FW policy based on AD Group

helenio_sartori · ‎10-12-2021

I'd like to configure a FW policy that is based on a users that belong to particular AD Group.

I Installed FSSO Agent to poll our domain DC and on Fortigate FW (ver 6.4.7) I configured the Endpoint/Identity to connect to FSSO Agent.

I also configured LDAP server to be able to gather the Groups Names from our LDAP Server.

In "User & Authentication" Menu I created a goup which is based on "Fortinet Single Sign-On (FSSO)" and I selected one of the AD group fetched from FSSO.

At the END I simply added the Group to a rule in the source

It looks like that the policy doesn't recognize my user to be part of the Group selected.

Is there something else I have to enable to be able to use AD Group on policy ?

Where the user to Group membership is done at FW level (Is a Table somewhere) ?

How can I debug why the user is not part of the group defined in the FW ?

supportombm · ‎10-14-2021

I dont understand what's the problem,

Is this policy ignored or not working?

BTW you can troubleshoot with this CLI Command:

"diagnose test authserver ldap <LDAP server_name> <username> <password>"

With this you can authenticate the user and check what it returns

You can troubleshoot the results with these commands too:

FGT# diagnose debug enable FGT# diagnose debug application fnbamd 255
FGT# diagnose debug application fnbamd 0

FGT# diag test authserver ldap AD_LDAP user1 password

https://kb.fortinet.com/k....do?externalID=FD46419