Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rict
New Contributor

"User" in logs?

Simple question, but after several months with this new Fortinet Firewall/IPS system, I'm still trying to get some basic issues solved... I've got the "User" field selected in my log view on both the FortiGate & FortiAnalyzer, but all I get is "N/A". How do I get the system to show what User is associated with a traffic log entry?

rict
rwpatterson
Valued Contributor III

I believe that only gets populated when using FSSO/FSAE. If you don't use that, it may not work as desired.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
TopJimmy
New Contributor

Not just FSSO/FSAE, but LDAP and RADIUS work as well. We use LDAP for outbound internet authentication (using an Identity Policy) and RADIUS (for 2-factor token use) for SSLVPN inbound traffic. Both will show the actual username in the logs when it relates to that specific traffic.
-TJ
rict
New Contributor

TopJimmy, could you give me some info on how to set that up using LDAP? We already have LDAP set up on the FortiGate (User > Remote > LDAP), but we're not getting any "user" info... I've looked at both the FSSO and LDAP documentation, but I don't find it very clear at all.

rict
TopJimmy
New Contributor

Here is the quick and dirty, boiled down to 3 steps. There are more, but Fortinet wrote a good guide on user auth so I'll keep mine to just 3 steps. ;-)

One thing to note first: We firewall traffic to various interfaces but we only require authentication to the Internet. Traffic to the internet will show the username but traffic to other interfaces will not. I still use IPs to track those.

1.) In your FGT, go to User > Remote > LDAP and create the settings for your LDAP server. I've got 4 of 5 listed in mine... each used for a different WinAD box. We used to use Novell so I had a few in there too and they worked fine. Give it a name, point it to the LDAP server name or IP and port, and then some other basic LDAP info is required: CN Identifier, DN, etc. If your LDAP is open, you can do an anonymous bind or a simple bind. Ours is closed and requires a username/password/CA Cert to connect, so you need those too. The username has to be in Fully Qualified notation and the CA cert needs to be installed in the CA section under System > Certificates. Once it's working properly you should be able to click on Test and then the folder icon next to DN and walk the tree. If you can't, then you have settings wrong and need to keep at it until it works. See example below.

2.) Create a Group (Users > Group) pointing to the "Remote" server. This is pretty easy until you start messing with Groups in your LDAP. Then, for me, since I'm not an LDAP/AD expert, I got it working via the trial-and-error method. Again, more example below.

3.) The final step is creating an Identity Based Policy (Policy > Policy) and pointing it to the Group you just created. See below.

LDAP Server: [screenshot]
Group: [screenshot]
Policy: [screenshot]

If you do SSL VPN and want to use LDAP to auth, you do the same steps, but under Group you check the Allow SSL-VPN Access and select the SSLVPN portal you hopefully already built.
-TJ
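The three GUI steps above, expressed as FortiOS CLI configuration. This is an added example, not TopJimmy's configuration or Fortinet's documentation: the server address, bind account, base DN, group DN, interface and object names are placeholders I made up, and the policy syntax is the current FortiOS form (where the user group is attached directly to the firewall policy with `set groups`) rather than the older "Identity Based Policy" sub-policy the post's GUI path refers to. The two `diagnose` commands at the end are the checks I would run before expecting the "User" column to fill in: the first proves the bind and user lookup work, the second shows which source IPs the FortiGate currently has an authenticated user for. Only sessions that matched this policy (and therefore went through authentication) will carry a username in the traffic log; traffic allowed by other policies still logs N/A, which is the behaviour TopJimmy describes for his non-Internet interfaces.

```text
# --- Step 1: LDAP server (GUI: User > Remote > LDAP) ---
# Placeholder values: 10.0.0.10, dc=example,dc=com and the svc-fgt bind
# account are constructed for this example.
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set port 636
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        # "regular" = authenticated bind with a service account
        # (the post's "Fully Qualified" bind username).
        set type regular
        set username "cn=svc-fgt,ou=Service Accounts,dc=example,dc=com"
        set password "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
        # LDAPS, trusted via a CA certificate imported under
        # System > Certificates (name assumed here).
        set secure ldaps
        set ca-cert "CA_Cert_1"
    next
end

# --- Step 2: user group pointing at the remote server (GUI: User > Group) ---
# The match block restricts membership to one AD group; drop it to accept
# any user the LDAP server authenticates.
config user group
    edit "LDAP-Internet-Users"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=Internet Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# --- Step 3: firewall policy that requires the group (GUI: Policy > Policy) ---
# Interface names are placeholders. "set groups" is what turns this into an
# authenticated policy; "logtraffic all" makes every matched session log,
# and those logs are the ones that carry the username.
config firewall policy
    edit 10
        set name "LAN-to-Internet-Authenticated"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "LDAP-Internet-Users"
        set logtraffic all
        set nat enable
    next
end

# --- Checks ---
# Bind to the server and authenticate one test user (the CLI equivalent of
# the GUI "Test" button plus a real credential check):
#   diagnose test authserver ldap AD-LDAP testuser 'TestUserPassword'
# List the source IPs the FortiGate currently maps to an authenticated user;
# a session from an IP that is not in this list will log "N/A":
#   diagnose firewall auth list
```

Lines beginning with `#` are ignored when the block is pasted into the CLI, so the comments can stay in. If the `diagnose test authserver` call fails, fix the LDAP object first; nothing downstream (group membership, policy match, the log field) will work until that bind succeeds.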
rict
New Contributor

TopJimmy, thanks for that! I did read through the "User Authentication" Handbook, but it didn't say anything about needing an "Identity Based Policy" for general "user identification" in the logs. That definitely makes sense for your purposes. But it sounds like you're using the policy for a slightly different purpose than what we need; for us, we're probably going to need to use the FSSO/FSAE function. As soon as I get the other, more critical logging problems we're having with the Fortinet systems worked out, this function is one that I could certainly use.