Use Active Directory objects directly in policies

Active Directory (AD) groups can be used directly in identity-based firewall policies. You do not need to add remote AD groups to local FSSO groups before using them in policies.

FortiGate administrators can define how often group information is updated from AD LDAP servers.

To retrieve and use AD user groups in policies:
  1. Set the FSSO Collector Agent AD access mode

  2. Add an LDAP server

  3. Create the FSSO collector that updates the AD user groups list

  4. Use the AD user groups in a policy

Set the FSSO Collector Agent AD access mode

To use this feature, you must set the FSSO Collector Agent to Advanced AD access mode. In the default Standard mode the Collector Agent reports group membership in Windows NetBIOS form (domain\group), while in Advanced mode it reports the LDAP distinguished name of each group (CN=group,OU=...,DC=...), which is the form FortiGate matches against the groups it retrieves from the AD LDAP server. If the Collector Agent is left in Standard mode, FortiGate cannot correctly match user group memberships and identity-based policies that reference AD groups will not match traffic.

Add an LDAP server

To add an LDAP server in the GUI:
  1. Go to User & Authentication > LDAP Servers.

  2. Click Create New.

  3. Configure the settings as needed.

  4. If the remote AD LDAP server supports secure communication over TLS:

    1. Enable Secure Connection.

    2. Select the protocol (LDAPS or STARTTLS).

    3. Select the certificate of the CA that issued the AD LDAP server certificate. The CA certificate must already be imported on the FortiGate (System > Certificates); it is what the FortiGate uses to validate the server certificate presented by the domain controller.

      If the protocol is LDAPS, the port automatically changes to 636. With STARTTLS the connection is upgraded on the standard LDAP port, 389.
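The same LDAP server definition, entered from the FortiOS CLI instead of the GUI, as an added example that is not part of the original page. The server address, bind DN, base DN, and the CA certificate name `CA_Cert_1` are assumptions for illustration; the CA certificate is assumed to have already been imported under System > Certificates, and the bind account is assumed to be a low-privilege, read-only service account rather than a domain administrator.

```fortios
config user ldap
    edit "ad-ldap"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fortigate,OU=Service Accounts,DC=example,DC=com"
        set password ENC_PLACEHOLDER
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set port 636
    next
end
```

Setting `secure ldaps` is what the GUI does when you choose the LDAPS protocol, which is why the port becomes 636; `set secure starttls` keeps port 389 and upgrades the session with STARTTLS. Before building the FSSO collector or any policy on top of this entry, confirm the bind and TLS handshake actually succeed with `diagnose test authserver ldap ad-ldap <username> <password>`: a certificate that does not chain to the selected CA fails here, not silently in the policy later.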