adsl_jalawiah
New Contributor

Integrating AD Users to FortiGate

Dear All,

We purchased a FortiGate-100D UTM device. I am looking to configure the device. I will be using this device mainly for web filtering along with the other UTM functions like AV, IPS, Firewall etc.

Our Scenario

We are running a Windows network, with a Domain Controller (DC) and an Additional Domain Controller (ADC). We have around 60 client computers.

Requirement

I am trying to get the list of all users from the DC to appear in the FG device. I understand that, for this, I need to configure FSSO.

FSSO

Installed the Collector Agent on a PC running Windows 7, and then pushed the DC Agent to the ADC. I chose not to push the Agent to the DC. After the DC Agent installation was initialized, I was prompted for the IP address of the Collector Agent. I provided the IP address of the PC on which the Collector Agent was installed. In the DC Agent, I have selected the DC Agent option and not the polling option.

Now when I look at the logged-in users in the Collector Agent, I can see only a few users logged in, say around 6 or 7. What does this mean? Will it only display the users who logged in after the DC Agent was installed?

Web Filtering

How can I do web filtering based on groups? I want some groups to have full access, some to have restricted access and some groups with no access. But the groups should be populated with the names from AD.

Can anyone help me?

Thanks
AJ
Thanks & Regards ------------------------------ AJ Save Tree! Save Earth
pmcginnis
New Contributor

You are right, it will only show the users that it is told logged in. They would have to log out and log back in, and they should be authenticated correctly.

As for the groups: under User > Single Sign-On > FSSO Agent, if you expand the tree you will see the groups available from your FSSO Agent (to add groups and such, you do that with the Collector software). You then have to create a Fortinet group that contains the group from the FSSO. To do this: User > User Group > User Group, Create New, give it a name (I named mine the same as the groups from the FSSO), click the Fortinet Single Sign-On radio button, and the Available Members box will then show the groups from the FSSO Collector that it got from AD. Move the desired member to the Members area. For instance, we have Teachers and Students here; I will make 2 user groups, one called Teachers with member MASE/Teachers and another called Students with member MASE/Students.

After you have made your groups, you then have to set up the UTM profiles. Go to UTM Profiles > Web Filter > Profile; I made 2 web filter profiles called Teachers and Students and put whatever settings I wanted into them.

After the profiles are made, you then have to apply them to your firewall policy, lol. To do this go to Policy > Policy. idk what policies you may have, but I have 1 policy; I'd recommend that you do Create New... nevermind, just do Create New: Source Interface: wan1, Source Address: all, Dest Interface: internal, Dest Address: all, Service: any. Then check the check box that says Enable Identity Based Policy. A new thing will appear; check the Fortinet Single Sign-On box and then click Add. This is where you connect the user groups that have been made to the web policies, so for Students I do User Group: Students, Service: any, Schedule: always, and then I check the check box that says UTM. At least for me, you have to be using IE for it to show the stuff here; idk why it won't work in Chrome.

Then check Enable Web Filter and then pick Students, click OK, and then repeat for the Teachers. Then click OK for the new policy. Now you will have 2 policies in your policy list. Just in case I messed up, all I did was right click on the old one and disable it; that way, if something went wrong, all I would have to do is enable it.
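The same build-out expressed in the FortiGate CLI, as an added example that is not part of the reply above and not taken from Fortinet's documentation. It assumes FortiOS 5.2+-style syntax where the user groups and web filter profile sit directly on the firewall policy (on 5.0 firmware the GUI's "Enable Identity Based Policy" checkbox from the reply corresponds to a nested identity-based-policy table instead, so check the CLI reference for your release). It also assumes the Collector Agent runs in its Standard mode, which is why the member names take the DOMAIN/Group form MASE/Teachers and MASE/Students seen in the reply, and that browsing clients enter on internal and leave on wan1, the direction a web filtering policy for outbound traffic normally matches. The address 192.0.2.10, the password, the NoInternet group, and the CATEGORY-ID placeholder are hypothetical; the example goes one step beyond the reply by also covering the "no access" group from the question with a deny policy placed ahead of the accept policies.

```fortios
# Collector Agent definition (User > Single Sign-On in the GUI).
# 192.0.2.10 and the password are placeholders: use the Collector Agent PC's
# real address and the password set in the Collector Agent itself.
config user fsso
    edit "collector-agent"
        set server "192.0.2.10"
        set password "CHANGE-ME-PLACEHOLDER"
    next
end

# FortiGate user groups wrapping the AD groups the Collector Agent reports.
# Member names must match exactly what the Collector Agent shows
# (MASE/Teachers and MASE/Students come from the reply; NoInternet is hypothetical).
config user group
    edit "Teachers"
        set group-type fsso-service
        set member "MASE/Teachers"
    next
    edit "Students"
        set group-type fsso-service
        set member "MASE/Students"
    next
    edit "NoInternet"
        set group-type fsso-service
        set member "MASE/NoInternet"
    next
end

# Web filter profiles (UTM Profiles > Web Filter > Profile in the GUI).
# "Teachers" keeps the defaults (full access); "Students" blocks one FortiGuard
# category. CATEGORY-ID is a placeholder: read the numeric IDs from your own
# unit rather than guessing them.
config webfilter profile
    edit "Teachers"
    next
    edit "Students"
        config ftgd-wf
            config filters
                edit 1
                    set category CATEGORY-ID
                    set action block
                next
            end
        end
    next
end

# Firewall policies, one per group. Policies match top-down, so the deny for
# the no-access group comes first; each accept policy carries its own profile.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set groups "NoInternet"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Students"
        set utm-status enable
        set webfilter-profile "Students"
        set profile-protocol-options "default"
        set nat enable
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Teachers"
        set utm-status enable
        set webfilter-profile "Teachers"
        set profile-protocol-options "default"
        set nat enable
    next
end
```

Two checks worth doing after entering this: `diagnose debug authd fsso list` on the FortiGate shows which user-to-IP mappings the Collector Agent has pushed, which is the quickest way to confirm the reply's point that only logons seen after the DC Agent was installed appear, and a user who belongs to none of the three groups will match none of these policies, so leave an explicit final policy (accept or deny) for that case rather than relying on the implicit deny by accident.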