Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
InfoAzi
New Contributor

Problems with webfiltering applied on security groups

Hi all,

I'm having some problems with configuring some policies using webfiltering, on a Fortigate 300E with 7.0.12 firmware version.

I already configured webfiltering and, if I apply it to a "simple" policy (source x destination y) it works good.

Now I have to make it work using LDAP users.

To do this, I added an LDAP server, then I added a user group "Test" that I linked at the security group "Test" (LDAP is working fine, I found it in the list so it is working correctly). .

Then I added the user group to the policy and... the policy gets skipped by the users part of that group.

How can I solve this issue?

Thank you in advance, let me know if it's enough.

Thank you!

7 REPLIES 7
smayank
Staff
Staff

Hello 

 Please check by running below command

diagnose test authserver ldap LDAP_SERVER user1 password

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Fortigate-LDAP/ta-p/196280

InfoAzi

Hi, I did the test with success, the user can authenticate without problems.

The customer asked to use sso, which was already configured.

So I checked sso configuration and it is good. Then I tried to add the SSO group into the policy, and the result is the same.

Thank you

hbac
Staff
Staff

Hi @InfoAzi,

 

For local users behind the FortiGate, if you want to use LDAP groups, you need to configure FSSO. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-FSSO-in-DC-Agent-mode/ta-p/25299...

 

Regards, 

InfoAzi
New Contributor

Hi @hbac ,

I was just saying in the last reply that it was configured. SSO agent is installed on the AD Server and the FSSO Agent on Windows AD Connector is configured on the Fortigate. It already shows the AD Groups. 

There are also the FSSO groups in the user groups field, and I tried to put them into the policy. The result is the same, if I add them, the policy gets skipped. Instead, without them it works..

Thank you for your reply!

hbac

@InfoAzi,

 

Do you see users under "Show Logon Users" of the FSSO agent? On the FortiGate, do you see users listed if you run this command "diagnose debug authd fsso list"? FSSO agent needs to send user's information/IP address to the FortiGate first. 

 

Regard,

EyponeDK
New Contributor

Hi @InfoAzi ,
Did you find any solution for this ? 

I have an identical issues, running with FSSO agenten, and using FSSO groups defined at the firewall.

I have security group blocking "online storage" named "AD-FW-Block-Storage"
The rule have been placed multiple places in the policy but looks like it keeps using the Network as source, and newer consider the ad group.
The firewall can see users are logged in at the firewall with "diagnose debug authd fsso list" .

 

Did you find any solution ?

hbac

Hi @EyponeDK,

 

Can you try moving the policy with "AD-FW-Block-Storage" group to the top of the list? You can also check forward traffic logs to see which policy it is matching. 

 

Regards, 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors