Firewall policy per AD user

lrazmadze · ‎07-02-2024

Hello, I want to create specific access rule per one user from AD

While selecting source, and user, I get error

One address, address group, external resource or Internet service is required

as read a solution, I have to select "all" address object, but I have question, if I select all, will it affect on all users, or it will work on a single user written under "all" ?

jintrah_FTNT · ‎07-02-2024

Hi,

It works for the single user (accessing from any source IP included by adding address object "all").

best regards,

Jin

lrazmadze · ‎07-02-2024

when I try to configure policies, I select "all" address object, specific user added from Remote LDAP users, but all traffic goes to the below policy and not matching on that policy, where I have user in source.

what can I do further?

ebilcari · ‎07-02-2024

Policies with Accept action will take precedence over policies that have users specified. More details are shown in this article here.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

sw2090 · ‎07-02-2024

to use AD Users or AD UserGroups in Policies you must have a working AD Fabric connector and an FSSO CollectorAgent on every Domaincontroller.

This is needed to read the Structure of the AD to provide users and groups (Fabric connector) and to poll AD Logon events (CollectorAgent) because that is the only way to determine the currently logged in user on a machine in AD.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

hbac · ‎07-02-2024

Hi @lrazmadze,

To use AD group in firewall policies, you need to configure FSSO. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-FSSO-in-DC-Agent-mode/ta-p/25299...

Regards,

Firewall policy per AD user

Nominate a Forum Post for Knowledge Article Creation