clarkg
New Contributor

New groups created in AD not showing up in fortigate

I have 2 3600c's in an active-active setup with firmware v5.0,build6216 (GA), and am also using vdom's. I have noticed recently that when I create new groups in AD (global security groups or universal security groups) they are not showing up in my User & Device/User/User Group/available members, under my Fortinet single sign on. I have attached a pic of where I am talking about. I have a ticket with support open for this, but was just curious if anyone has seen an issue like this before and how you fixed it. We rebooted both FortiGates this weekend, because we were testing a new backup generator. I have also rebooted the FSSO agent, and the server that it is on, to no avail.
romanr
Valued Contributor

Hi, if AD groups don't show up instantly I often use the following CLI command to refresh the groups available in the FortiGate: diag debug auth fsso refresh-groups. With diag debug auth fsso list you will get the logged-in users with their available groups. It is recommended to use the "Group Filter" feature on the FSSO agent to only show the used groups to the FortiGate! Maybe it is not included there! br, Roman
clarkg
New Contributor

The tech that was webex'ed in last week did run those commands, but that didn't do anything. I created the group a week ago now, so I would think they would have shown up by now.
romanr
Valued Contributor

> I created the group a week ago now, so I would think they would have shown up by now.

Do you have a group filter on the FSSO agent that maybe excludes this group? If it was newly created and has not been added there, then it won't show up - only if you really show all groups to the FGT - which is not best practice, as you send some additional mem&cpu load to your FortiGate. br, Roman
rwpatterson
Valued Contributor III

I had a similar issue I just solved this past weekend. Let me back up a bit... A few weeks past, I was running my 1000As in A-A mode. Internet browsing was spotty and FTP download speed sucked. After whining a bit here on the forums, a couple of members pointed me towards an old post that said that A-A mode has had issues in that respect. I changed my configuration to A-P and life has been great ever since. The problem was that the FSAE agent was still looking at the (now) backup unit for its user groups. It worked because they were cached, but user logins were being reported very slowly if at all. I discovered this last night, and pointed my FSAE agent to the primary unit and that took care of my issues. Perhaps you need to add the second unit under the FSSO Group Filter list (if you are using group filtering). This is where I noticed it was getting its group information from the backup unit. Give it a shot.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

clarkg

I am not currently using group filtering. I don't see a way to specify which FGT unit the FSSO agent looks at. I have it monitoring my DCs, and it says it's seeing them all. On my 3600 cluster, under authentication single sign on, I have the correct primary agent IP listed, and I only have 1 FSSO agent installed anyway.
rwpatterson
Valued Contributor III

If your FGT doesn't need to see all the groups, I would recommend you use the group filtering, and eliminate all the added baggage. Only pass the groups the FGT needs to see. Also helps a bit when debugging via CLI.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

clarkg

> If your FGT doesn't need to see all the groups, I would recommend you use the group filtering, and eliminate all the added baggage. Only pass the groups the FGT needs to see. Also helps a bit when debugging via CLI.

Which groups do I want it to see? Only ones that have a specific user policy applied to them?
romanr
Valued Contributor

Can you do a: diag deb auth fsso list-users and have a look if the group shows up there with a user that belongs to the group? I also remember once having had troubles with group names or DNs that were too long in total... They just didn't show up correctly - maybe this info can also help you ... br, Roman
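The two causes raised in Roman's replies above (a new group missing from the FSSO agent's group filter, and a group DN that is too long) can be checked before touching the FortiGate. The script below is an added example written for this thread, not Fortinet code and not the agent's real filter format; the DNs, the filter list and the 255-character cut-off are constructed or assumed values.

```python
"""Audit an FSSO-style group filter against the AD groups a FortiGate should see.

Added example, not Fortinet code: flags groups that the filter will never
send to the FortiGate and DNs that are unusually long. All values are
constructed or assumed.
"""
import re

# Assumed cut-off: the thread reports trouble with "too long" DNs but gives
# no number, so this is illustrative, not a documented FSSO limit.
MAX_DN_LEN = 255


def normalize_dn(dn: str) -> str:
    """Lower-case and trim each RDN so 'CN=Foo, OU=X' equals 'cn=foo,ou=x'.

    Simplification: AD compares the usual DN attributes case-insensitively;
    escaped commas stay inside their RDN.
    """
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip().lower() for r in rdns)


def audit_group_filter(expected_groups, filter_entries, max_len=MAX_DN_LEN):
    """Return the expected groups the FortiGate will not receive.

    expected_groups: DNs of groups that FortiGate policies reference.
    filter_entries:  DNs in the agent's group filter; an empty filter is
                     treated as 'send all groups', as the thread describes.
    """
    allowed = {normalize_dn(d) for d in filter_entries}
    report = {"missing_from_filter": [], "overlong": []}
    for dn in expected_groups:
        if allowed and normalize_dn(dn) not in allowed:
            report["missing_from_filter"].append(dn)
        if len(dn) > max_len:
            report["overlong"].append(dn)
    return report


# Constructed sample: a filter written before the new group was created.
FILTER = [
    "CN=VPN-Users,OU=Groups,DC=example,DC=local",
    "CN=Web-Allow,OU=Groups,DC=example,DC=local",
]
EXPECTED = [
    "cn=vpn-users, ou=groups, dc=example, dc=local",     # same group, other case
    "CN=New-Proxy-Group,OU=Groups,DC=example,DC=local",  # created last week
    "CN=" + "X" * 260 + ",OU=Groups,DC=example,DC=local",  # pathological DN
]
```

Running `audit_group_filter(EXPECTED, FILTER)` lists the new group and the overlong DN; an empty filter list reports nothing missing, matching the "show all groups" behaviour discussed above.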
clarkg
New Contributor

> Can you do a: diag deb auth fsso list-users and have a look if the group shows up there with a user that belongs to the group? I also remember once having had troubles with group names or DNs that were too long in total... They just didn't show up correctly - maybe this info can also help you ... br, Roman

Ok. When I do that, I see the user and it does show he is a member of the group I created that is not showing up.