lrazmadze
New Contributor

Firewall policy per AD user

Hello, I want to create a specific access rule for one user from AD.

 

While selecting the source and user, I get an error:

 

One address, address group, external resource or Internet service is required
 
As I read in a solution, I have to select the "all" address object, but I have a question: if I select "all", will it affect all users, or will it work only for the single user listed under "all"?
 
 
jintrah_FTNT
Staff

Hi,

 

It works for the single user (accessing from any source IP included by adding address object "all").

 

best regards,

Jin

lrazmadze
New Contributor

When I try to configure policies, I select the "all" address object and a specific user added from Remote LDAP users, but all traffic goes to the policy below and does not match the policy where I have the user in the source.

 

What can I do further?

 


ebilcari

Policies with Accept action will take precedence over policies that have users specified. More details are shown in this article here.

- Emirjon
sw2090
SuperUser

To use AD users or AD user groups in policies, you must have a working AD Fabric connector and an FSSO Collector Agent on every domain controller.

This is needed to read the structure of the AD to provide users and groups (Fabric connector) and to poll AD logon events (Collector Agent), because that is the only way to determine the currently logged-in user on a machine in AD.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

hbac
Staff

Hi @lrazmadze,

 

To use an AD group in firewall policies, you need to configure FSSO. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-FSSO-in-DC-Agent-mode/ta-p/25299...

 

Regards, 
