Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
clarkg
New Contributor

Created on ‎05-13-2013 07:13 AM

New groups created in AD not showing up in fortigate

I have 2 3600c' s in an active-active setup with firmware v5.0,build6216 (GA), and am also using vdom' s. I have noticed recently that when I create new groups in AD (global security groups or universal security groups) they are not showing up in my User & Device/User/ User Group/available members, under my fortinet single sign on. I have attached a pic of where I am talking about. I have a ticket with support open for this, but was just curious if anyone has seen an issue like this before and how you fixed it. We rebooted both fortigates this weekend, because we were testing a new backup generator. I have also rebooted the FSSO agent, and the server that it is on, to no avail.
Preview file
93 KB
20022
0 Kudos
27 REPLIES 27
rwpatterson
Valued Contributor III
In response to Anne

Created on ‎05-15-2013 05:02 PM

ORIGINAL: Anne To my knowledge, the new groups you create in your AD do not automatically show up on the User & Device/User/ User Group/available members on the Fortigate. Those users need to generate a logon event which is passed onto Fortigate which populates the member List. Make sure that you logon your Domain with the new user accounts, followed by using " execute fsso refresh" and other debug commands mentioned above. Thanks Anne
The GROUPS are what' s not showing up. As a test, I created a group and then added it to my FSAE/FSSO allow filter. It showed up on my FGT about 60-90 seconds later. I just kept hitting the refresh icon on the ' User > Directory Service > Directory Service' window.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
2073
0 Kudos
clarkg
New Contributor
In response to rwpatterson

Created on ‎05-15-2013 06:03 PM

As a test, I created a group and then added it to my FSAE/FSSO allow filter
Ok, maybe I am missing someting. Sorry, I never setup the FSSO agent on the server, my network admin did that. Can someone show me where the fsso allow filter is. And which groups I would want to add to the allow filter? Do I just want to add any groups that I have a user identity policy for?
2073
0 Kudos
rwpatterson
Valued Contributor III
In response to clarkg

Created on ‎05-15-2013 09:24 PM

See the picture. And yes, choose only the groups that the Fortigate needs to know about.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Preview file
200 KB
2073
0 Kudos
clarkg
New Contributor
In response to rwpatterson

Created on ‎05-16-2013 06:21 AM

but if i dont put anything in the group filters, it should show all the groups?
2073
0 Kudos
rwpatterson
Valued Contributor III
In response to clarkg

Created on ‎05-16-2013 07:33 AM

ORIGINAL: clarkg but if i dont put anything in the group filters, it should show all the groups?
That is correct. Are you sure the authentication is happening? Never mind that last question. You see the users from the CLI. I' m at a loss why the GUI shows no groups but the users appear in the CLI list. Try removing one of the FGT units (as a test) and see if the FSSO behaves any differently. I have seen issues with A-A configurations in the (not too recent) past.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
2074
0 Kudos
romanr
Valued Contributor
In response to rwpatterson

Created on ‎05-23-2013 12:18 AM

Hi, now I got the exact same case on a 300C running 5.0.2 - Just one new group not being visible! Was there any output fro your support case Clark? best regards, Roman
2074
0 Kudos
clarkg
New Contributor
In response to romanr

Created on ‎05-23-2013 05:46 AM

Hi, now I got the exact same case on a 300C running 5.0.2 - Just one new group not being visible! Was there any output fro your support case Clark? best regards, Roman
No resolution yet, but I do have a tech working on it. My guess is its a bug in 5.0.2, cause I never had any issues with this before that update. That' s just conjecture though.
2074
0 Kudos
techguy
New Contributor
In response to rwpatterson

Created on ‎08-20-2013 04:07 PM

I don' t know if this will help anyone, but here' s what I figured out as I' ve been having a similar issue for quite a while and I' m still on the 4.3 code train. FSSO has a built-in limit of how many groups the firewall will support. On a 600C, that limit is a combined total of 1024 AD groups. That limit probably varies based on model. In my case, I had 4 domains providing a grand total of 1024 groups. Using the group filter, I was able to get my new groups to show up. In hindsight, I' m pretty sure this is why it' s recommend to implement the group filtering of the collector agent.
2074
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.