I have 4 groups created in AD (All my AD users are member of 1 of these) and each one is member of a FSSO group on the Fortigate

Each one has a specific web filter rule (flow-based / SSL inspection) assigned to it

What options are you speaking of ?

What I don't understand is why a non-domain user using a non-domain computer is recognized as a domain user by the webfilter... note that he is never asked to enter any credentials at any time He is logged with his local username

and to be clear, it has happened to other people (no relationship between them) as well

Thank you !

This option is available via the CLI or if you are using a FortiManager, the advanced options section. From the CLI run

config firewall policy

edit <policyId>

set fsso enable

end

If this option is set to disabled (default setting) it will ignore FSSO users and groups. Your guests are not authenticated to your AD. They are simply being allowed on the rule because the groups assigned to the rule are being ignored.

Hope that helps.

d

Thanks for your input. I've double checked my settings and fsso is ENABLED (check the full config below)

I still don't get why some guests, while browsing, get the block page (as they are not part of any group) and why  they are identified on the FG as a specific user (always the same by the way) that is a member of the "No Access" AD Group used in one of the policy...

I used %%USERNAME%% on the block page to check and it returns always the same user If I remove this user from the AD group linked to the FG profile, the guest can then has full access to all websites

Again, thanks for your help.

- Fabien

Here is the full config of one of the policy

policyid : 13

uuid : 794ceca8-5d42-51e5-afda-ef6d1c329723

srcintf:

 == [ internal1 ]

 name: internal1

dstintf:

 == [ wan1 ]

 name: wan1

srcaddr:

 == [ all ]

 name: all

dstaddr:

 == [ all ]

 name: all

rtp-nat : disable 

action : accept 

status : enable 

schedule : always 

schedule-timeout : disable 

service:

 == [ ALL ]

 name: ALL

utm-status : enable 

logtraffic : utm 

logtraffic-start : disable 

capture-packet : disable 

auto-asic-offload : enable 

wanopt : disable 

webcache : disable 

session-ttl : 0

vlan-cos-fwd : 255

vlan-cos-rev : 255

wccp : disable 

ntlm : disable 

ntlm-guest : disable 

ntlm-enabled-browsers:

fsso : enable 

rsso : disable 

fsso-agent-for-ntlm : 

groups:

 == [ BASIC_FILTERING ]

 name: BASIC_FILTERING

users:

devices:

auth-path : disable 

disclaimer : disable 

natip : 0.0.0.0 0.0.0.0

match-vip : disable 

diffserv-forward : disable 

diffserv-reverse : disable 

tcp-mss-sender : 0

tcp-mss-receiver : 0

comments : 

auth-cert : 

auth-redirect-addr : 

identity-based-route: 

block-notification : disable 

custom-log-fields:

tags:

replacemsg-override-group: 

srcaddr-negate : disable 

dstaddr-negate : disable 

service-negate : disable 

timeout-send-rst : disable 

delay-tcp-npu-session: disable 

profile-type : single 

av-profile : 

webfilter-profile : Basic_Filtering 

spamfilter-profile : 

dlp-sensor : 

ips-sensor : 

application-list : 

voip-profile : 

icap-profile : 

profile-protocol-options: default 

ssl-ssh-profile : certificate-inspection 

traffic-shaper : 

traffic-shaper-reverse: 

per-ip-shaper : 

nat : enable 

permit-any-host : disable 

permit-stun-host : disable 

fixedport : disable 

ippool : disable 

central-nat : disable 

redirect-url : 

Can you check the logs and see what rule is blocking the user? What are you using to get the AD information? Do you have a FortiAuthenticator or just using the software installed on the Domain Controllers? Either way, the list of users identified should show up in the Monitor - Firewall Users. Have a guest connect and search for the IP address to see if they are in this list.

Regards

D