Support Forum
Mes-Lili2
New Contributor III

AD Integration

I am looking to add AD users and groups to firewall policies.

Do I need to use the FSSO collector agent, or can I just set a remote group in "User Groups" via LDAP?

Many thanks

ebilcari

Most probably port 445 is not opened. I found a good article created by one of my colleagues that has some nice troubleshooting steps: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-cannot-connect-to-Active-D...

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Mes-Lili2
New Contributor III

It seems the FortiGate is trying to connect on SMBv1. This is not enabled on our DCs, so I need to force v2. I can only see docs on SSL VPN SMB, so as I trawl away perhaps someone could point me in the right direction...


ebilcari

By default it should be disabled; you can verify it here:

GW (fsso-polling) # show full
config user fsso-polling

set smbv1 disable
set smb-ntlmv1-auth disable

This debug may help:

diag debug application fssod -1
diag debug enable


P.S. Collector agent is still the recommended way of doing this :)

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Mes-Lili2
New Contributor III

Output as below:

end
set smbv1 disable
set smb-ntlmv1-auth disable
next
end


But the DC is still rejecting the SMBv1 attempt.

Yes I am looking into FSSO Agent but polling should work...

TuncayBAS
Contributor II

It is best to use FSSO. Just using LDAP as a local collector in the FortiGate cannot fully manage AD traffic.

But if it uses FSSO, you can easily capture users' group changes and when there is more than one DC, it will be easier for you to manage them via FSSO.

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
Mes-Lili2
New Contributor III

OK, once again many thanks all for the info.

So... I have gone FSSO with the collector, and the collector to AD is working fine, as I can see all logged-in users in the collector logs.


I have set the FSSO client to use the collector and added the LDAP server for groups.


When I go into a policy I can add the group seen by the FSSO, but although I am a member of that group my policy fails. In log forwarding, when the group is not applied, I can see my traffic allowed and my username in the source field... However, I have noticed that it does not include the domainname\username like it does on the collector, so perhaps this is my problem.


If the domain name does not show in the user source, how am I supposed to differentiate between different domains?


Many thanks in advance... and yes, I have downloaded many docs but to no avail.

Mes-Lili2
New Contributor III

OK, got AD groups working by just letting the FSSO agent populate/collect group info... I am now looking for the command to show group membership.

For Palo Alto it is: show user group name <usergroupname>


I am also looking to see how to add individual AD users into policies...

any help much appreciated.

TuncayBAS

diagnose debug authd fsso list

You can see the users coming from FSSO with this command.

To use user groups in rules: "User & Authentication -> User Group -> Create New"

You select FSSO as your type and become a member of the relevant FSSO group.


Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
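As an added illustration (not code from the thread or from Fortinet), the following script parses the output of `diagnose debug authd fsso list` to answer the two questions raised above: which logged-on users the FortiGate currently places in a given AD group, and which logons arrive without a domain prefix (the symptom described earlier in the thread). The sample output is constructed, and the "IP: ... User: ... Groups: ... Workstation: ... MemberOf: ..." line layout with "+"-separated group DNs is an assumption about the command's format; compare it against your own firewall's output before relying on it.

```python
import re

# Constructed sample modelled on `diagnose debug authd fsso list` output.
# The field layout is assumed; verify it against a real FortiGate.
SAMPLE_FSSO_LIST = """\
----FSSO logons----
IP: 10.10.1.25  User: JDOE  Groups: CN=Sales,OU=Groups,DC=corp,DC=example  Workstation: PC-JDOE  MemberOf: Sales
IP: 10.10.1.31  User: CORP/ASMITH  Groups: CN=IT,OU=Groups,DC=corp,DC=example+CN=Sales,OU=Groups,DC=corp,DC=example  Workstation: PC-ASMITH  MemberOf: IT,Sales
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

# One logon line: IP, user, "+"-joined group DNs, workstation, comma-joined FSSO group names.
LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>\S+)\s+"
    r"Workstation:\s*(?P<workstation>\S+)\s+MemberOf:\s*(?P<memberof>\S*)"
)


def parse_fsso_list(text):
    """Return a list of logon dicts parsed from the command output."""
    logons = []
    for line in text.splitlines():
        match = LOGON_RE.match(line.strip())
        if not match:
            continue  # header, footer and summary lines are skipped
        entry = match.groupdict()
        entry["groups"] = entry["groups"].split("+")
        entry["memberof"] = entry["memberof"].split(",") if entry["memberof"] else []
        logons.append(entry)
    return logons


def users_in_group(logons, group_dn):
    """Users whose FSSO logon carries the given AD group DN (sorted for stable output)."""
    return sorted(entry["user"] for entry in logons if group_dn in entry["groups"])


def logons_without_domain(logons):
    """Users whose logon lacks a DOMAIN/ or DOMAIN\\ prefix, so policies cannot tell domains apart."""
    return [entry["user"] for entry in logons
            if "/" not in entry["user"] and "\\" not in entry["user"]]


if __name__ == "__main__":
    parsed = parse_fsso_list(SAMPLE_FSSO_LIST)
    print(users_in_group(parsed, "CN=Sales,OU=Groups,DC=corp,DC=example"))
    print(logons_without_domain(parsed))
```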
Mes-Lili2
New Contributor III

So can you only have AD groups in policies, but not individual AD usernames?

I can add local users but can't see how to add single domain users.
