Administration Guide

Introduction
- FortiClient, FortiClient EMS, and FortiGate
- Fortinet product support for FortiClient
- Feature comparison of FortiClient standalone and licensed versions
- Endpoint communication security improvement
  - Recommended upgrade path
Getting started
- Getting started with FortiClient
- EMS and endpoint profiles
- Telemetry connection options
- EMS and automatic upgrade of FortiClient
Provisioning preparation
- Installation requirements
- Licensing
- Required services and ports
- Firmware images and tools
- Obtaining FortiClient installation files
Provisioning
- Manually installing FortiClient on computers
- Centralized FortiClient deployment
  - FortiClient EMS
  - Deploying FortiClient using Microsoft AD servers
    - Deploying FortiClient with Microsoft AD
    - Uninstalling FortiClient with Microsoft AD
- Uninstalling FortiClient
- Upgrading FortiClient
- Verifying ports and services and connection between EMS and FortiClient
User details
- Viewing user details
- Retrieving user details from cloud applications
- Adding your phone number and email address manually
- Specifying the user avatar manually
- User Profile notification
Zero Trust Telemetry
- FortiClient Telemetry
- Compliance with EMS and FortiOS
- On-/off-fabric status with EMS
  - Logging to FortiAnalyzer
- Quarantined endpoints
Remote Access
- Configuring VPN connections
  - Configuring an SSL VPN connection
  - Configuring an IPsec VPN connection
- Connecting VPNs
- SAML support for SSL VPN
- Advanced features (Windows)
- Advanced features (macOS)
  - Creating redundant IPsec VPNs
  - Creating priority-based SSL VPN connections
- VPN tunnel and script
  - Windows
  - macOS
- Internal resource lookup with IPv6 enabled on NIC interface
- Standalone VPN client
ZTNA Destination
Malware Protection
- Antivirus
- Cloud Based Malware Protection
- AntiExploit
  - Viewing detected exploit attempts
  - Evaluating the anti-exploit detection feature
- Removable media access
- Antiransomware
- Quarantined files
  - Viewing quarantined files
  - Submitting quarantined files for scanning
Sandbox Detection
- Scanning with FortiSandbox on-demand
- Viewing FortiSandbox scan results
- Using the popup window
Web & Video Filter
- Web browser plugin for HTTPS web filtering
- Viewing violations
- Troubleshooting Web Filter
Application Firewall
Vulnerability Scan
- Scanning on-demand
- Automatically fixing detected vulnerabilities
- Reviewing detected vulnerabilities before fixing
- Manually fixing detected vulnerabilities
- Viewing details about vulnerabilities
- Viewing vulnerability scan history
Notifications
Settings
- System
- Logging
  - Sending logs and Windows host events to FortiAnalyzer or FortiManager
  - Exporting the log file
- VPN options
- Advanced options
- FortiTray
Diagnostic Tool
Forensic analysis
Appendix A - API
- Overview
- API reference
Appendix B - Vulnerability patches
Appendix C - Processes
- FortiClient (Windows) processes
- FortiClient (macOS) processes
Appendix D - CLI commands
- FortiClient (Windows) CLI commands
- FortiClient (macOS) CLI commands
- FortiClient (Linux) CLI commands
Appendix E - VPN autoconnect
- Configuring autoconnect with username and password authentication
- Configuring autoconnect with certificate authentication
Appendix F - SSL VPN prelogon
- SSL VPN prelogon using AD machine certificate
- FortiGate authentication configuration
- FortiGate SSL VPN configuration
- Enabling VPN prelogon in EMS
- Enabling automatic VPN prelogon in EMS
  - Configuring VPN to automatically connect before logon
  - Verifying and troubleshooting
- Troubleshooting the prelogon SSL VPN connection

Home FortiClient 7.2.3 Administration Guide

7.2.3

FortiGate cannot match right group

Assuming that LDAP lookup found the computer on the LDAP directory:

[750] fnbamd_ldap_build_dn_search_req-base:'dc=fortiad,dc=info' filter:(&(userPrincipalName=WIN10-01.fortiad.info)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

…

[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=WIN10-01,CN=Computers,DC=fortiad,DC=info'

Next it searches for the groups that this computer belongs to:

[649] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'

[661] fnbamd_ldap_build_attr_search_req-base:'CN=WIN10-01,CN=Computers,DC=fortiad,DC=info' filter:cn=*

Search returns multiple groups:

[532] __retrieve_group_values- attr='memberOf', found 1 values

[542] __retrieve_group_values-val[0]='CN=VPNComputers,CN=Users,DC=fortiad,DC=info'

…

[472] __get_one_group-group: CN=Domain Computers,CN=Users,DC=fortiad,DC=info

However, group matching fails:

[1074] fnbamd_cert_auth_copy_cert_status-Matched peer user 'PKI-LDAP-Machine'

[833] fnbamd_cert_check_matched_groups-checking group with name 'PKI-Machine-Group'

[903] fnbamd_cert_check_matched_groups-not matched

Verify group-name in the LDAP setting:

config user group
    edit "PKI-Machine-Group"
        set member "LDAP-fortiad-Machine" "PKI-LDAP-Machine"
        config match
            edit 1
                set server-name "LDAP-fortiad-Machine"
                set group-name "CN=VPNComputers,DC=fortiad,DC=info"
            next
        end
    next
end

Since group-name is missing CN=Users, group matching failed.

FortiGate cannot match right group

Assuming that LDAP lookup found the computer on the LDAP directory:

[750] fnbamd_ldap_build_dn_search_req-base:'dc=fortiad,dc=info' filter:(&(userPrincipalName=WIN10-01.fortiad.info)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

…

[1226] __fnbamd_ldap_dn_entry-Get DN 'CN=WIN10-01,CN=Computers,DC=fortiad,DC=info'

Next it searches for the groups that this computer belongs to:

[649] fnbamd_ldap_build_attr_search_req-Adding attr 'memberOf'

[661] fnbamd_ldap_build_attr_search_req-base:'CN=WIN10-01,CN=Computers,DC=fortiad,DC=info' filter:cn=*

Search returns multiple groups:

[532] __retrieve_group_values- attr='memberOf', found 1 values

[542] __retrieve_group_values-val[0]='CN=VPNComputers,CN=Users,DC=fortiad,DC=info'

…

[472] __get_one_group-group: CN=Domain Computers,CN=Users,DC=fortiad,DC=info

However, group matching fails:

[1074] fnbamd_cert_auth_copy_cert_status-Matched peer user 'PKI-LDAP-Machine'

[833] fnbamd_cert_check_matched_groups-checking group with name 'PKI-Machine-Group'

[903] fnbamd_cert_check_matched_groups-not matched

Verify group-name in the LDAP setting:

config user group
    edit "PKI-Machine-Group"
        set member "LDAP-fortiad-Machine" "PKI-LDAP-Machine"
        config match
            edit 1
                set server-name "LDAP-fortiad-Machine"
                set group-name "CN=VPNComputers,DC=fortiad,DC=info"
            next
        end
    next
end

Since group-name is missing CN=Users, group matching failed.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

FortiGate cannot match right group

FortiGate cannot match right group

FortiGate cannot match right group

FortiGate cannot match right group