MustphaBassim
New Contributor III

FSSO groups

Hello Dears

I am trying to block some users from accessing the internet using an FSSO policy, but it does not seem to be working. Could anyone advise on that?

Bests

AntonyChen
New Contributor III

I see in your captured image that policy 159 has action accept, so why?

MustphaBassim

I tried block/deny but got the same issue.

Sheikh
Staff

Hi MustphaBassim,

Do you have any deny policy as well for those users? Firewall policies work from top to bottom. It might be that the allow policy is above the deny policy.

Moreover, check the FortiGate logs for more details.

Regards,

Sheikh
MustphaBassim
New Contributor III

No, this is the only policy and it's the first policy in the area.

AntonyChen
New Contributor III

You should check that the user you want to block was authenticated in the FSSO-Users group.

An FSSO user must be authenticated automatically on the firewall when the user logs on to a client PC on the domain network, without entering the user name and password again in the FortiGate authentication portal.

I think that it's authenticated with the firewall user method, not FSSO, in this case. Please recheck.

MustphaBassim

Hello dear, and thanks for the reply.

As I understand it, you meant I need to enable web auth on the firewall and then go ahead with that?

Regards

AntonyChen

No man, you said that you implemented FSSO, so you have to check that the user you are testing that policy with is authenticated in the right group. You can see in "firewall user monitor" in the GUI whether that user is displayed and belongs to the Fsso-users group.
Anyway, did you implement FSSO using Active Directory polling, or an fsso-agent installed on server computers to sync the authentication to the firewall?

MustphaBassim

Hello Dear

I implemented it using the polling one, and in the user monitor I did not see any user logged in on it.

AntonyChen

OK, please confirm that you chose "show all fsso logon" in that GUI.

If your user is not displayed, it means you have something wrong in the Active Directory polling settings.

I suggest you read the guide again:

https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/503764/fsso-polling-connecto...

If your config is OK, when you log on to a Windows domain computer, the user information must be collected by the FortiGate automatically and displayed in the monitor section.
