Fortinet white logo
Fortinet white logo

Administration Guide

Use Active Directory objects directly in policies

Use Active Directory objects directly in policies

Active Directory (AD) groups can be used directly in identity-based firewall policies. You do not need to add remote AD groups to local FSSO groups before using them in policies.

FortiGate administrators can define how often group information is updated from AD LDAP servers.

To retrieve and use AD user groups in policies:
  1. Set the FSSO Collector Agent AD access mode

  2. Add an LDAP server

  3. Create the FSSO collector that updates the AD user groups list

  4. Use the AD user groups in a policy

Set the FSSO Collector Agent AD access mode

To use this feature, you must set FSSO Collector Agent to Advanced AD access mode. If the FSSO Collector Agent is running in the default mode, FortiGate cannot correctly match user group memberships.

Add an LDAP server

To add an LDAP server in the GUI:
  1. Go to User & Authentication > LDAP Servers.

  2. Click Create New.

  3. Configure the settings as needed.

  4. If secure communication over TLS is supported by the remote AD LDAP server:

    1. Enable Secure Connection .

    2. Select the protocol.

    3. Select the certificate from the CA that issued the AD LDAP server certificate.

      If the protocol is LDAPS, the port will automatically change to 636.

  5. Click OK.

To add an LDAP server in the CLI:
config user ldap
    edit "AD-ldap"
        set server "10.1.100.131"
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
        set password XXXXXXXXXXXXXXXXXXXXXXXX               
    next
end

Create the FSSO collector that updates the AD user groups list

To create an FSSO agent connector in the GUI:
  1. Go to Security Fabric > External Connectors.

  2. Click Create New.

  3. In the Endpoint/Identity section, click FSSO Agent on Windows AD.

  4. Fill in the Name

  5. Set the Primary FSSO Agent to the IP address of the FSSO Collector Agent, and enter its password.

  6. Set the User Group Source to Local.

  7. Set the LDAP Server to the just created AD-ldap server.

  8. Enable Proactively Retrieve from LDAP Server.

  9. Set the Search Filter to (&(objectClass=group)(cn=group*)).

    The default search filter retrieves all groups, including Microsoft system groups. In this example, the filter is configured to retrieve group1, group2, etc, and not groups like grp199.

    The filter syntax is not automatically checked; if it is incorrect, the FortiGate might not retrieve any groups.

  10. Set the Interval (minutes) to configure how often the FortiGate contacts the remote AD LDAP server to update the group information.

  11. Click OK.

  12. To view the AD user groups that are retrieved by the FSSO agent, hover the cursor over the group icon on the fabric connector listing.

To create an FSSO agent connector in the CLI:
config user fsso
    edit "ad-advanced"
        set server "10.1.100.131"
        set password XXXXXXXXXXXXXX
        set ldap-server "AD-ldap"
        set ldap-poll enable
        set ldap-poll-interval 2
        set ldap-poll-filter "(&(objectClass=group)(cn=group*))"
    next
end

You can view the retrieved AD user groups with the show user adgrp command.

Use the AD user groups in a policy

The AD user groups retrieved by the FortiGate can be used directly in firewall policies.

Use Active Directory objects directly in policies

Use Active Directory objects directly in policies

Active Directory (AD) groups can be used directly in identity-based firewall policies. You do not need to add remote AD groups to local FSSO groups before using them in policies.

FortiGate administrators can define how often group information is updated from AD LDAP servers.

To retrieve and use AD user groups in policies:
  1. Set the FSSO Collector Agent AD access mode

  2. Add an LDAP server

  3. Create the FSSO collector that updates the AD user groups list

  4. Use the AD user groups in a policy

Set the FSSO Collector Agent AD access mode

To use this feature, you must set FSSO Collector Agent to Advanced AD access mode. If the FSSO Collector Agent is running in the default mode, FortiGate cannot correctly match user group memberships.

Add an LDAP server

To add an LDAP server in the GUI:
  1. Go to User & Authentication > LDAP Servers.

  2. Click Create New.

  3. Configure the settings as needed.

  4. If secure communication over TLS is supported by the remote AD LDAP server:

    1. Enable Secure Connection .

    2. Select the protocol.

    3. Select the certificate from the CA that issued the AD LDAP server certificate.

      If the protocol is LDAPS, the port will automatically change to 636.

  5. Click OK.

To add an LDAP server in the CLI:
config user ldap
    edit "AD-ldap"
        set server "10.1.100.131"
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com"
        set password XXXXXXXXXXXXXXXXXXXXXXXX               
    next
end

Create the FSSO collector that updates the AD user groups list

To create an FSSO agent connector in the GUI:
  1. Go to Security Fabric > External Connectors.

  2. Click Create New.

  3. In the Endpoint/Identity section, click FSSO Agent on Windows AD.

  4. Fill in the Name

  5. Set the Primary FSSO Agent to the IP address of the FSSO Collector Agent, and enter its password.

  6. Set the User Group Source to Local.

  7. Set the LDAP Server to the just created AD-ldap server.

  8. Enable Proactively Retrieve from LDAP Server.

  9. Set the Search Filter to (&(objectClass=group)(cn=group*)).

    The default search filter retrieves all groups, including Microsoft system groups. In this example, the filter is configured to retrieve group1, group2, etc, and not groups like grp199.

    The filter syntax is not automatically checked; if it is incorrect, the FortiGate might not retrieve any groups.

  10. Set the Interval (minutes) to configure how often the FortiGate contacts the remote AD LDAP server to update the group information.

  11. Click OK.

  12. To view the AD user groups that are retrieved by the FSSO agent, hover the cursor over the group icon on the fabric connector listing.

To create an FSSO agent connector in the CLI:
config user fsso
    edit "ad-advanced"
        set server "10.1.100.131"
        set password XXXXXXXXXXXXXX
        set ldap-server "AD-ldap"
        set ldap-poll enable
        set ldap-poll-interval 2
        set ldap-poll-filter "(&(objectClass=group)(cn=group*))"
    next
end

You can view the retrieved AD user groups with the show user adgrp command.

Use the AD user groups in a policy

The AD user groups retrieved by the FortiGate can be used directly in firewall policies.