Configuring FortiGate group filters
FortiGate group filters actively control which user logon information is sent to each FortiGate unit. You need to configure the group filter list so that each FortiGate unit receives the correct user logon information for the user groups that are named in its security policies. These group filters help limit the traffic sent to the FortiGate unit, and help limit the logon events logged.
The maximum number of Windows AD user groups allowed on a FortiGate depends on the model. Low-end models support 256 Windows AD user groups, while mid- and high-end models support 1024 groups. This limit is per VDOM if VDOMs are enabled on the FortiGate unit.
You do not need to configure a group filter on the Collector agent if the FortiGate unit retrieves group information from Windows AD using LDAP. In that case, the Collector agent uses the list of groups you selected on the FortiGate unit as its group filter.
The filter list is initially empty. You need to configure filters for your FortiGate units using the Add function. At a minimum, create a default filter that applies to all FortiGate units without a defined filter.
If no filter is defined for a FortiGate unit and there is no default filter, the Collector agent sends all Windows AD group and user logon events to the FortiGate unit. While this normally is not a problem, limiting the amount of data sent to the FortiGate unit improves performance by reducing the amount of memory the unit uses to store the group list and resulting logs.
To configure a FortiGate group filter:
1. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
2. In the Common Tasks section, select Set Group Filters.
The FortiGate Filter List opens. It has the following columns:
FortiGate SN: The serial number of the FortiGate unit to which this filter applies.
Description: An optional description of the role of this FortiGate unit.
Monitored Groups: The Windows AD user groups that are relevant to the security policies on this FortiGate unit.
Add: Create a new filter.
Edit: Modify the filter selected in the list.
Remove: Remove the filter selected in the list.
OK: Save the filter list and exit.
Cancel: Cancel changes and exit.
3. Select Add to create a new filter. If you want to modify an existing filter, select it in the list and then select Edit.
4. Enter the following information and then select OK.
Default filter: Select to create the default filter. The default filter applies to any FortiGate unit that does not have a specific filter defined in the list.
FortiGate Serial Number: Enter the serial number of the FortiGate unit to which this filter applies. This field is not available if Default is selected.
Description: Enter a description of this FortiGate unit's role in your network. For example, you could list the resources accessed through this unit. This field is not available if Default is selected.
Monitor the following groups: The Collector agent sends to the FortiGate unit the user logon information for the Windows AD user groups in this list. Edit this list using the Add, Advanced and Remove buttons.
Add: In the preceding single-line field, enter the Windows AD domain name and user group name, and then select Add. If you don't know the exact name, use the Advanced button instead. The format of the entry depends on the AD access mode (see Configuring Directory Access settings on page 572):
Standard: Domain\Group
Advanced: cn=group, ou=corp, dc=domain
Advanced: Select Advanced, select the user groups from the list, and then select Add.
Remove: Remove the user groups selected in the monitor list.
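The following is an added example, not part of the Fortinet documentation above and not Collector agent code. It checks a list of "Monitor the following groups" entries before they are typed into the filter dialog: each entry must match the format of the configured AD access mode (Standard: Domain\Group; Advanced: an LDAP DN starting with cn= and containing at least one dc= component), duplicates are rejected case-insensitively (Windows group names are not case-sensitive), and the total is compared with the per-VDOM limits stated above (256 for low-end models, 1024 for mid- and high-end models). The model classes, the sample entries and the helper names are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Per-VDOM group limits quoted in the documentation: low-end models 256,
# mid- and high-end models 1024 Windows AD user groups. The class names
# ("low", "mid", "high") are an assumption of this example.
GROUP_LIMITS = {"low": 256, "mid": 1024, "high": 1024}

# Standard access mode: Domain\Group, exactly one backslash, no slashes.
STANDARD_RE = re.compile(r"^(?P<domain>[^\\\s/]+)\\(?P<group>[^\\/]+)$")
# Advanced access mode: an LDAP DN made of attr=value RDNs separated by commas.
RDN_RE = re.compile(r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>[^,=]+)$")


@dataclass
class FilterCheck:
    valid: list = field(default_factory=list)   # normalised entries that passed
    errors: list = field(default_factory=list)  # one message per rejected entry / limit breach


def parse_entry(entry, mode):
    """Return the entry in canonical form, or raise ValueError if it does not fit the mode."""
    entry = entry.strip()
    mode = mode.lower()
    if mode == "standard":
        m = STANDARD_RE.match(entry)
        if not m:
            raise ValueError(f"{entry!r}: Standard mode expects Domain\\Group")
        return f"{m['domain']}\\{m['group'].strip()}"
    if mode == "advanced":
        parsed = []
        for rdn in entry.split(","):
            m = RDN_RE.match(rdn.strip())
            if not m:
                raise ValueError(f"{entry!r}: bad RDN {rdn.strip()!r} (expected attr=value)")
            parsed.append((m["attr"].lower(), m["value"].strip()))
        if not parsed or parsed[0][0] != "cn":
            raise ValueError(f"{entry!r}: Advanced mode DN must start with cn=group")
        if not any(attr == "dc" for attr, _ in parsed):
            raise ValueError(f"{entry!r}: Advanced mode DN needs at least one dc= component")
        return ",".join(f"{a}={v}" for a, v in parsed)
    raise ValueError(f"unknown AD access mode {mode!r}")


def check_filter(entries, mode, model_class="low"):
    """Validate a group filter list for one FortiGate unit (or the default filter)."""
    result = FilterCheck()
    seen = set()
    for raw in entries:
        try:
            norm = parse_entry(raw, mode)
        except ValueError as exc:
            result.errors.append(str(exc))
            continue
        key = norm.lower()  # group names are case-insensitive in Windows AD
        if key in seen:
            result.errors.append(f"{raw!r}: duplicate of an earlier entry")
            continue
        seen.add(key)
        result.valid.append(norm)
    limit = GROUP_LIMITS[model_class]
    if len(result.valid) > limit:
        result.errors.append(
            f"{len(result.valid)} groups exceeds the {limit}-group per-VDOM limit "
            f"for {model_class}-end models"
        )
    return result


if __name__ == "__main__":
    # Constructed sample entries, one of each failure kind.
    sample = ["CORP\\Domain Users", "CORP\\Finance", "corp\\finance", "Finance", "CORP\\a\\b"]
    res = check_filter(sample, "standard", "low")
    print("valid:", res.valid)
    for err in res.errors:
        print("error:", err)
```

Run it against the list you intend to enter and fix every reported error first; an entry the Collector agent cannot match to an AD group simply never produces logon information for that group on the FortiGate, which shows up later as a policy that never matches rather than as a configuration error.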
Hello,
The domain controller on which the FSSO agent is installed could be in any VLAN. For example, the FortiGate firewall is in VLAN 60 and the DC on which the agent is installed is in VLAN 50, and inter-VLAN routing is enabled. We can ping the firewall from the domain controller, but in this setup of different VLANs the FSSO agent should work with the FortiGate without any problem because there is L3 communication between them. I have an issue: the Collector agent doesn't track the domain logon users, and the IPv4 policy in the FortiGate based on FSSO agent groups is not working. I can't keep both the agent and the firewall in the same VLAN; they are in different VLANs, but this shouldn't be an issue. Please advise, as I am tired of debugging and Fortigate TAC is also not taking this issue seriously. If anyone could help, please...
Regards
Hi Khan
The FGT connects to the FSSO agent via TCP port 8000 by default. As long as you allow traffic from VLAN 60 to VLAN 50 on this port, the communication should be established.
You can verify server status via CLI commands
FGT-VM-ESX-Router # diagnose debug enable
FGT-VM-ESX-Router # diagnose debug authd fsso server-status
FGT-VM-ESX-Router #
Server Name Connection Status Version
----------- ----------------- -------
FSSO connected FSAE server 1.1
Hth
Lee
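As an added example (not part of Lee's reply and not Fortinet code), the small parser below reads the output of the server-status command shown above and lists every FSSO server that is not in the "connected" state, so the check can be run over saved CLI output from several units instead of eyeballing the table. The sample output is constructed: its first row mirrors the one in the post, the second row (a disconnected server) is made up to show the failure case.

```python
import re

# Constructed sample of "diagnose debug authd fsso server-status" output.
# Not captured from a real unit; the second row is invented to show a failure.
SAMPLE_STATUS = """\
Server Name                 Connection Status   Version
-----------                 -----------------   -------
FSSO                        connected           FSAE server 1.1
FSSO-DC2                    disconnected        FSAE server 1.1
"""

# A data row is: <server name> <connected|disconnected> <version text>.
# The name is matched lazily so names containing spaces still parse;
# the header and dash lines contain neither status word and are skipped.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<status>connected|disconnected)\s+(?P<version>.*\S)\s*$",
    re.IGNORECASE,
)


def parse_server_status(output):
    """Return one dict per FSSO server row found in the CLI output."""
    servers = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            servers.append(
                {"name": m["name"], "status": m["status"].lower(), "version": m["version"]}
            )
    return servers


def disconnected_servers(output):
    """Names of FSSO servers whose connection status is anything other than 'connected'."""
    return [s["name"] for s in parse_server_status(output) if s["status"] != "connected"]


if __name__ == "__main__":
    for server in parse_server_status(SAMPLE_STATUS):
        print(server)
    print("not connected:", disconnected_servers(SAMPLE_STATUS))
```

A server reported as disconnected here, combined with "0 FortiGate connected" on the Collector agent side, points at the TCP 8000 path between the two (firewall policy, routing, or a host firewall on the DC) rather than at the group filter configuration.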
Hi,
I'm having this issue: on my FortiGate the SSO Server is disconnected, and on the FSSO Agent there are 0 FortiGates connected. I already configured the LDAP Server and it's working. Does anyone have any idea?
What all have you done for troubleshooting so far?