Hi all,
I'm having some problems with configuring some policies using webfiltering, on a Fortigate 300E with 7.0.12 firmware version.
I already configured webfiltering and, if I apply it to a "simple" policy (source x destination y) it works good.
Now I have to make it work using LDAP users.
To do this, I added an LDAP server, then I added a user group "Test" that I linked at the security group "Test" (LDAP is working fine, I found it in the list so it is working correctly). .
Then I added the user group to the policy and... the policy gets skipped by the users part of that group.
How can I solve this issue?
Thank you in advance, let me know if it's enough.
Thank you!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello
Please check by running below command
diagnose test authserver ldap LDAP_SERVER user1 password
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Fortigate-LDAP/ta-p/196280
Created on 10-24-2023 06:58 AM Edited on 10-24-2023 07:33 AM
Hi, I did the test with success, the user can authenticate without problems.
The customer asked to use sso, which was already configured.
So I checked sso configuration and it is good. Then I tried to add the SSO group into the policy, and the result is the same.
Thank you
Hi @InfoAzi,
For local users behind the FortiGate, if you want to use LDAP groups, you need to configure FSSO. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-FSSO-in-DC-Agent-mode/ta-p/25299...
Regards,
Hi @hbac ,
I was just saying in the last reply that it was configured. SSO agent is installed on the AD Server and the FSSO Agent on Windows AD Connector is configured on the Fortigate. It already shows the AD Groups.
There are also the FSSO groups in the user groups field, and I tried to put them into the policy. The result is the same, if I add them, the policy gets skipped. Instead, without them it works..
Thank you for your reply!
Do you see users under "Show Logon Users" of the FSSO agent? On the FortiGate, do you see users listed if you run this command "diagnose debug authd fsso list"? FSSO agent needs to send user's information/IP address to the FortiGate first.
Regard,
Hi @InfoAzi ,
Did you find any solution for this ?
I have an identical issues, running with FSSO agenten, and using FSSO groups defined at the firewall.
I have security group blocking "online storage" named "AD-FW-Block-Storage"
The rule have been placed multiple places in the policy but looks like it keeps using the Network as source, and newer consider the ad group.
The firewall can see users are logged in at the firewall with "diagnose debug authd fsso list" .
Did you find any solution ?
Hi @EyponeDK,
Can you try moving the policy with "AD-FW-Block-Storage" group to the top of the list? You can also check forward traffic logs to see which policy it is matching.
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1094 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.