gcarvalho
New Contributor III

Using AD Group in Firewall Policies

Hello Everyone,

I have installed the FSSO Agent and DC Agent on a Domain Controller following the guide below, except for the Working Mode in the DC Agent, where I have set "Polling Mode" instead of DC Agent Mode.

After the configuration, I can see all the AD Groups in the FortiGate. So, I added the group "Domain Users" to the rule to access the Internet, but when I did that all users lost internet access.

To test, I created a user group with the Firewall Type, mapping it with the Domain Users' group in the External Group option, selecting the configured LDAP Server. With this group in the policy, it works.

Does anyone know why the group retrieved directly from the AD (FSSO Agent) didn't work, but the mapped local user group works? Could the working mode I have set for the DC Agent be the problem?

Cheers,
Gui
Anthony_E
Community Manager

Hello,

Thanks a lot for your contribution to the Community.

May I suggest that you have a look at our Knowledge Base, under this section:

https://community.fortinet.com/t5/FortiGate/tkb-p/TKB20?pageNum=1

You will find articles concerning FortiGate.

If you do not find any answers, do not hesitate to come back to us; we will find somebody to help you.

Regards,

Anthony-Fortinet Community Team.


Debbie_FTNT
Staff

Hey gcarvalho,

In principle, you should be able to use the AD groups in policies outright starting somewhere in 6.2. There were a few reported issues of this not working at all times, however.

Can you let us know the following?

- what firmware version is your FortiGate?

- are you using the AD groups in regular policies, or proxy policies?

-> I've come across a few instances of the AD groups not working in proxy policies when they work just fine in regular policies

Thanks!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

gcarvalho
New Contributor III

Just to share with the community, I changed the Working Mode to Agent instead of Polling. I also changed the policy mode from Proxy to Flow-based. After that, I was able to use the AD groups in the policies with success.

Cheers,
Gui