1 Solution
Hey Fred,
welcome to the Fortinet Community :).
Not the easiest topic you're diving into from the very start, I hope I can break it down a bit for you and provide the tools so you can implement a setup that suits your environment.
To start off:
- FortiGate can match users to different policies based on AD Group membership, as you already found
- for this to work, the FortiGate has to know which users are currently logged in and what IPs they are associated with
-> this can happen through things like explicit/transparent proxy, captive portal, VPN, or FSSO
- In a company with an exisisting AD infrastructure, FSSO usually integrates quite seamlessly
- FSSO works by reading user login events from domain controller in some manner (there are a few different methods) and then adding those users and the workstation/IP they are associated with to its logged-on user list
-> there is an LDAP lookup involved to get group information
-> policies can then be matched based on that group information
Here's a forum thread discussing basically the same: https://community.fortinet.com/t5/Fortinet-Forum/First-time-setup-putting-AD-Usernames-Groups-into-W...
As a fairly straightforward FSSO setup, you could do the following:
1. set up a Collector Agent on a domain controller, and configure it to poll the relevant domain controllers (pretty good guide here: https://www.fortinetguru.com/2019/05/configuring-the-fsso-collector-agent-for-windows-ad-2/)
2. Set up FortiGate to connect to the Collector Agent (https://docs.fortinet.com/document/fortigate/6.4.9/administration-guide/460616/fortinet-single-sign-...)
You should start seeing users under Dashboard > Users&Devices > Firewall Users (if you toggle FSSO on).
If you don't see any groups, do the following:
- go to Users & Authentication > User Groups, and create a new user group (of type FSSO)
- you should have some groups you can add to the firewall group object
- the groups you can add are the filter groups set in the FSSO connector
You can then use these group objects in policies to ensure users match into the correct policies and webfilter profiles :)
As a tip: Set up FSSO and groups and everything, but don't add to policies yet. That way you can already see user information, but if anything is misconfigured or missing it won't have any impact. You can check that you have all the user and group information present and there are no issues or unexpected missing users (or logins getting replaced by service accounts for example) and once you're sure the user information is good, then you can add it to the policies to enforce the desired webfilter profiles.
Let us know if anything is still unclear.
Hey Fred,
welcome to the Fortinet Community :).
Not the easiest topic you're diving into from the very start, I hope I can break it down a bit for you and provide the tools so you can implement a setup that suits your environment.
To start off:
- FortiGate can match users to different policies based on AD Group membership, as you already found
- for this to work, the FortiGate has to know which users are currently logged in and what IPs they are associated with
-> this can happen through things like explicit/transparent proxy, captive portal, VPN, or FSSO
- In a company with an exisisting AD infrastructure, FSSO usually integrates quite seamlessly
- FSSO works by reading user login events from domain controller in some manner (there are a few different methods) and then adding those users and the workstation/IP they are associated with to its logged-on user list
-> there is an LDAP lookup involved to get group information
-> policies can then be matched based on that group information
Here's a forum thread discussing basically the same: https://community.fortinet.com/t5/Fortinet-Forum/First-time-setup-putting-AD-Usernames-Groups-into-W...
As a fairly straightforward FSSO setup, you could do the following:
1. set up a Collector Agent on a domain controller, and configure it to poll the relevant domain controllers (pretty good guide here: https://www.fortinetguru.com/2019/05/configuring-the-fsso-collector-agent-for-windows-ad-2/)
2. Set up FortiGate to connect to the Collector Agent (https://docs.fortinet.com/document/fortigate/6.4.9/administration-guide/460616/fortinet-single-sign-...)
You should start seeing users under Dashboard > Users&Devices > Firewall Users (if you toggle FSSO on).
If you don't see any groups, do the following:
- go to Users & Authentication > User Groups, and create a new user group (of type FSSO)
- you should have some groups you can add to the firewall group object
- the groups you can add are the filter groups set in the FSSO connector
You can then use these group objects in policies to ensure users match into the correct policies and webfilter profiles :)
As a tip: Set up FSSO and groups and everything, but don't add to policies yet. That way you can already see user information, but if anything is misconfigured or missing it won't have any impact. You can check that you have all the user and group information present and there are no issues or unexpected missing users (or logins getting replaced by service accounts for example) and once you're sure the user information is good, then you can add it to the policies to enforce the desired webfilter profiles.
Let us know if anything is still unclear.
