group.
An FSSO user must authenticate automatically on the firewall when the user logs on to a client PC on the domain network, without entering the user name and password again in the FortiGate authentication portal.
I think that it's authenticated with the firewall user method, not FSSO, in this case. Please recheck.
Hello dear, and thanks for the reply.
As I understand, you meant I need to enable web auth on the firewall and then go ahead with that?
Regards
Created on 10-23-2022 11:06 PM Edited on 10-23-2022 11:07 PM
No man, you said that you implemented FSSO, so you have to check that the user you are testing that policy with is authenticated in the right group. You can see in "firewall user monitor" in the GUI whether that user is displayed and belongs to the Fsso-users group.
Anyway, did you implement FSSO using Active Directory polling, or an fsso-agent installed on server computers to sync the authentication to the firewall?
Hello Dear
I implemented it using the polling one, and in the user monitor I did not see any user logged in on it.
Created on 10-23-2022 11:23 PM Edited on 10-23-2022 11:31 PM
OK, please confirm that you chose "show all fsso logon" in that GUI.
If your user is not displayed, it means you have something wrong in the Active Directory polling settings.
I suggest you read the guide again.
If your config is OK, when you log on to a Windows domain computer, user information must be collected by the FortiGate automatically and displayed in the monitor section.