Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek_OLD
New Contributor

LDAP Connected but I cannot assign in Firewall any AD groups

Hi,

I have added my AD LDAP server and it has the status "connected". Now I would like to create a firewall policy with AD user groups as the source, but I do not have any group from AD listed here. How could I troubleshoot this?

Alivo__FTNT

Hello, Thank you.

There is nothing in adgrp, which is the reason you do not see anything in the policy in regards to the AD groups. That needs to be fixed. I suggest editing the fabric connector you have for polling > select Edit Groups > on the panel showing your AD groups, right-click on the desired group and select Add. Hit OK.

Then "sh us adgrp" should show you the LDAP groups.

Best Regards,

Alivo


Tutek_OLD

But I already did this and selected my two groups in the agentless poller configuration:

but after confirming with OK, then OK again, when I enter the configuration again I have Users/Groups = 0.

Alivo__FTNT

Hello Tutek,

Thank you. It is a bug in FortiOS 6.4.5. I could reproduce it.

It should show the selected groups after clicking on OK but it does not.

As soon as you click OK again, for example, the adgrp table is deleted.

A workaround might be: 1. Select the groups again, click OK and don't configure the groups again.

In "sh us adgrp" the groups should be present.

2. use CLI to configure the groups:

(Example with my ad groups)


config user fsso-polling
    edit 1
        config adgrp
            edit "CN=Administrators,CN=Builtin,DC=alivo,DC=com"
            next
            edit "CN=users,CN=Builtin,DC=alivo,DC=com"
            next
        end
    next
end


Then check the policy. Any edit of the FSSO polling fabric connector will likely remove these groups again. 3. Use agent-based FSSO.


Best Regards,

Alivo

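The CLI workaround above carried through to a policy that can actually use the polled group, as an added example that is not from this thread or from Fortinet's own documentation. The group DN, interface names, entry number and the user-group/policy names are assumed placeholders; replace them with your own.

```fortios
# Added example, not from the thread. Placeholders: fsso-polling entry 1,
# the AD group DN, LAN interface port17 and WAN interface wan1.
config user fsso-polling
    edit 1
        config adgrp
            edit "CN=Domain Users,CN=Users,DC=example,DC=com"
            next
        end
    next
end

# A firewall policy cannot reference the adgrp entry directly: wrap the
# polled AD group in a user group of type fsso-service first.
config user group
    edit "FSSO_Domain_Users"
        set group-type fsso-service
        set member "CN=Domain Users,CN=Users,DC=example,DC=com"
    next
end

# Policy that only allows the wrapped AD group out to the internet.
# "edit 0" lets FortiOS pick the next free policy ID.
config firewall policy
    edit 0
        set name "LAN_to_Internet_Domain_Users"
        set srcintf "port17"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "FSSO_Domain_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Verification: both tables should list the DN. On 6.4.5, re-opening the
# polling fabric connector in the GUI can empty adgrp again (the bug above),
# so re-run the first check after any GUI edit of that connector.
show user adgrp
show user group FSSO_Domain_Users
```

If "show user adgrp" comes back empty after the GUI was touched, re-apply only the first block; the user group and policy survive because they reference the DN by name.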

Tutek_OLD

When I try to edit "config user fsso-polling", I see that I have adgrp configured here:

so why can't I see it in my firewall policies?

Alivo__FTNT

Hello Tutek,


What is the source interface in the policy?

Best Regards,

Alivo


Tutek_OLD

You mean firewall policy?

I would like to set internet access only for the AD group "Domain Users":

Source interface is my port17 (LAN).

Source is (all), then I click + to add my Domain Users group, then click "Users" in Select Entry, and I don't have any of my AD groups here.

Alivo__FTNT

Hello Tutek,

I suggest opening a support ticket.

Best Regards,

Alivo


ATammam
New Contributor

I have the same problem and I cannot find a solution!
