Was hoping for some advice regarding filtering specific AD user groups using an SSO group I have created.
This is what I have done so far - Set up a collector agent which is hooked up to AD and it talking with the Fortigate. Here I can view all the logins and filter by IP address. Have created the SSO user Group on the fortigate and when I run command 'diagnose debug authd fsso list' I can see the SSO logins from the AD group that is selected.
The problem comes when i am trying to filter outbound http traffic for this specific SSO group.... In IPv4 policies I edit the outbound http rule for the correct source/destination interfaces however when I try and select the SSO group as the Source and 'ALL' as the destination, I get the error 'One address or address group is requried'. I dont really want to add another address group as these are being dealt with in other polices? Is there any way around this?
The other thing is when I run the 'diagnose debug authd fsso list' I see the SSO logins but under filtered it shows 0.
Any help/ideas/thoughts would be greatly appreciated!
I don't know any workaround for your problem, you cannot leave the address group field empty, but we have a similar situation within a citrix environment. The way I solve this is to create seperate rules for the different SSO Groups. Source is "citrix address group" "sso user group 1, 2, 3, ..., X", destination is WAN. And the last policy below all others is: source "citrix Address group" "sso group All Users". -> I used an AD Group, where all our AD Users are member of. So every AD user that doesn't belong to any of the upper AD Groups, belogs automatically to the last policy rule. So you can specify seperate Webfilters, Ports, destinations for one or more special SSO groups and all the rest belongs to the "all users" rule.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.