Mes-Lili2
New Contributor III

Add AD users to firewall policy

Is this possible? The only information I can find states "user groups".

I have this part working by using FSSO for users and groups, but I cannot find a way of adding a policy for one user unless I create a new AD group on my domain and add that group to the policy.

pbangari
Staff
Mes-Lili2
New Contributor III

Nice document, but not much help here, as that is for user authentication. Many thanks.

xshkurti
Staff
Mes-Lili2
New Contributor III

Thanks for that. I did try that yesterday but failed, so I will try to see why.

Mes-Lili2
New Contributor III

I am going to accept https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-allow-traffic-from-specific-LDAP-us... as the solution, as it did answer my question... however, adding a user account from local LDAP groups causes the FSSO agent to search for that user and only displays the first find. Not much use, as it will be an issue for users connecting from multiple devices or VPN, so I am going to stick to FSSO doing groups. I now see multiple entries for myself and will just need to create a new AD group for individual requirements.

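For readers following the accepted approach (referencing a single LDAP-backed user in a firewall policy instead of an AD group), the object chain on the FortiGate looks like the following. This is an added example, not configuration from the original thread or from the linked Technical Tip; the LDAP server name, IP address, bind account, base DN, username "jdoe", interface names and policy name are all constructed placeholders. The policy authenticates the user actively against LDAP, which is the behaviour the poster found did not combine well with the FSSO collector agent; it also binds over LDAPS and logs all traffic so that the authentication and the resulting sessions can be reviewed.

```fortios
# Added example (not from the thread): LDAP server object. All values are placeholders.
config user ldap
    edit "AD-LDAP"
        set server "192.0.2.10"                        # placeholder domain controller IP
        set secure ldaps                               # bind over TLS rather than plaintext LDAP
        set port 636
        set cnid "sAMAccountName"                      # match on the AD logon name
        set dn "dc=example,dc=local"                   # placeholder search base
        set type regular
        set username "cn=svc-fortigate,cn=Users,dc=example,dc=local"   # placeholder bind account
        set password <BIND-PASSWORD-PLACEHOLDER>
    next
end

# A local user object whose credentials are checked against the LDAP server above.
# This is what lets a single AD account be referenced in a policy without a new AD group.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "AD-LDAP"
    next
end

# Firewall policy referencing the user directly via "set users".
config firewall policy
    edit 0
        set name "allow-jdoe-web"                      # placeholder policy name
        set srcintf "internal"                         # placeholder interfaces
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set users "jdoe"                               # single LDAP user, no group required
        set logtraffic all                             # keep a full record of matched sessions
        set nat enable
    next
end
```

After committing, `diagnose firewall auth list` shows which users the FortiGate currently considers authenticated, which is a quick way to confirm whether the match came from this policy's LDAP prompt or from the FSSO agent.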
dbu
Staff

Hi @Mes-Lili2 ,

In addition, run the following debug and try to reproduce the issue so we can find out more about why it is failing:

diag debug console timestamp enable
diag debug app fnbamd -1
diag debug enable


Further troubleshooting: 
Troubleshooting Tip: Fortigate LDAP - Fortinet Community


Regards!

Mes-Lili2
New Contributor III

I am unable to test properly, as the FSSO agent is getting my name-to-IP address mapping as firstname(space)lastname, but Forti LDAP is showing me as firstname(.)lastname, so they are not matching.

Mes-Lili2
New Contributor III

OK, the username from FSSO is the same as LDAP, but it is still not working; nothing shows in the CLI when a web site connection is attempted.

Mes-Lili2
New Contributor III

Also...

When I configure the FSSO agent with user group source "Collector Agent", all of my users are populated and the policy works. But if I use the same setting for the FSSO agent and select an LDAP server and some groups/users, I get this.

[screenshot: fortilist.jpg]