Support Forum
Ali_Jassim
New Contributor III

v5.2.6,build711 (GA ) SSO_Guest_Users - traffic not match

Greetings to you

When I moved to 5.2.6 I faced this problem! Users not in the domain are supposed to appear as guests.

I configured FSSO (the agent is installed in Active Directory). I can see users who are on the domain, and that is fine, but I can't see users who are not in the domain, and I want to control them by policy. As far as I know, in version 5.0.6 I could control non-domain users by adding this command to the policy:

set ntlm enable

When I put the policy SSO_Guest_Users at the top with a source address of, for example, 10.10.10.1/32 (one PC)

and another policy below it with source address (all), it will not match the first policy; it will match the second policy! And this is not what I want.

See this.

And this is the config of the SSO_Guest_Users policy:

policyid            : 7
uuid                : d6a1767e-d945-51e5-e2f6-26829bd4b44e
srcintf:     == [ port16 ]     name: port16
dstintf:     == [ virtual-wan-link ]     name: virtual-wan-link
srcaddr:     == [ PC_TEST_ ]     name: PC_TEST_
dstaddr:     == [ all ]     name: all
rtp-nat             : disable
action              : accept
status              : enable
schedule            : always
schedule-timeout    : disable
service:     == [ ALL ]     name: ALL
utm-status          : enable
logtraffic          : utm
logtraffic-start    : disable
capture-packet      : disable
auto-asic-offload   : enable
wanopt              : disable
webcache            : disable
session-ttl         : 0
vlan-cos-fwd        : 255
vlan-cos-rev        : 255
wccp                : disable
ntlm                : enable
ntlm-guest          : enable
ntlm-enabled-browsers:
fsso                : enable
rsso                : disable
fsso-agent-for-ntlm :
groups:     == [ SSO_Guest_Users ]     name: SSO_Guest_Users
users:
devices:
auth-path           : disable
disclaimer          : disable
natip               : 0.0.0.0 0.0.0.0
match-vip           : disable
diffserv-forward    : disable
diffserv-reverse    : disable
tcp-mss-sender      : 0
tcp-mss-receiver    : 0
comments            :
auth-cert           :
auth-redirect-addr  :
identity-based-route:
block-notification  : disable
custom-log-fields:
tags:
replacemsg-override-group:
srcaddr-negate      : disable
dstaddr-negate      : disable
service-negate      : disable
timeout-send-rst    : disable
profile-type        : single
av-profile          :
webfilter-profile   : INTERNET LIMITED ACCESS USERS
spamfilter-profile  :
dlp-sensor          :
ips-sensor          :
application-list    : Block-social
voip-profile        :
icap-profile        :
profile-protocol-options: default
ssl-ssh-profile     : certificate-inspection
traffic-shaper      :
traffic-shaper-reverse:
per-ip-shaper       :
nat                 : enable
permit-any-host     : disable
permit-stun-host    : disable
fixedport           : disable
ippool              : disable
central-nat         : disable
redirect-url        :

Anyway, one guy advised me to type this command in the last policy (all):

        set srcaddr-negate enable

When I put in this command it prevents others from accessing the internet!!!!

Could you please help me! Sometimes I hate FortiGate :(

5 REPLIES
hnmr
New Contributor III

After you have issued the command

set srcaddr-negate enable

you must change the source to PC_TEST_ in the same policy.

It would mean: everything but PC_TEST_.

BR

Hermann Maurer

Ali_Jassim
New Contributor III

Dear Hermann Maurer,

Thank you for your reply, but could you tell me: if I have another subnet that I don't want to be affected by FSSO,

for example subnet 10.10.10.0/24 is used for FSSO, and I don't want subnet 10.20.20.0/24 to be affected by FSSO (I mean I want that subnet to access the internet without requesting authentication), how can I make this work?

hnmr
New Contributor III

You can find the answer to your question in this KB article:

http://kb.fortinet.com/kb....do?externalID=FD36095
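As an added illustration (not configuration taken from the thread or from the linked KB article), here is how the two pieces of advice in this thread look side by side in FortiOS 5.2 CLI: hnmr's catch-all rewritten as "everything but PC_TEST_" with srcaddr-negate, and a separate exemption policy for the 10.20.20.0/24 subnet Ali asks about, which carries no groups, ntlm or fsso settings and therefore never asks for authentication. Interface names (port16, virtual-wan-link), the PC_TEST_ address and policy 7 come from the policy dump above; the address name LAN_NO_AUTH and policy IDs 8 and 9 are assumed here. Policies are evaluated top-down, so the exemption and guest policies must sit above the catch-all; the move commands at the end take care of that.

```text
# Address object for the exempt subnet (name LAN_NO_AUTH is assumed; PC_TEST_ already exists)
config firewall address
    edit "LAN_NO_AUTH"
        set subnet 10.20.20.0 255.255.255.0
    next
end

config firewall policy
    # 1. Exempt subnet: no groups, no ntlm, no fsso, so no authentication is requested
    edit 9
        set srcintf "port16"
        set dstintf "virtual-wan-link"
        set srcaddr "LAN_NO_AUTH"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # 2. The SSO_Guest_Users policy from the original post, unchanged
    edit 7
        set srcintf "port16"
        set dstintf "virtual-wan-link"
        set srcaddr "PC_TEST_"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ntlm enable
        set ntlm-guest enable
        set fsso enable
        set groups "SSO_Guest_Users"
        set nat enable
    next
    # 3. Catch-all as hnmr describes it: srcaddr PC_TEST_ plus negate = everything but PC_TEST_
    #    (with srcaddr still "all" and negate enabled, the policy matches nothing, which is
    #    why Ali's first attempt cut off everyone else's internet access)
    edit 8
        set srcintf "port16"
        set dstintf "virtual-wan-link"
        set srcaddr "PC_TEST_"
        set srcaddr-negate enable
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Matching is top-down: exemption first, guest policy second, negated catch-all last
    move 9 before 7
    move 7 before 8
end
```

Note that this only shows the policy layout being discussed. Whether a non-domain host in PC_TEST_ that never authenticates is held in policy 7 or falls through to the catch-all is exactly the point g_fonte raises below: the negate applies to the source address, not to the user group.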

Ali_Jassim
New Contributor III

Dear Hermann Maurer

I already did the same, but it does not work for me! Did you test that?

g_fonte
New Contributor

This will not resolve the issue, as the negate function focuses on the srcaddr and not on the user groups.

The only way to resolve this would be if it were possible to set the negate on groups, or on the device not being part of any group.

Example:

set groups-negate enable

set nogroups-negate enable

But this would certainly need to go in a feature request, and who knows when it would be released.
