Administration Guide

Tracking users in each Active Directory LDAP group

When LDAP users log on through firewall authentication, the active users in each Active Directory LDAP group are counted and displayed in the Firewall Users widget and in the CLI.

Example

The Active Directory LDAP server, FORTINET-FSSO.com, is configured with two groups that contain two users each: group1 consists of users test1 and test3; group2 consists of users test2 and test4.

To configure AD LDAP user groups in the GUI:
  1. Configure the Active Directory LDAP server, FORTINET-FSSO:
    1. Go to User & Authentication > LDAP Servers and click Create New.
    2. Enter the following:
       Name: FORTINET-FSSO
       Server IP/Name: 10.1.100.131
       Distinguished Name: dc=FORTINET-FSSO,dc=com
       Bind Type: Regular
       Username: cn=administrator,cn=users,dc=FORTINET-FSSO,dc=com
       Password: Enter the password.
    3. Click OK.
  2. Configure the LDAP user groups:
    1. Go to User & Authentication > User Groups and click Create New.
    2. Enter the name, ldap1.
    3. In the Remote Groups table, click Add. The Add Group Match pane opens.
    4. For Remote Server, select FORTINET-FSSO.
    5. In the search box, enter group1, and select the result in the table.
    6. Click OK.
    7. Repeat these steps to configure ldap2 with the FORTINET-FSSO group2.
    8. Click OK.
  3. Configure a firewall policy with both LDAP groups:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. For Source, select ldap1 and ldap2.
    3. Configure the other settings as needed.
    4. Click OK.
  4. Get users test1 and test2 to log in.
  5. In FortiOS, go to Dashboard > Users & Devices and click the Firewall Users widget to expand to full screen view.

    Hover over a group in the User Group donut chart to view how many users are logged on from that group, and the number of users as a percentage of all logged on users. The chart shows that two users are logged in.

  6. Get users test3 and test4 to log in, and refresh the Firewall Users widget. Each LDAP group has two users logged in, with a total of four active users.

  7. Get user test2 to log out, and refresh the Firewall Users widget. There is a total of three active users, and the ldap2 group has only one user logged in.
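The same LDAP server, user groups and firewall policy can be created from the FortiOS CLI; the following is an added equivalent of the GUI steps above, not part of the original guide. The AD distinguished names of group1 and group2 (assumed to live under CN=Users), the interface names port1 and port2, and the bind password placeholder are assumptions; the GUI leaves Common Name Identifier at its default of cn.

```fortios
# Step 1: LDAP server (assumed values marked in the lead-in)
config user ldap
    edit "FORTINET-FSSO"
        set server "10.1.100.131"
        set cnid "cn"
        set dn "dc=FORTINET-FSSO,dc=com"
        set type regular
        set username "cn=administrator,cn=users,dc=FORTINET-FSSO,dc=com"
        set password <ldap-bind-password>
    next
end
# Step 2: one FortiOS user group per AD group, matched by group DN
config user group
    edit "ldap1"
        set member "FORTINET-FSSO"
        config match
            edit 1
                set server-name "FORTINET-FSSO"
                set group-name "CN=group1,CN=Users,DC=FORTINET-FSSO,DC=com"
            next
        end
    next
    edit "ldap2"
        set member "FORTINET-FSSO"
        config match
            edit 1
                set server-name "FORTINET-FSSO"
                set group-name "CN=group2,CN=Users,DC=FORTINET-FSSO,DC=com"
            next
        end
    next
end
# Step 3: firewall policy that authenticates members of both groups
config firewall policy
    edit 0
        set name "ldap-group-users"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "ldap1" "ldap2"
    next
end
```

Because the per-group count is keyed on the matched group DN, a group-name that does not exactly match the DN returned by the LDAP server results in users authenticating against no group and not appearing under ldap1 or ldap2 in the widget.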

To verify the user group count in the CLI:
# diagnose user-device-store user-count list <integer>
# diagnose user-device-store user-count query <FQDN of AD group>
