Use Active Directory objects directly in policy 6.2.1
After Active Directory (AD) groups are retrieved from Active Directory, you can use them in identity-based firewall policies. You no longer need to add remote AD groups to local FSSO groups before using them in firewall policies.
The FortiGate administrator can define how often group information is automatically updated, which allows FortiGate to retrieve the latest information when groups are added or deleted on AD LDAP servers.
For this feature to work, you must set FSSO Collector Agent to Advanced AD access mode, which is not the default setting for FSSO Collector Agent. If FSSO Collector Agent is running in the default Standard mode, FortiGate cannot correctly match users' group membership. Following is an example of the setting:
To configure by using the GUI:
- Create an FSSO connector that automatically retrieves and updates AD user groups:
  - Go to User & Device > LDAP Servers, and click Create New.
  - Set the options, and click OK.
    In this example, a basic LDAP connection over port 389 is configured. If you want to secure the communication over TLS, you must ensure that it is supported by the remote AD LDAP server. Then activate Secure connection, and select the certificate of the Certificate Authority (CA) that issued the AD LDAP server certificate. The value for the port will automatically change to 636, which is the default LDAPS port.
  - Create a Fortinet Single Sign-On Agent:
    - Go to Security Fabric > Fabric Connectors, and click Create New.
    - Under SSO/Identity, click Fortinet Single Sign-On Agent.
    - Click Local to display the needed options.
      When Collector Agent is selected, the needed options are hidden.
    - In the Primary FSSO Agent box, enter the IP address for the FSSO Collector Agent and the correct password for communicating with FSSO Collector Agent.
    - In the LDAP Server list, select AD-ldap server.
    - Complete the Search Filter option.
      The default setting in the Search Filter box retrieves all groups, which also includes default Microsoft system groups. You'll likely want to customize the search filter.
      In this example, the customized Search Filter option is (&(objectClass=group)(cn=group*)), which is configured to retrieve groups group1, group2, ..., but not grp199. Ensure the syntax of a customized Search Filter option is correct, because FortiGate does not check the syntax of LDAP search filters. If the syntax is incorrect, FortiGate won't retrieve any groups.
    - Set the Interval (minutes) option.
      The Interval (minutes) option defines how often FortiGate contacts the remote AD LDAP server to update group information. You can change this option to a more frequent update interval.
    - Click OK.
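Because FortiGate does not validate the LDAP search filter, a typo such as a missing parenthesis silently yields an empty group list, and every identity-based policy that depends on those groups then matches no one. The following Python script is an added example (not part of the Fortinet documentation or FortiOS): a minimal RFC 4515 filter checker that reports syntax errors, plus an evaluator that runs the filter against constructed sample AD group entries, so a customized ldap-poll-filter can be sanity-checked before it is committed. The sample entries, the attribute names, and the helper names (parse_filter, matches, select_groups, check_filter) are all assumptions made for the example; only &, |, !, equality and the * wildcard are supported, which covers the filter shown on this page.

```python
"""Minimal LDAP search-filter checker and matcher (added example, not FortiOS code).

Validates filter syntax, which FortiGate does not do, and evaluates a filter
against constructed sample AD group entries so you can confirm that a
customized ldap-poll-filter selects the groups you expect.
"""
import re


class FilterSyntaxError(ValueError):
    """Raised when the filter text is not a well-formed RFC 4515 filter."""


def parse_filter(text):
    """Parse a filter string into a nested tuple tree.

    Supported forms: (&(...)(...)), (|(...)(...)), (!(...)) and (attr=value),
    where value may contain the * wildcard. Anything else raises FilterSyntaxError.
    """
    pos = 0
    simple = re.compile(r"([A-Za-z][A-Za-z0-9\-]*)=([^()]*)")

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise FilterSyntaxError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise FilterSyntaxError("unexpected end of filter")
        op = text[pos]
        if op in "&|":
            pos += 1
            items = []
            while pos < len(text) and text[pos] == "(":
                items.append(parse())
            if not items:  # the RFC's empty (&) / (|) forms are rejected on purpose here
                raise FilterSyntaxError(f"{op!r} needs at least one sub-filter at offset {pos}")
            node = (op, items)
        elif op == "!":
            pos += 1
            node = ("!", [parse()])
        else:
            m = simple.match(text, pos)
            if not m:
                raise FilterSyntaxError(f"bad attribute=value at offset {pos}")
            pos = m.end()
            node = ("=", m.group(1).lower(), m.group(2))
        expect(")")
        return node

    tree = parse()
    if pos != len(text):
        raise FilterSyntaxError(f"trailing characters at offset {pos}")
    return tree


def _value_matches(pattern, value):
    """LDAP wildcard match: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of lower-case attr -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    attr, pattern = node[1], node[2]
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


# Constructed sample AD entries for the example; not taken from a real directory.
SAMPLE_ENTRIES = [
    {"objectclass": ["top", "group"], "cn": ["group1"]},
    {"objectclass": ["top", "group"], "cn": ["group2"]},
    {"objectclass": ["top", "group"], "cn": ["grp199"]},
    {"objectclass": ["top", "group"], "cn": ["Domain Admins"]},
    {"objectclass": ["top", "person"], "cn": ["group-owner"]},  # a user, not a group
]


def select_groups(filter_text, entries=SAMPLE_ENTRIES):
    """Return the cn of every entry matched by filter_text; raises on bad syntax."""
    tree = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(tree, e)]


def check_filter(filter_text):
    """Return (ok, message) so a broken filter is reported instead of silently matching nothing."""
    try:
        parse_filter(filter_text)
    except FilterSyntaxError as exc:
        return False, str(exc)
    return True, "syntax ok"


if __name__ == "__main__":
    print(select_groups("(&(objectClass=group)(cn=group*))"))  # the filter from this page
    print(select_groups("(objectClass=group)"))  # the default: every group, system groups included
    print(check_filter("(&(objectClass=group)(cn=group*)"))  # one ')' short: rejected, not empty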
To configure by using the CLI:
# The FSSO agent entry name is not given on this page; replace the placeholder below.
config user fsso
    edit "<fsso-agent-name>"
        set server "10.1.100.131"
        set password XXXXXXXXXXXXXX
        set ldap-server "AD-ldap"
        set ldap-poll enable
        set ldap-poll-interval 2
        set ldap-poll-filter "(&(objectClass=group)(cn=group*))"
    next
end