Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mes-Lili2
New Contributor III

Created on ‎09-22-2023 04:40 AM

AD Integration

I am looking to add AD users and groups to firewall policies.

Do i need to use FSSO collector agent or can i just set a remote group in "user groups" via LDAP.

Many thanks

Labels:
2230
0 Kudos
21 REPLIES 21
gsekar
Staff
Staff

Created on ‎09-22-2023 04:44 AM

Hi

You can configure remote user group via the LDAP please refer the below document for configuration .

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-FortiGate-to-use-an-LDAP-...

 

 

1028
Mes-Lili2
New Contributor III
In response to gsekar

Created on ‎09-22-2023 04:47 AM

Thanks for the reply, this shows me how to add user groups into policies but my firewall is only seeing me as an ip address so i need to enable user identification and this is what i need advice on. thanks again..

1023
0 Kudos
Mes-Lili2
New Contributor III
In response to gsekar

Created on ‎09-22-2023 04:50 AM

Perhaps i need to enable the "poll active directory server"

1020
0 Kudos
mle2802
Staff
Staff

Created on ‎09-22-2023 06:28 AM

Hi @Mes-Lili2

As said in the document "Users that have been imported from the LDAP server, can be used to enforce user based policies as permission sets and allow VPN connections", this is use case for VPN policy. In order to have policy based on user, you may want to take a look at FSSO or active directory polling. Please refer to this document for more information "https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/888827/poll-active-directory...

Regards,
Minh

1002
ebilcari
Staff
Staff

Created on ‎09-22-2023 08:17 AM

If you want to do what is called passive authentication, apply policies based on AD user groups without asking the user to authenticate you have to use FSSO. This is explained in the documentation guide. You can configure FGT to poll directly the AD for events or install a collector agent on the AD (better scalability):

polling.PNG

Basically FSSO will tie the user with its IP based on their domain logins events, than the user is tied to a FSSO group that is applied to a policy.

fsso-user.PNGLDAP groups are used for active authentication, users will be prompted to enter their credentials again.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
984
Mes-Lili2
New Contributor III
In response to ebilcari

Created on ‎09-22-2023 08:23 AM

Yes I am now polling the AD server directly but my authentication seems to be failing. I am using UPN as suggested in documentation and testing directly on an AD sever i can authenticate but via tha active directory connector within external connectors it fails. thanks all for your help here..

979
0 Kudos
ebilcari
Staff
Staff
In response to Mes-Lili2

Created on ‎09-22-2023 08:41 AM Edited on ‎09-22-2023 08:44 AM

Is the LDAP server configured correctly? Can you share the output of this command:

diagnose debug fsso-polling detail 1

The local firewall on the server should allow the connection and the user credentials should have privileges to read the events.

I would still suggest to download and use FSSO collector, is free to use and you can get it from the support page

fsso collector.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
974
mle2802
Staff
Staff
In response to Mes-Lili2

Created on ‎09-22-2023 08:44 AM

Hi @Mes-Lili2
For agentless troubleshooting, please refer to this document for more detail "https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-p...

Regards,
Minh

972
Mes-Lili2
New Contributor III
In response to mle2802

Created on ‎09-23-2023 12:55 AM

Thanks all...  

Thus far...debug.png

The LDAP seems ok as we are using it for admin access..

 

Unfortunately DC management is by a different company so will be asking them to check the given credentials on Monday. This also makes the download FSSO not an easy option.

Many thanks to you all. I will of course update soon.

 
 
 

 

 

951
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.