yeowkm99

FSSO group is not showing anything

We noticed that the FSSO group is not showing any members, although it shows there are 20 groups.

My FortiOS is 7.2.7. Is there anything wrong with my FSSO setup? [attachment: FortiGateFSSO.jpg]

AEK

According to the screenshot, I guess you mean LDAP tree navigation (not FSSO).

  • Did this work before the upgrade to 7.2.7?
  • Which LDAP type and version?
  • Have you tried removing the LDAP server config from the FG and putting it back?
  • Did you test user credentials successfully under the LDAP Servers config?
yeowkm99

We upgraded our FortiOS to 7.2.7 at the end of Feb, and since the middle of March we have had users reporting intermittent issues with their Internet connection. [attachment: groups.jpg]

Checking the traffic logs shows that their authentication with AD seems to be failing.

smaruvala

Hi,

 

It shows 20 groups selected but does not show the name of the group, even though there is a green tick mark which indicates the selected group. Can you check if you are seeing the correct configuration in the CLI?

# config user group
# show

 

Regards,

Shiva

yeowkm99

I can see the initial group of 18 in the CLI, which is not showing in the GUI.

We added 2 for testing yesterday, which we can see in the GUI.

Is this related to the FSSO agent in our AD?

smaruvala

Hi,

 

- Maybe reconfiguring the group will solve the issue in which you are not seeing the groups in the GUI. It could be a GUI issue, as we can see the configuration in the CLI.

- As per my understanding, your main issue here is related to Internet communication. You mentioned that the communication to AD is failing. Does the firewall have the IP-to-user-group mapping for the IP which does not work? You can run the command "diag firewall auth list" to see the mapping.

- Does the FSSO agent have the logon event and the information related to the IP and user group?

 

Regards,

Shiva

yeowkm99

I have tried re-adding 3 groups to the list.

The first 3 in the attachment are from the original list; the next 2 are what we have just added.

The firewall does have the IP-to-user-group mapping.

When users have Internet issues, we noticed that the username is missing from the traffic logs. [attachments: adgrp.jpg, Screenshot 2024-03-20 174412.jpg]

bpozdena_FTNT

The ID and Name fields under the Selected LDAP filter are blank because your adgrp names are not in a valid LDAP DN format.

 

For example, "**** FULL ACCESS TELECON" or "****RL NO ACCESS" are not valid LDAP DNs, therefore the ID and Name can't be resolved over LDAP and the fields remain blank.

 

This most likely happened because you at some point decided to switch FSSO User group source from "Collector Agent" to "Local". This used to be called Standard or Advanced mode on FortiOS 5.6 and older.

 

Since your FSSO Collector Agent is still switched to "Standard mode", you should configure the FSSO Fabric Connector to use "Collector Agent" as the User group source again. The group filters will then be configured on your FSSO Collector agent as in the past.

 

You can also read the below KB, which explains it in more detail:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-switch-FSSO-operation-mode-from-Sta...

HTH,
Boris
yeowkm99

Yes, the user group source is now set to Local in the GUI.

I don't see this setting in the CLI.

Is this only available in the GUI?

bpozdena_FTNT

Enabling the "local" option in the GUI just allows you to use the GUI LDAP browser to easily create entries under "config user adgrp". You can create these entries manually in the CLI regardless of the GUI settings.

 

The main problem in your case is that your FSSO Collector is set to "Standard" mode, which uses group names in the format "DOMAIN\GROUP", while your FortiGate is configured in Advanced mode, which uses group names in the format "CN=group,DC=domain".


HTH,
Boris
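To make the two group-name formats Boris describes concrete, here is an added example (my own code, not Fortinet's and not from this thread) that classifies each name under "config user adgrp" as a Standard-mode "DOMAIN\GROUP" name, an Advanced-mode RFC 4514 DN, or neither, and reports the entries that will never match what the Collector Agent sends in a given mode. The "show" output, the EXAMPLE domain, the "fsso_collector" server name and the masked "**** ..." group are all constructed for the example; the DN parser is a minimal one written here, not FortiOS's.

```python
"""Audit FortiGate 'config user adgrp' names against the FSSO Collector Agent mode.

Added example for this thread, not Fortinet code. Everything below is an
assumption made for illustration: the sample 'show' output, the EXAMPLE
domain, the server name and the DN parser itself.
"""
import re

# Attribute type of an RDN: a short descriptor (CN, OU, DC) or a numeric OID.
_ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)$")
# DOMAIN\GROUP: a NetBIOS domain (1-15 chars), a backslash, a group name.
# Assumption: this is the shape a Standard-mode Collector Agent emits.
_NETBIOS_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]{0,14}\\[^\\/:*?"<>|]+$')
# 'edit "<name>"' lines in FortiOS 'show' output (constructed sample below).
_EDIT_RE = re.compile(r'^\s*edit "(.*)"\s*$')


def _rdn(attr, buf):
    """Validate one attribute=value pair collected by parse_dn."""
    value = "".join(buf)
    if attr is None or not _ATTR_RE.match(attr):
        raise ValueError("bad attribute type %r" % (attr,))
    if not value.strip():
        raise ValueError("empty value for %s" % attr)
    return (attr, value)


def parse_dn(text):
    """Split an RFC 4514 string DN into (attribute, value) pairs.

    Handles '\\x' escapes and '\\hh' hex escapes; splits RDNs on unescaped ','
    or '+'. Raises ValueError when the string is not a DN at all.
    """
    rdns, attr, buf, in_attr = [], None, [], True
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == "\\":
            hexpair = text[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf.append(chr(int(hexpair, 16)))
                i += 3
            elif i + 1 < n:
                buf.append(text[i + 1])
                i += 2
            else:
                raise ValueError("dangling escape")
            continue
        if in_attr and c == "=":
            attr, buf, in_attr = "".join(buf).strip(), [], False
        elif not in_attr and c in ",+":
            rdns.append(_rdn(attr, buf))
            attr, buf, in_attr = None, [], True
        else:
            buf.append(c)
        i += 1
    if in_attr:
        raise ValueError("no '=' in RDN")
    rdns.append(_rdn(attr, buf))
    return rdns


def classify(name):
    """'netbios' for DOMAIN\\GROUP, 'dn' for an LDAP DN, else 'unknown'."""
    if _NETBIOS_RE.match(name):
        return "netbios"
    try:
        parse_dn(name)
        return "dn"
    except ValueError:
        return "unknown"


def adgrp_names(show_output):
    """Pull the group names out of 'show user adgrp' style output."""
    return [m.group(1) for m in map(_EDIT_RE.match, show_output.splitlines()) if m]


def audit_adgrp(names, collector_mode):
    """Return (name, classification) for every adgrp whose format cannot match
    what the Collector Agent sends in 'standard' or 'advanced' mode."""
    want = {"standard": "netbios", "advanced": "dn"}[collector_mode.lower()]
    return [(n, classify(n)) for n in names if classify(n) != want]


# Constructed sample, not real FortiGate output. Assumption: the CLI shows the
# name as typed; if your 'show' output doubles backslashes, unescape first.
SAMPLE_SHOW = """\
config user adgrp
    edit "CN=FULL ACCESS TELECON,OU=Groups,DC=example,DC=com"
        set server-name "fsso_collector"
    next
    edit "EXAMPLE\\FULL ACCESS TELECON"
        set server-name "fsso_collector"
    next
    edit "**** FULL ACCESS TELECON"
        set server-name "fsso_collector"
    next
end
"""

if __name__ == "__main__":
    for mode in ("standard", "advanced"):
        print("Collector Agent in %s mode, mismatched adgrp entries:" % mode)
        for name, kind in audit_adgrp(adgrp_names(SAMPLE_SHOW), mode):
            print("  %-55s (%s)" % (name, kind))
```

Run against your own "show user adgrp" output after choosing the Collector Agent mode: anything reported as "unknown" is a name that neither side will ever match, and a "netbios" name on a FortiGate expecting DNs (or the reverse) is exactly the Standard/Advanced mismatch described above.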