Fortinet Document Library

Version:

Version:

Version:


Table of Contents

New Features

Download PDF
Copy Link

Per-device mapping for LDAP and FSSO user groups 7.0.2

Per-device mapping has been added for Firewall and FSSO group types.

To use per-device mapping in Firewall and FFSO user groups:
  1. Go to Policy & Objects > Object Configurations >User & Authentication > User Groups.
  2. Create an FSSO, Firewall user, and Firewall LDAP remote server dynamic user groups to different FortiGate VDOMs (root and v1 in this example).
    • FSSO dynamic user group.
    • Firewall dynamic user group.
    • Firewall LDAP remote authentication server dynamic user group.
  3. Go to Policy & Objects > Policy Packages, and use the user groups in a new or existing policy.

  4. Install the policy to the two different FortiGate VDOMs.
    The copy log and installation log show that the dynamic mappings for user groups are installed to the different FortiGate VDOMs respectively.
    • Copy Log
      >>>>>FGVM01SYNTAX0013>>>>>>>>>>>>>>>>>>>>>>>>>>>
      config vdom
          edit root
              config user ldap
                  edit "taj-ldap-server"
                      set server "10.2.78.8"
                      set cnid "cn"
                      set dn "dc=fssotest,dc=com"
                      set type regular
                      set username "cn=administrator,cn=users,dc=fssotest,dc=com"
                      set password ENC Z8Zpc/bwU2j1HxCFsp0zLVsmpXEWQQvc6JVoYq8gt3RKcH0GzuPHQAo4U0l/tm1eYnZMKjWCX/cNxSUWvk/Pp83EjgGWe4Yf5H4VtPLEeCadn6Q8PJZpITqMLtBJUry6CETGGrnY0gfHZINWaIya9QDGbOZ3BOBKw1sj9Wf6CHNSUfQ2
                  next
              end
              config user local
                  edit "guest"
                      set type password
                      set passwd ENC Z8Zpc/bwU2j1HxCFWzO/XkWz1iNBDsh5b97WAaOc878PeL/elqx7TGytfdtUQRfwtzxmM/u3O09SixVeQ5b325brkt7Zmd4nlu1m17oIqaTLJYHUUtgURVHU4D8BONVV2bh+WbXaWcVyU5CwLaIQ3EbwOdPuhJjStZLpJYeW4sFljHnH
                  next
              end
              config user group
                  edit "dynaFSSO"
                      set group-type fsso-service
                      set member "FSSOTEST/ADMINISTRATORS"
                  next
                  edit "dynaLDAP"
                      set member "taj-ldap-server"
                      config match
                          edit 1
                              set server-name "taj-ldap-server"
                              set group-name "CN=Access Control Assistance Operators,CN=Builtin,DC=fssotest,DC=com"
                          next
                      end
                  next
                  edit "dynaUser"
                      set member "guest"
                  next
              end
              config firewall policy
                  edit 1
                      unset groups
                      set groups "dynaFSSO" "dynaLDAP" "dynaUser"
                  next
              end
          next
          edit v1
              config user ldap
                  edit "taj-ldap-server"
                      set server "10.2.78.8"
                      set cnid "cn"
                      set dn "dc=fssotest,dc=com"
                      set type regular
                      set username "cn=administrator,cn=users,dc=fssotest,dc=com"
                      set password ENC Z8Zpc/bwU2j1HxCFsp0zLVsmpXEWQQvc6JVoYq8gt3RKcH0GzuPHQAo4U0l/tm1eYnZMKjWCX/cNxSUWvk/Pp83EjgGWe4Yf5H4VtPLEeCadn6Q8PJZpITqMLtBJUry6CETGGrnY0gfHZINWaIya9QDGbOZ3BOBKw1sj9Wf6CHNSUfQ2
                  next
              end
              config user local
                  edit "taj-local-user"
                      set type password
                      set two-factor sms
                      set sms-phone "13333333"
                      set passwd ENC Z8Zpc/bwU2j1HxCFgvSKuX7rw3RdHEDq+jYKXUC2d4iY6HcNL4G3Q/FvS+3nbU0LaifZNMFfwuDuzMjOipkcYVOZWmpLT7r0fdMMEhkOdznooELXW85UNGzeQVsMc+PzAFnZM/szwaPWWToS6YRXVgguUF0b5FIk/070eHkl8CArGC5s
                  next
              end
              config user group
                  edit "dynaFSSO"
                      set group-type fsso-service
                      set member "FSSOTEST/BACKUP OPERATORS"
                  next
                  edit "dynaLDAP"
                      set member "taj-ldap-server"
                      config match
                          edit 1
                              set server-name "taj-ldap-server"
                              set group-name "CN=Backup Operators,CN=Builtin,DC=fssotest,DC=com"
                          next
                      end
                  next
                  edit "dynaUser"
                      set member "taj-local-user"
                  next
              end
              config firewall policy
                  edit 1
                      unset groups
                      set groups "dynaFSSO" "dynaLDAP" "dynaUser"
                  next
              end
          end
    • Install Log
      Starting log (Run on device)
      
      
      Start installing
      FGVM01SYNTAX0013 $  config vdom
      FGVM01SYNTAX0013 (vdom) $  edit root
      current vf=root:0
      FGVM01SYNTAX0013 (root) $  config user ldap
      FGVM01SYNTAX0013 (ldap) $  edit "taj-ldap-server"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set server "10.2.78.8"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set cnid "cn"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set dn "dc=fssotest,dc=com"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set type regular
      FGVM01SYNTAX0013 (taj-ldap-server) $  set username "cn=administrator,cn=users,dc=fssotest,dc=com"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set password **********
      FGVM01SYNTAX0013 (taj-ldap-server) $  next
      FGVM01SYNTAX0013 (ldap) $  end
      FGVM01SYNTAX0013 (root) $  config user local
      FGVM01SYNTAX0013 (local) $  edit "guest"
      FGVM01SYNTAX0013 (guest) $  set type password
      FGVM01SYNTAX0013 (guest) $  set passwd ************************************************************************************************************************************************************************************************************
      FGVM01SYNTAX0013 (guest) $  next
      FGVM01SYNTAX0013 (local) $  end
      FGVM01SYNTAX0013 (root) $  config user group
      FGVM01SYNTAX0013 (group) $  edit "dynaFSSO"
      FGVM01SYNTAX0013 (dynaFSSO) $  set group-type fsso-service
      FGVM01SYNTAX0013 (dynaFSSO) $  set member "FSSOTEST/ADMINISTRATORS"
      FGVM01SYNTAX0013 (dynaFSSO) $  next
      FGVM01SYNTAX0013 (group) $  edit "dynaLDAP"
      FGVM01SYNTAX0013 (dynaLDAP) $  set member "taj-ldap-server"
      FGVM01SYNTAX0013 (dynaLDAP) $  config match
      FGVM01SYNTAX0013 (match) $  edit 1
      FGVM01SYNTAX0013 (1) $  set server-name "taj-ldap-server"
      FGVM01SYNTAX0013 (1) $  set group-name "CN=Access Control Assistance Operators,CN=Builtin,DC=fssotest,DC=com"
      FGVM01SYNTAX0013 (1) $  next
      FGVM01SYNTAX0013 (match) $  end
      FGVM01SYNTAX0013 (dynaLDAP) $  next
      FGVM01SYNTAX0013 (group) $  edit "dynaUser"
      FGVM01SYNTAX0013 (dynaUser) $  set member "guest"
      FGVM01SYNTAX0013 (dynaUser) $  next
      FGVM01SYNTAX0013 (group) $  end
      FGVM01SYNTAX0013 (root) $  config firewall policy
      FGVM01SYNTAX0013 (policy) $  edit 1
      FGVM01SYNTAX0013 (1) $  unset groups
      FGVM01SYNTAX0013 (1) $  set groups "dynaFSSO" "dynaLDAP" "dynaUser"
      FGVM01SYNTAX0013 (1) $  next
      FGVM01SYNTAX0013 (policy) $  end
      FGVM01SYNTAX0013 (root) $  next
      FGVM01SYNTAX0013 (vdom) $  edit v1
      current vf=v1:1
      FGVM01SYNTAX0013 (v1) $  config user ldap
      FGVM01SYNTAX0013 (ldap) $  edit "taj-ldap-server"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set server "10.2.78.8"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set cnid "cn"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set dn "dc=fssotest,dc=com"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set type regular
      FGVM01SYNTAX0013 (taj-ldap-server) $  set username "cn=administrator,cn=users,dc=fssotest,dc=com"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set password **********
      FGVM01SYNTAX0013 (taj-ldap-server) $  next
      FGVM01SYNTAX0013 (ldap) $  end
      FGVM01SYNTAX0013 (v1) $  config user local
      FGVM01SYNTAX0013 (local) $  edit "taj-local-user"
      FGVM01SYNTAX0013 (taj-local-user) $  set type password
      FGVM01SYNTAX0013 (taj-local-user) $  set two-factor sms
      FGVM01SYNTAX0013 (taj-local-user) $  set sms-phone "13333333"
      FGVM01SYNTAX0013 (taj-local-user) $  set passwd *********
      FGVM01SYNTAX0013 (taj-local-user) $  next
      FGVM01SYNTAX0013 (local) $  end
      FGVM01SYNTAX0013 (v1) $  config user group
      FGVM01SYNTAX0013 (group) $  edit "dynaFSSO"
      FGVM01SYNTAX0013 (dynaFSSO) $  set group-type fsso-service
      FGVM01SYNTAX0013 (dynaFSSO) $  set member "FSSOTEST/BACKUP OPERATORS"
      FGVM01SYNTAX0013 (dynaFSSO) $  next
      FGVM01SYNTAX0013 (group) $  edit "dynaLDAP"
      FGVM01SYNTAX0013 (dynaLDAP) $  set member "taj-ldap-server"
      FGVM01SYNTAX0013 (dynaLDAP) $  config match
      FGVM01SYNTAX0013 (match) $  edit 1
      FGVM01SYNTAX0013 (1) $  set server-name "taj-ldap-server"
      FGVM01SYNTAX0013 (1) $  set group-name "CN=Backup Operators,CN=Builtin,DC=fssotest,DC=com"
      FGVM01SYNTAX0013 (1) $  next
      FGVM01SYNTAX0013 (match) $  end
      FGVM01SYNTAX0013 (dynaLDAP) $  next
      FGVM01SYNTAX0013 (group) $  edit "dynaUser"
      FGVM01SYNTAX0013 (dynaUser) $  set member "taj-local-user"
      FGVM01SYNTAX0013 (dynaUser) $  next
      FGVM01SYNTAX0013 (group) $  end
      FGVM01SYNTAX0013 (v1) $  config firewall policy
      FGVM01SYNTAX0013 (policy) $  edit 1
      FGVM01SYNTAX0013 (1) $  unset groups
      FGVM01SYNTAX0013 (1) $  set groups "dynaFSSO" "dynaLDAP" "dynaUser"
      FGVM01SYNTAX0013 (1) $  next
      FGVM01SYNTAX0013 (policy) $  end
      FGVM01SYNTAX0013 (v1) $  end
      
      
      ---> generating verification report
      <--- done generating verification report
  5. After the install is finished, the FortiGate VDOMs get the correct user groups.
    • Root VDOM

    • v1 VDOM

Per-device mapping for LDAP and FSSO user groups 7.0.2

Per-device mapping has been added for Firewall and FSSO group types.

To use per-device mapping in Firewall and FFSO user groups:
  1. Go to Policy & Objects > Object Configurations >User & Authentication > User Groups.
  2. Create an FSSO, Firewall user, and Firewall LDAP remote server dynamic user groups to different FortiGate VDOMs (root and v1 in this example).
    • FSSO dynamic user group.
    • Firewall dynamic user group.
    • Firewall LDAP remote authentication server dynamic user group.
  3. Go to Policy & Objects > Policy Packages, and use the user groups in a new or existing policy.

  4. Install the policy to the two different FortiGate VDOMs.
    The copy log and installation log show that the dynamic mappings for user groups are installed to the different FortiGate VDOMs respectively.
    • Copy Log
      >>>>>FGVM01SYNTAX0013>>>>>>>>>>>>>>>>>>>>>>>>>>>
      config vdom
          edit root
              config user ldap
                  edit "taj-ldap-server"
                      set server "10.2.78.8"
                      set cnid "cn"
                      set dn "dc=fssotest,dc=com"
                      set type regular
                      set username "cn=administrator,cn=users,dc=fssotest,dc=com"
                      set password ENC Z8Zpc/bwU2j1HxCFsp0zLVsmpXEWQQvc6JVoYq8gt3RKcH0GzuPHQAo4U0l/tm1eYnZMKjWCX/cNxSUWvk/Pp83EjgGWe4Yf5H4VtPLEeCadn6Q8PJZpITqMLtBJUry6CETGGrnY0gfHZINWaIya9QDGbOZ3BOBKw1sj9Wf6CHNSUfQ2
                  next
              end
              config user local
                  edit "guest"
                      set type password
                      set passwd ENC Z8Zpc/bwU2j1HxCFWzO/XkWz1iNBDsh5b97WAaOc878PeL/elqx7TGytfdtUQRfwtzxmM/u3O09SixVeQ5b325brkt7Zmd4nlu1m17oIqaTLJYHUUtgURVHU4D8BONVV2bh+WbXaWcVyU5CwLaIQ3EbwOdPuhJjStZLpJYeW4sFljHnH
                  next
              end
              config user group
                  edit "dynaFSSO"
                      set group-type fsso-service
                      set member "FSSOTEST/ADMINISTRATORS"
                  next
                  edit "dynaLDAP"
                      set member "taj-ldap-server"
                      config match
                          edit 1
                              set server-name "taj-ldap-server"
                              set group-name "CN=Access Control Assistance Operators,CN=Builtin,DC=fssotest,DC=com"
                          next
                      end
                  next
                  edit "dynaUser"
                      set member "guest"
                  next
              end
              config firewall policy
                  edit 1
                      unset groups
                      set groups "dynaFSSO" "dynaLDAP" "dynaUser"
                  next
              end
          next
          edit v1
              config user ldap
                  edit "taj-ldap-server"
                      set server "10.2.78.8"
                      set cnid "cn"
                      set dn "dc=fssotest,dc=com"
                      set type regular
                      set username "cn=administrator,cn=users,dc=fssotest,dc=com"
                      set password ENC Z8Zpc/bwU2j1HxCFsp0zLVsmpXEWQQvc6JVoYq8gt3RKcH0GzuPHQAo4U0l/tm1eYnZMKjWCX/cNxSUWvk/Pp83EjgGWe4Yf5H4VtPLEeCadn6Q8PJZpITqMLtBJUry6CETGGrnY0gfHZINWaIya9QDGbOZ3BOBKw1sj9Wf6CHNSUfQ2
                  next
              end
              config user local
                  edit "taj-local-user"
                      set type password
                      set two-factor sms
                      set sms-phone "13333333"
                      set passwd ENC Z8Zpc/bwU2j1HxCFgvSKuX7rw3RdHEDq+jYKXUC2d4iY6HcNL4G3Q/FvS+3nbU0LaifZNMFfwuDuzMjOipkcYVOZWmpLT7r0fdMMEhkOdznooELXW85UNGzeQVsMc+PzAFnZM/szwaPWWToS6YRXVgguUF0b5FIk/070eHkl8CArGC5s
                  next
              end
              config user group
                  edit "dynaFSSO"
                      set group-type fsso-service
                      set member "FSSOTEST/BACKUP OPERATORS"
                  next
                  edit "dynaLDAP"
                      set member "taj-ldap-server"
                      config match
                          edit 1
                              set server-name "taj-ldap-server"
                              set group-name "CN=Backup Operators,CN=Builtin,DC=fssotest,DC=com"
                          next
                      end
                  next
                  edit "dynaUser"
                      set member "taj-local-user"
                  next
              end
              config firewall policy
                  edit 1
                      unset groups
                      set groups "dynaFSSO" "dynaLDAP" "dynaUser"
                  next
              end
          end
    • Install Log
      Starting log (Run on device)
      
      
      Start installing
      FGVM01SYNTAX0013 $  config vdom
      FGVM01SYNTAX0013 (vdom) $  edit root
      current vf=root:0
      FGVM01SYNTAX0013 (root) $  config user ldap
      FGVM01SYNTAX0013 (ldap) $  edit "taj-ldap-server"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set server "10.2.78.8"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set cnid "cn"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set dn "dc=fssotest,dc=com"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set type regular
      FGVM01SYNTAX0013 (taj-ldap-server) $  set username "cn=administrator,cn=users,dc=fssotest,dc=com"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set password **********
      FGVM01SYNTAX0013 (taj-ldap-server) $  next
      FGVM01SYNTAX0013 (ldap) $  end
      FGVM01SYNTAX0013 (root) $  config user local
      FGVM01SYNTAX0013 (local) $  edit "guest"
      FGVM01SYNTAX0013 (guest) $  set type password
      FGVM01SYNTAX0013 (guest) $  set passwd ************************************************************************************************************************************************************************************************************
      FGVM01SYNTAX0013 (guest) $  next
      FGVM01SYNTAX0013 (local) $  end
      FGVM01SYNTAX0013 (root) $  config user group
      FGVM01SYNTAX0013 (group) $  edit "dynaFSSO"
      FGVM01SYNTAX0013 (dynaFSSO) $  set group-type fsso-service
      FGVM01SYNTAX0013 (dynaFSSO) $  set member "FSSOTEST/ADMINISTRATORS"
      FGVM01SYNTAX0013 (dynaFSSO) $  next
      FGVM01SYNTAX0013 (group) $  edit "dynaLDAP"
      FGVM01SYNTAX0013 (dynaLDAP) $  set member "taj-ldap-server"
      FGVM01SYNTAX0013 (dynaLDAP) $  config match
      FGVM01SYNTAX0013 (match) $  edit 1
      FGVM01SYNTAX0013 (1) $  set server-name "taj-ldap-server"
      FGVM01SYNTAX0013 (1) $  set group-name "CN=Access Control Assistance Operators,CN=Builtin,DC=fssotest,DC=com"
      FGVM01SYNTAX0013 (1) $  next
      FGVM01SYNTAX0013 (match) $  end
      FGVM01SYNTAX0013 (dynaLDAP) $  next
      FGVM01SYNTAX0013 (group) $  edit "dynaUser"
      FGVM01SYNTAX0013 (dynaUser) $  set member "guest"
      FGVM01SYNTAX0013 (dynaUser) $  next
      FGVM01SYNTAX0013 (group) $  end
      FGVM01SYNTAX0013 (root) $  config firewall policy
      FGVM01SYNTAX0013 (policy) $  edit 1
      FGVM01SYNTAX0013 (1) $  unset groups
      FGVM01SYNTAX0013 (1) $  set groups "dynaFSSO" "dynaLDAP" "dynaUser"
      FGVM01SYNTAX0013 (1) $  next
      FGVM01SYNTAX0013 (policy) $  end
      FGVM01SYNTAX0013 (root) $  next
      FGVM01SYNTAX0013 (vdom) $  edit v1
      current vf=v1:1
      FGVM01SYNTAX0013 (v1) $  config user ldap
      FGVM01SYNTAX0013 (ldap) $  edit "taj-ldap-server"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set server "10.2.78.8"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set cnid "cn"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set dn "dc=fssotest,dc=com"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set type regular
      FGVM01SYNTAX0013 (taj-ldap-server) $  set username "cn=administrator,cn=users,dc=fssotest,dc=com"
      FGVM01SYNTAX0013 (taj-ldap-server) $  set password **********
      FGVM01SYNTAX0013 (taj-ldap-server) $  next
      FGVM01SYNTAX0013 (ldap) $  end
      FGVM01SYNTAX0013 (v1) $  config user local
      FGVM01SYNTAX0013 (local) $  edit "taj-local-user"
      FGVM01SYNTAX0013 (taj-local-user) $  set type password
      FGVM01SYNTAX0013 (taj-local-user) $  set two-factor sms
      FGVM01SYNTAX0013 (taj-local-user) $  set sms-phone "13333333"
      FGVM01SYNTAX0013 (taj-local-user) $  set passwd *********
      FGVM01SYNTAX0013 (taj-local-user) $  next
      FGVM01SYNTAX0013 (local) $  end
      FGVM01SYNTAX0013 (v1) $  config user group
      FGVM01SYNTAX0013 (group) $  edit "dynaFSSO"
      FGVM01SYNTAX0013 (dynaFSSO) $  set group-type fsso-service
      FGVM01SYNTAX0013 (dynaFSSO) $  set member "FSSOTEST/BACKUP OPERATORS"
      FGVM01SYNTAX0013 (dynaFSSO) $  next
      FGVM01SYNTAX0013 (group) $  edit "dynaLDAP"
      FGVM01SYNTAX0013 (dynaLDAP) $  set member "taj-ldap-server"
      FGVM01SYNTAX0013 (dynaLDAP) $  config match
      FGVM01SYNTAX0013 (match) $  edit 1
      FGVM01SYNTAX0013 (1) $  set server-name "taj-ldap-server"
      FGVM01SYNTAX0013 (1) $  set group-name "CN=Backup Operators,CN=Builtin,DC=fssotest,DC=com"
      FGVM01SYNTAX0013 (1) $  next
      FGVM01SYNTAX0013 (match) $  end
      FGVM01SYNTAX0013 (dynaLDAP) $  next
      FGVM01SYNTAX0013 (group) $  edit "dynaUser"
      FGVM01SYNTAX0013 (dynaUser) $  set member "taj-local-user"
      FGVM01SYNTAX0013 (dynaUser) $  next
      FGVM01SYNTAX0013 (group) $  end
      FGVM01SYNTAX0013 (v1) $  config firewall policy
      FGVM01SYNTAX0013 (policy) $  edit 1
      FGVM01SYNTAX0013 (1) $  unset groups
      FGVM01SYNTAX0013 (1) $  set groups "dynaFSSO" "dynaLDAP" "dynaUser"
      FGVM01SYNTAX0013 (1) $  next
      FGVM01SYNTAX0013 (policy) $  end
      FGVM01SYNTAX0013 (v1) $  end
      
      
      ---> generating verification report
      <--- done generating verification report
  5. After the install is finished, the FortiGate VDOMs get the correct user groups.
    • Root VDOM

    • v1 VDOM