New Contributor

Fortinet FSSO and Cisco ISE pxGrid


We are running Cisco SDA/DNA on our infrastructure and a FortiGate as our firewall.


Got the Cisco ISE and FortiManager pxGrid working with no problem, but before I got the pxGrid connector I had the Fortinet FSSO DC agent on our DCs and an FSSO server sending the logon event to the FortiGate so I could create user-based policies.

But now I have a problem, as I can see that the FSSO entry on the FortiGate uses the IP address as the unique ID, and e.g. my IP gets the pxGrid "tag group" and then the FSSO server overrides the "tag group" with another, so the policies I created with the pxGrid groups don't get hit.

Can I only have 1 FSSO entry? So only pxGrid or FSSO agent (was thinking about buying FortiAuthenticator for the FortiClient agent), but if I can only have 1 FSSO entry there's no need.

That's an issue for me because I would like to use pxGrid to allow/deny traffic to specific Cisco SGT groups and would also like to use AD groups for policies.

Hope you can help me clarify this issue.




Hi @mmjo


Have you configured the pxGrid connector on FortiManager? Please refer to


The FSSO agent gets group information from the DC and sends it to FortiGate. If you are using the pxGrid connector and not using the FSSO agent anymore, you can remove it.



New Contributor

Yeah I know, but my question was if I could use both? Right now I only get the pxGrid group in the logs, and not the user, so all my logs for a pxGrid network are from the same FSSO user.

And now I'm not able to make user-based policies with AD groups.
