Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MustphaBassim
New Contributor III

FSSO groups

Hello Dears

 

I am trying to block some users from accessing the internet using an FSSO policy, but it does not seem to be working. Could anyone advise about that?

 

Bests

1 Solution
AntonyChen

OK, please confirm that you choose "show all fsso logon" in that GUI.

If your user is not displayed, it means you have something wrong in the Active Directory polling settings.

I suggest you read the guide again:

https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/503764/fsso-polling-connecto...

 

If your config is OK, when you log on to a Windows domain computer, the user information must be collected by the FortiGate automatically and displayed in the monitor section.


14 REPLIES
MustphaBassim

Hello dear

 

It's really working. What I did was remove the configuration and redo it, and it's really working. The article that you shared is the same one that I followed; it is very recommended to work with it.

 

Bests

 

AntonyChen

ok bro, nice to hear this

Markus_M
Staff

Hello,

 

fitting debug here:

diag debug console timestamp enable

diag debug app fssod -1

diag debug app auth -1

diag debug app smbcd -1

diag debug enable

 

should show you which users are actually picked up.

I do recommend using agent-based polling instead; it leaves the FortiGate free for its firewalling job and is more flexible in terms of understanding logon events.

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Windows-event-IDs-used-by-FSSO-in...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-local-poller-fssod-limitations-compar...

 

Best regards,

 

Markus

Markus_M

and another note: the firewall user monitor is important. If the user is not there or not correct, the policy objects WILL not work. First make sure the users are listed. If they are, then your firewall can use these groups in its policies.
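
The check described in the post above (confirm each user is listed, and with the right group, before expecting the policy to match), as an added example that is not part of any post in this thread. It assumes a saved copy of the FSSO logon listing with one `IP: ... User: ... Groups: ... Workstation: ...` line per logon; that layout, the user names and the group DN are constructed for illustration.

```python
import re

# Constructed sample. The "IP/User/Groups/Workstation" line layout is an assumption;
# adjust LOGON_RE if your own logon listing is laid out differently.
SAMPLE_LOGONS = """\
IP: 10.0.0.21  User: ALICE  Groups: CN=NO-INTERNET,OU=GROUPS,DC=EXAMPLE,DC=LOCAL  Workstation: PC-021
IP: 10.0.0.22  User: BOB  Groups: CN=STAFF,OU=GROUPS,DC=EXAMPLE,DC=LOCAL  Workstation: PC-022
"""

LOGON_RE = re.compile(
    r"IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>.*?)\s+Workstation:"
)

def parse_logons(text):
    """Return {USER: [(ip, groups_string), ...]} for every logon line found."""
    logons = {}
    for line in text.splitlines():
        m = LOGON_RE.search(line)
        if m:
            logons.setdefault(m["user"].upper(), []).append((m["ip"], m["groups"]))
    return logons

def check_users(text, users, group_dn):
    """Classify each user as 'ok', 'wrong-group' or 'not-listed'.

    'not-listed'  : no logon was collected, so a group-based policy cannot match.
    'wrong-group' : the logon exists but at least one entry lacks the policy's group.
    """
    logons = parse_logons(text)
    wanted = group_dn.upper()
    result = {}
    for user in users:
        entries = logons.get(user.upper())
        if not entries:
            result[user] = "not-listed"
        elif all(wanted in groups.upper() for _, groups in entries):
            result[user] = "ok"
        else:
            result[user] = "wrong-group"
    return result

if __name__ == "__main__":
    blocked_group = "CN=NO-INTERNET,OU=GROUPS,DC=EXAMPLE,DC=LOCAL"  # hypothetical group
    for user, state in check_users(SAMPLE_LOGONS, ["alice", "bob", "dave"], blocked_group).items():
        print(f"{user:8} {state}")
```
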

AntonyChen
New Contributor III

That's right, AD polling mode takes high resources on the firewall if your site has a lot of concurrent users. Using fsso-agent mode is recommended.
