Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mikaellorenzo12
New Contributor

Policy not working on connected Zentyal LDAP server

We already connected the AD of Zentyal server using the LDAP, but the policy is not working for the users. We use FSSO client for the connection but the fsso client can't see the logged on users.

 

Can someone help me? Thanks!.

5 REPLIES 5
xsilver_FTNT
Staff
Staff

Hi,

how about some more complete config overview or config snippets?

It's completely unclear if your policy is normal firewall or explicit proxy policy. If group you have mentioned is LDAP or FSSO type. And also what is supposed to be authenticated with that group.

 

If it's FSSO, then you need connection first to get authenticated somewhere where SSO Agent or Collector can spot and process logon and create respective FSSO user record on collector and push it to connected FortiGates.

So if group is FSSO then you should have users in 'diag debug auth fsso list' and as fsso type in 'diag fire auth list'. If you do not have FSSO users, then there is problem in SSO setup.

 

If you use those groups in any active auth for VPN or WLC then those can not be SSO.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

mikaellorenzo12

i can see my DC so my fortigate and AD server are connected, but i cant see who is logged on. I only do in my fortigate is LDAP connection and i follow all tutorial online, i don't know why i can't see the users who logged in

xsilver_FTNT

If you do have just one DC 192.168.3.13 then I would guess that you do not audit successful logons on DC.

If you do have more than this one DC 192.168.3.13 handling your domain and you run in DCAgent mode as presence of agent suggests, then you need DCAgents installed on all the DC servers.

If you do  ping -4 -n 2 %logonserver:~2%  from your workstation then you should see IP of the DC used by workstation for login verification. So if you do see 192.168.3.13 then logon server was chosen OK and you should see user logon data also in Windows Security Event log. If you do not see any logon event, then audit is disabled.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

mikaellorenzo12

I have 2 DC but i turned off the other DC so i'm working with 1 DC now, and i can ping my logon server using the command you gave. BTW i'm using Zentyal, a linux based server so i think i can't install DCagent in my DC

xsilver_FTNT

wait a sec, that Zentyal is somehow emulating/doing DC job ?

If that is your domain controller, not a Microsoft Server, then I guess it also do not generate correct/expected logon events and so we have nothing to work with in FSSO.

FSSO with polling or in DCAgent mode is built to work with Microsoft Servers and list of compatible ones is part of FortiOS Release Notes compatibility/interoperability section. Anything else might work but is not tested, not guaranteed and not supported solution.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors