Support Forum
freelander6
New Contributor

Web filtering for specific AD groups using SSO

Hi All, 

Was hoping for some advice regarding filtering specific AD user groups using an SSO group I have created.

This is what I have done so far - set up a collector agent which is hooked up to AD and is talking with the FortiGate. Here I can view all the logins and filter by IP address. Have created the SSO user group on the FortiGate and when I run the command 'diagnose debug authd fsso list' I can see the SSO logins from the AD group that is selected.

The problem comes when I am trying to filter outbound HTTP traffic for this specific SSO group... In IPv4 policies I edit the outbound HTTP rule for the correct source/destination interfaces, however when I try and select the SSO group as the Source and 'ALL' as the destination, I get the error 'One address or address group is required'. I don't really want to add another address group as these are being dealt with in other policies? Is there any way around this?

The other thing is when I run 'diagnose debug authd fsso list' I see the SSO logins but under filtered it shows 0.

 

Any help/ideas/thoughts would be greatly appreciated! 

Lorac78
New Contributor

Hi freelander,

I don't know any workaround for your problem, you cannot leave the address group field empty, but we have a similar situation within a Citrix environment. The way I solve this is to create separate rules for the different SSO groups. Source is "citrix address group" "sso user group 1, 2, 3, ..., X", destination is WAN. And the last policy below all others is: source "citrix Address group" "sso group All Users". -> I used an AD group where all our AD users are members. So every AD user that doesn't belong to any of the upper AD groups automatically belongs to the last policy rule. So you can specify separate web filters, ports, destinations for one or more special SSO groups and all the rest belongs to the "all users" rule.
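The layout Lorac78 describes, written out as FortiOS CLI. This is an added example, not configuration from either poster; the interface names, the "LAN_subnet" address object, the AD group DNs and the "marketing-webfilter" profile are assumptions, and the collector agent and its FSSO server entry are assumed to be configured already.

```fortios
# FSSO user groups; members are AD groups learned from the collector agent
# (assumed DNs)
config user group
    edit "SSO_Marketing"
        set group-type fsso-service
        set member "CN=Marketing,OU=Groups,DC=example,DC=com"
    next
    edit "SSO_All_Users"
        set group-type fsso-service
        set member "CN=Domain Users,CN=Users,DC=example,DC=com"
    next
end

# Each policy still needs a source address (here the assumed "LAN_subnet"
# object); the FSSO group under "groups" does the actual user selection
config firewall policy
    # Specific policy: only members of the Marketing AD group match it
    edit 10
        set name "Web_Marketing"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set groups "SSO_Marketing"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "marketing-webfilter"
        set nat enable
    next
    # Catch-all: every other authenticated AD user lands here
    edit 20
        set name "Web_All_Users"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set groups "SSO_All_Users"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set nat enable
    next
end
```

Policies are matched top-down, so the catch-all must sit below the specific one in the policy table; the policy ID alone does not guarantee that order, so use `move 20 after 10` inside `config firewall policy` if it was created first.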
