clarkg
New Contributor

New groups created in AD not showing up in fortigate

I have 2 3600c's in an active-active setup with firmware v5.0,build6216 (GA), and am also using vdom's. I have noticed recently that when I create new groups in AD (global security groups or universal security groups) they are not showing up in my User & Device/User/ User Group/available members, under my fortinet single sign on. I have attached a pic of where I am talking about. I have a ticket with support open for this, but was just curious if anyone has seen an issue like this before and how you fixed it. We rebooted both fortigates this weekend, because we were testing a new backup generator. I have also rebooted the FSSO agent, and the server that it is on, to no avail.
clarkg
New Contributor

Can you do a: diag deb auth fsso list-users and have a look if the group shows up there with a user, that belongs to the group? I also remember once having had troubles with group names or DNs that were too long in total... They just didn't show up correctly - maybe this info can also help you ... br, Roman
I don't think it's the length, cause I have groups in there that are much longer.
romanr
Valued Contributor

It is recommended to use the group filter in the FSSO agent to only make those groups visible to the Fortigate, which are being used in the firewall! Otherwise you send a lot more information to the firewall, than it needs - which may result in performance loss! br, Roman
romanr
Valued Contributor

hm... and you don't have any special characters on your group name... and this group is also from the same AD group type like the ones that work for you?
clarkg
New Contributor

hm... and you don't have any special characters on your group name... and this group is also from the same AD group type like the ones that work for you?
No special characters. In fact, this morning, I deleted the group, and recreated it with no spaces. And yes, I have many other global and universal security groups that work just fine.
rwpatterson
Valued Contributor III

Perhaps the browser you are using is caching artifacts...since you can see it from the GUI.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

clarkg

Perhaps the browser you are using is caching artifacts...since you can see it from the GUI.
Tried IE, chrome and firefox. Same result in all of them.
rwpatterson
Valued Contributor III

ORIGINAL: clarkg Tried IE, chrome and firefox. Same result in all of them.
Which versions? Check the release notes for your version of code.

V4.3.0 states:
IE 8+
Firefox 3.5+
Chrome is not officially supported.

V4.3.11 states: Supported web browsers
• Microsoft Internet Explorer 8, and 9
• Mozilla FireFox 15.0, and 16.0
Chrome is not officially supported.

V5.0.0 states: Supported web browsers
• Microsoft Internet Explorer 8 and 9
• Mozilla FireFox 15.0 and 16.0
• Google Chrome 22.0

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

clarkg

V5.0.0 states: Supported web browsers • Microsoft Internet Explorer 8 and 9 • Mozilla FireFox 15.0 and 16.0 • Google Chrome 22.0
Hmmm. Well, I was on IE 10, Firefox 21 and Chrome 26. I reverted to IE9, and still same error.
romanr
Valued Contributor

I don't have any further clue. Hope you soon get a good result with your support case. Please keep us updated on this trouble!! br, Roman
Anne
New Contributor III

To my knowledge, the new groups you create in your AD do not automatically show up on the User & Device/User/ User Group/available members on the Fortigate. Those users need to generate a logon event which is passed onto Fortigate which populates the member List. Make sure that you logon your Domain with the new user accounts, followed by using "execute fsso refresh" and other debug commands mentioned above. Thanks Anne