If you have three DCs and a lot of groups, have you looked at setting up an FSSO server? You do not need a license for it; just download the agent to run on a Windows server (not a DC) and then install the DC agents. The FSSO server will collect all the necessary data from the DCs and just send the results to the Fortigate. It removes a lot of the overhead from the Fortigate.
This is an older doc but the process is pretty much the same now:
OK, after some thought, I see how this would reduce the number of objects by a factor of 3, since there would be only one External Connector needed for the one AD Connector on the FSSO server.
I guess that an AD User is one connector object and an AD Group is one connector object, no matter how many members are in the Group.
So, this raises a question:
If there are 3 DC Agents each on one of the 3 DCs then can the FSSO Agent on one of them be the only FSSO Agent - instead of on a separate server? You said:
"download the agent to run on a windows server (not a DC)"
Somehow that seems counterintuitive when the DC-resident FSSO Agents have to work anyway; the difference being that they don't have to collect from other DCs? But they seem to! Would that only entail setting up one External Connector on the Fortigate?
The FSSO is a collector server and should not be run on a DC. Once you set up the FSSO collector server, it will install DC Agents on each DC you want to manage to pull the data in. You can pick which DCs to monitor (you will want to do all in your domain). Then in the Fortigate you will use the FSSO connector (not the AD Connector) to have the Fortigate get the FSSO details.
The FSSO agent server just runs as the middleman, collecting the data and sending it to the Fortigate so the firewall doesn't have to process that data.
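To make the distinction in the replies above concrete, here is an added FortiOS CLI example (not from the original posts) of the two connector types side by side: the built-in poller that talks to each DC directly, and the single collector-agent connector that the FSSO server feeds. The IP addresses, names, domain and group DN are constructed placeholders.

```fortios
# --- Option A: built-in poller (one polling entry per DC the FortiGate must query itself) ---
# Constructed placeholder values: 10.0.0.11 is one DC, "ldap-dc1" is an existing LDAP server object.
config user fsso-polling
    edit 1
        set status enable
        set server "10.0.0.11"
        set default-domain "EXAMPLE"
        set user "svc-fsso-poll"
        set password <placeholder>
        set ldap-server "ldap-dc1"
    next
end

# --- Option B: FSSO collector agent (one connector for all DCs; the collector does the work) ---
# Constructed placeholder: 10.0.0.20 is the non-DC Windows server running the collector agent.
# Port 8000 is the collector agent's default listener; the password must match the one set in the agent.
config user fsso
    edit "fsso-collector"
        set server "10.0.0.20"
        set port 8000
        set password <placeholder>
    next
end

# Either way, AD groups are mapped to FortiGate user groups of type fsso-service,
# and a policy references the FortiGate group, not the AD group directly.
# Constructed placeholder DN below.
config user group
    edit "FSSO_Sales"
        set group-type fsso-service
        set member "CN=Sales,OU=Groups,DC=example,DC=com"
    next
end
```

With Option B only the `config user fsso` entry needs to exist on the firewall regardless of how many DCs the collector monitors, which is the object reduction discussed above.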
Would definitely suggest avoiding the built-in FSSO poller (AD Connector), as it has a lot of limitations and is usually used only for test/demo purposes. The FSSO Collector agent, on the other hand, has a wide range of settings and flexibility, and is scalable and robust compared to the local poller. A list of differences can be found here:
@aahmadzada Thank you for the suggestion! I must say that I have been and remain somewhat confused because of all the variation in the terms being used. This question and its replies seem like a good example.
On the Fortigate / External Connectors there appear to be 2 choices in our case today:
FSSO Agent on Windows AD and Poll Active Directory Server. But I don't see "built-in FSSO poller (AD Connector)" as such. Also, it's not clear what "FSSO Collector agent" refers to here... We have installed DC Agents on the DCs and the approach seems to be working...