Use Active Directory objects directly in policies
Active Directory (AD) groups can be used directly in identity-based firewall policies. You do not need to add remote AD groups to local FSSO groups before using them in policies.
FortiGate administrators can define how often group information is updated from AD LDAP servers.
To retrieve and use AD user groups in policies:
- Set the FSSO Collector Agent AD access mode
- Add an LDAP server
- Create the FSSO collector that updates the AD user groups list
- Use the AD user groups in a policy
Set the FSSO Collector Agent AD access mode
To use this feature, you must set FSSO Collector Agent to Advanced AD access mode. If the FSSO Collector Agent is running in the default mode, FortiGate cannot correctly match user group memberships.
Add an LDAP server
To add an LDAP server in the GUI:
- Go to User & Authentication > LDAP Servers.
- Click Create New.
- Configure the settings as needed.
- If secure communication over TLS is supported by the remote AD LDAP server:
    - Enable Secure Connection.
    - Select the protocol.
    - Select the certificate from the CA that issued the AD LDAP server certificate.
  If the protocol is LDAPS, the port will automatically change to 636.
- Click OK.
To add an LDAP server in the CLI:
    config user ldap
        edit "AD-ldap"
            set server "10.1.100.131"
            set cnid "cn"
            set dn "dc=fortinet-fsso,dc=com"
            set type regular
            set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
            set password XXXXXXXXXXXXXXXXXXXXXXXX
        next
    end
Create the FSSO collector that updates the AD user groups list
To create an FSSO agent connector in the GUI:
- Go to Security Fabric > External Connectors.
- Click Create New.
- In the Endpoint/Identity section, click Fortinet Single Sign-On Agent.
- Fill in the Name.
- Set the Primary FSSO Agent to the IP address of the FSSO Collector Agent, and enter its password.
- Set the User Group Source to Local.
- Set the LDAP Server to the AD-ldap server that was just created.
- Enable Proactively Retrieve from LDAP Server.
- Set the Search Filter to (&(objectClass=group)(cn=group*)).
The default search filter retrieves all groups, including Microsoft system groups. In this example, the filter is configured to retrieve group1, group2, etc., and not groups like grp199.
The filter syntax is not automatically checked; if it is incorrect, the FortiGate might not retrieve any groups.
- Set the Interval (minutes) to configure how often the FortiGate contacts the remote AD LDAP server to update the group information.
- Click OK.
- To view the AD user groups that are retrieved by the FSSO agent, hover the cursor over the group icon on the fabric connector listing.
To create an FSSO agent connector in the CLI:
    config user fsso
        edit "ad-advanced"
            set server "10.1.100.131"
            set password XXXXXXXXXXXXXX
            set ldap-server "AD-ldap"
            set ldap-poll enable
            set ldap-poll-interval 2
            set ldap-poll-filter "(&(objectClass=group)(cn=group*))"
        next
    end
To view the retrieved AD user groups in the CLI, use the show user adgrp command.
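Because the FortiGate does not validate the Search Filter / ldap-poll-filter string, it helps to check a filter's syntax and preview which groups it would select before polling starts. The script below is an added example, not FortiGate or Fortinet code: it parses an RFC 4515 filter (and, or, not, equality, presence and `*` substring assertions), evaluates it against a constructed set of AD entries under dc=fortinet-fsso,dc=com, and reports which cn values match. The sample entries, including group1, group2, grp199 and a user object named group-user7, are invented to illustrate the page's example; matching is case-insensitive, as AD treats cn and objectClass.

```python
"""Minimal RFC 4515 LDAP search-filter parser and evaluator (added example).

FortiOS does not check the ldap-poll-filter syntax, so a broken filter
silently retrieves no groups. This script rejects malformed filters and
previews the groups a filter would select from a constructed directory.
"""
import re


class FilterSyntaxError(ValueError):
    """Raised when the filter string does not follow the RFC 4515 grammar."""


def parse_filter(text):
    """Parse a filter string into a nested tuple tree, or raise FilterSyntaxError."""
    s = text.strip()
    pos, node = _parse(s, 0)
    if pos != len(s):
        raise FilterSyntaxError(f"trailing characters at offset {pos}")
    return node


def _parse(s, i):
    """Parse one parenthesised filter item starting at s[i]; return (next index, node)."""
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError("unexpected end of filter")
    op = s[i]
    if op in "&|":                      # and / or: one or more nested filters
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterSyntaxError(f"'{op}' needs at least one operand")
        node = (op, children)
    elif op == "!":                     # not: exactly one nested filter
        i, child = _parse(s, i + 1)
        node = ("!", [child])
    else:                               # attribute assertion: attr=value
        end = s.find(")", i)
        if end == -1:
            raise FilterSyntaxError("unterminated item, missing ')'")
        m = re.fullmatch(r"([A-Za-z][A-Za-z0-9.;-]*)=(.*)", s[i:end])
        if not m:
            raise FilterSyntaxError(f"bad attribute assertion: {s[i:end]!r}")
        node = ("=", m.group(1), m.group(2))
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return i + 1, node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    lowered = {k.lower(): v for k, v in entry.items()}
    values = [str(v).lower() for v in lowered.get(attr.lower(), [])]
    if pattern == "*":                  # presence test
        return bool(values)
    # '*' is the only wildcard in LDAP; every other character is literal
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return any(re.fullmatch(regex, v) for v in values)


# Constructed sample of what the AD LDAP server under dc=fortinet-fsso,dc=com
# might return; names and classes are illustrative only.
SAMPLE_ENTRIES = [
    {"cn": ["group1"], "objectClass": ["top", "group"]},
    {"cn": ["group2"], "objectClass": ["top", "group"]},
    {"cn": ["grp199"], "objectClass": ["top", "group"]},
    {"cn": ["Domain Admins"], "objectClass": ["top", "group"]},
    {"cn": ["group-user7"], "objectClass": ["top", "person", "user"]},  # a user, not a group
]


def select_groups(filter_text, entries=SAMPLE_ENTRIES):
    """Return the cn of every entry the filter selects; raises FilterSyntaxError on bad syntax."""
    node = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(node, e)]


if __name__ == "__main__":
    for f in ["(&(objectClass=group)(cn=group*))",   # the page's example filter
              "(objectClass=group)",                 # every group, system groups included
              "(&(objectClass=group)(cn=group*)"]:   # missing final ')'
        try:
            print(f, "->", select_groups(f))
        except FilterSyntaxError as exc:
            print(f, "-> syntax error:", exc)
```

The page's filter selects group1 and group2 only: grp199 fails the cn=group* assertion, and group-user7 matches the cn prefix but is excluded by the objectClass=group term, which is why the conjunction matters. The third filter is missing its closing parenthesis and is rejected outright, whereas a FortiGate given the same string would simply retrieve no groups.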
Use the AD user groups in a policy
The AD user groups retrieved by the FortiGate can be used directly in firewall policies.