clarkg
New Contributor

New groups created in AD not showing up in fortigate

I have two 3600Cs in an active-active setup with firmware v5.0, build6216 (GA), and am also using VDOMs. I have noticed recently that when I create new groups in AD (global security groups or universal security groups) they are not showing up in my User & Device/User/User Group/available members, under my Fortinet Single Sign-On. I have attached a pic of where I am talking about. I have a ticket with support open for this, but was just curious if anyone has seen an issue like this before and how you fixed it. We rebooted both FortiGates this weekend, because we were testing a new backup generator. I have also rebooted the FSSO agent, and the server that it is on, to no avail.
rwpatterson
Valued Contributor III

ORIGINAL: Anne To my knowledge, the new groups you create in your AD do not automatically show up on the User & Device/User/User Group/available members on the FortiGate. Those users need to generate a logon event which is passed on to the FortiGate, which populates the member list. Make sure that you log on to your domain with the new user accounts, followed by using "execute fsso refresh" and the other debug commands mentioned above. Thanks, Anne
The GROUPS are what's not showing up. As a test, I created a group and then added it to my FSAE/FSSO allow filter. It showed up on my FGT about 60-90 seconds later. I just kept hitting the refresh icon on the 'User > Directory Service > Directory Service' window.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

clarkg

As a test, I created a group and then added it to my FSAE/FSSO allow filter
OK, maybe I am missing something. Sorry, I never set up the FSSO agent on the server; my network admin did that. Can someone show me where the FSSO allow filter is, and which groups I would want to add to the allow filter? Do I just want to add any groups that I have a user identity policy for?
rwpatterson
Valued Contributor III

See the picture. And yes, choose only the groups that the FortiGate needs to know about.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

clarkg

But if I don't put anything in the group filters, it should show all the groups?
rwpatterson
Valued Contributor III

ORIGINAL: clarkg But if I don't put anything in the group filters, it should show all the groups?
That is correct. Are you sure the authentication is happening? Never mind that last question. You see the users from the CLI. I'm at a loss why the GUI shows no groups but the users appear in the CLI list. Try removing one of the FGT units (as a test) and see if the FSSO behaves any differently. I have seen issues with A-A configurations in the (not too recent) past.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

romanr
Valued Contributor

Hi, now I have the exact same case on a 300C running 5.0.2 - just one new group not being visible! Was there any output from your support case, Clark? Best regards, Roman
clarkg
New Contributor

ORIGINAL: romanr Hi, now I have the exact same case on a 300C running 5.0.2 - just one new group not being visible! Was there any output from your support case, Clark? Best regards, Roman
No resolution yet, but I do have a tech working on it. My guess is it's a bug in 5.0.2, because I never had any issues with this before that update. That's just conjecture, though.
techguy

I don't know if this will help anyone, but here's what I figured out, as I've been having a similar issue for quite a while and I'm still on the 4.3 code train. FSSO has a built-in limit on how many groups the firewall will support. On a 600C, that limit is a combined total of 1024 AD groups. That limit probably varies based on model. In my case, I had 4 domains providing a grand total of 1024 groups. Using the group filter, I was able to get my new groups to show up. In hindsight, I'm pretty sure this is why it's recommended to implement the group filtering of the collector agent.
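The post above points at a combined per-model cap on the groups a FortiGate will hold from FSSO, and the earlier replies say the units do see the logons from the CLI. The script below is an added example written for this thread, not code from Fortinet or from any poster: it takes the text of the FSSO logon listing, counts the distinct group DNs the unit has learned (the cap is a combined total across all domains, so it also breaks the count down per domain), flags when that count is at or past a limit you pass in, and shows which of those groups a collector-agent group filter would keep. The input format is assumed to be one logon per line with `Groups:` DNs joined by `+`, modelled on `diagnose debug authd fsso list`; the sample lines, the domain names, the user names and the 1024 limit are constructed for the example, so check the real output of your unit against the regex before relying on it.

```python
"""Count distinct AD groups learned from FSSO logons and compare against a per-model limit.

Added example for this thread; not Fortinet code and not from any poster.
The input format is assumed (modelled on 'diagnose debug authd fsso list');
every line in SAMPLE_OUTPUT is constructed, not captured from a real unit.
"""
import re
from collections import Counter

# Constructed sample listing. Assumed layout: one logon per line, group DNs joined by '+'.
SAMPLE_OUTPUT = """\
----FSSO logons----
IP: 10.1.2.10  User: ALICE  Groups: CN=Domain Users,CN=Users,DC=corp,DC=example+CN=VPN-Users,OU=Groups,DC=corp,DC=example  Workstation: WS-ALICE
IP: 10.1.2.11  User: BOB  Groups: CN=Domain Users,CN=Users,DC=corp,DC=example+CN=Finance,OU=Groups,DC=corp,DC=example  Workstation: WS-BOB
IP: 10.2.0.5  User: CAROL  Groups: CN=Domain Users,CN=Users,DC=lab,DC=example+CN=Finance,OU=Groups,DC=corp,DC=example  Workstation: WS-CAROL
Total number of logons listed: 3, filtered: 0
----end of FSSO logons----
"""

# Assumed line shape; adjust if your firmware prints the fields differently.
LOGON_RE = re.compile(r"^IP:\s*(\S+)\s+User:\s*(\S+)\s+Groups:\s*(.*?)\s+Workstation:", re.M)


def parse_logons(text):
    """Return a list of (ip, user, [group DN, ...]) tuples, one per logon line."""
    return [(ip, user, groups.split("+")) for ip, user, groups in LOGON_RE.findall(text)]


def domain_of(group_dn):
    """Rebuild the DNS domain name from the DC= components of a group DN."""
    return ".".join(re.findall(r"DC=([^,]+)", group_dn, re.I)).lower()


def group_census(text):
    """Distinct group DNs the unit has learned, plus a per-domain count of them."""
    seen = set()
    for _ip, _user, groups in parse_logons(text):
        seen.update(g.strip() for g in groups if g.strip())
    per_domain = Counter(domain_of(g) for g in seen)
    return seen, per_domain


def at_or_over_limit(text, limit):
    """True when the distinct group count has reached the model's combined FSSO group limit.

    At the limit, a newly created AD group has no slot left, which is the symptom
    described in the thread: users appear in the CLI but the new group never does.
    """
    seen, _ = group_census(text)
    return len(seen) >= limit


def filter_keeps(text, allowed):
    """Group DNs that would survive a collector-agent group filter listing only 'allowed'.

    Filtering to the groups actually referenced by identity policies is how the
    thread got new groups to show up once the limit had been hit.
    """
    seen, _ = group_census(text)
    return sorted(g for g in seen if g in allowed)


if __name__ == "__main__":
    LIMIT = 1024  # constructed; the thread reports 1024 on a 600C and says it varies by model
    seen, per_domain = group_census(SAMPLE_OUTPUT)
    print(f"{len(seen)} distinct groups learned (limit {LIMIT})")
    for domain, count in sorted(per_domain.items()):
        print(f"  {domain}: {count}")
    if at_or_over_limit(SAMPLE_OUTPUT, LIMIT):
        print("At or over the group limit: apply a collector-agent group filter")
    policy_groups = {"CN=Finance,OU=Groups,DC=corp,DC=example"}
    print("Groups a filter on the policy groups would keep:", filter_keeps(SAMPLE_OUTPUT, policy_groups))
```

On a real unit, paste the output of the logon listing into the script in place of `SAMPLE_OUTPUT` and set `LIMIT` to the figure support gives for your model; if the distinct count is close to the limit, trimming the collector-agent group filter to the groups your identity policies actually reference is the check worth doing before chasing an HA or firmware cause.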