Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

FW policy based on AD Group

I'd like to configure a FW policy that is based on a users that belong to particular AD Group.


I Installed FSSO Agent to poll our domain DC and on Fortigate FW (ver 6.4.7) I configured the Endpoint/Identity to connect to FSSO Agent.


I also configured LDAP server to be able to gather the Groups Names from our LDAP Server.

In "User & Authentication" Menu I created a goup which is based on "Fortinet Single Sign-On (FSSO)" and I selected one of the AD group fetched from FSSO.


At the END I simply added the Group to a rule in the source



It looks like that the policy doesn't recognize my user to be part of the Group selected.


Is there something else I have to enable to be able to use AD Group on policy ?

Where the user to Group membership is done at FW level (Is a Table somewhere) ?


How can I debug why the user is not part of the group defined in the FW ?



New Contributor III

I dont understand what's the problem, 

Is this policy ignored or not working?


BTW you can troubleshoot with this CLI Command:

"diagnose test authserver ldap <LDAP server_name> <username> <password>"

With this you can authenticate the user and check what it returns

You can troubleshoot the results with these commands too:

FGT# diagnose debug enable FGT# diagnose debug application fnbamd 255
FGT# diagnose debug application fnbamd 0
FGT# diag test authserver ldap AD_LDAP user1 password