Tutek_OLD
New Contributor

LDAP Connected but I cannot assign in Firewall any AD groups

Hi,

I have added my AD LDAP and it has status connected. Now I would like to create a firewall policy with AD user groups as the source, but I don't have any group from AD listed here. How could I troubleshoot this?

Alivo__FTNT
Staff

Hello Tutek,


Have you added the AD groups to a user group (or groups)? The user groups should then be visible in firewall policies.

Best Regards,

Alivo


Tutek_OLD

Hi, I created local groups and assigned this group to the remote NPS server's group of the same name.


Yurisk
Valued Contributor

You can't mix local and LDAP users in the same group. Create a new user group, add the LDAP object you created as a member, then use this group as the source in rules.


Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Tutek_OLD

I did like that:


because I would like to SSL VPN authenticate users that are in the NPS VPN-Admins group.

Tutek_OLD

As you can see in this KB:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/795593/use-active-directory-objects-dire...

it is possible to choose AD groups in the firewall policy.

When I create a firewall policy and go to users, then Select Entry --> User, my AD groups are not listed here. Why?

Alivo__FTNT

Hello Tutek, the doc is about FSSO, not LDAP. Although you may see them as LDAP groups, which in fact they are,

they belong to a different table in FortiGate > adgrp. This is used for passive authentication > Fortinet Single Sign On.

Since you added LDAP groups, as you wrote in your initial post, you have chosen active authentication, meaning users will be prompted for their credentials.

What is your goal exactly?

Best Regards,

Alivo

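An added FortiOS CLI example (not posted by anyone in this thread) that puts Yurisk's and Alivo's points side by side: an active-authentication user group whose member is the LDAP server object, versus an agentless FSSO polling entry that fills the `user adgrp` table and an FSSO-type group built on it. The server address, service accounts, DNs and group names are assumed placeholders; the `#` lines are explanatory comments.

```fortios
# Added example, not from the thread; addresses, accounts and DNs are placeholders.
# --- Path 1: active authentication (Yurisk's advice) ---
# The LDAP server object is the group member; "config match" limits membership to
# one AD group. Users matched by the policy are prompted for credentials.
config user ldap
    edit "AD-LDAP"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-ldap,CN=Users,DC=example,DC=com"
        set password "REPLACE_ME"
    next
end
config user group
    edit "LDAP-VPN-Admins"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=VPN-Admins,OU=Groups,DC=example,DC=com"
            next
        end
    next
end
# --- Path 2: passive authentication via agentless FSSO polling (the cookbook's method) ---
# The poller reads logon events from the DC and fills the "user adgrp" table with the
# groups listed under "config adgrp"; only then does "show user adgrp" return entries.
config user fsso-polling
    edit 1
        set status enable
        set server "192.0.2.10"
        set user "svc-fsso"
        set password "REPLACE_ME"
        set ldap-server "AD-LDAP"
        config adgrp
            edit "CN=Domain Users,CN=Users,DC=example,DC=com"
            next
        end
    next
end
# An FSSO-type user group wraps the polled AD group; this group (not the raw adgrp
# entry) is what is offered under Source > User in the firewall policy.
config user group
    edit "FSSO-Domain-Users"
        set group-type fsso-service
        set member "CN=Domain Users,CN=Users,DC=example,DC=com"
    next
end
```

Until the poller has fetched the configured groups, the `user adgrp` table stays empty and no FSSO group can be built from it.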

Tutek_OLD

I would like to have the ability to choose my polled AD group directly in the firewall policy, as shown here:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/795593/use-active-directory-objects-dire...

I have configured agentless polling to my domain controller and checked two AD groups to poll, but when I create a firewall policy and click source, then Select Entry "User", I don't see any of my AD groups here.

Alivo__FTNT

Hello Tutek,

1. Which firmware are you using?

2. What is the source interface in the policy?

3. What is the output of: sh us adgrp


Thank you.

Best Regards,

Alivo



Tutek_OLD

1. v6.4.5 build5653 (GA)

2. I want to restrict Internet access only to "Domain users" polled from AD, so the source interface is my LAN.

3.

FGT # sh us adgrp
config user adgrp
end
