The lab set out to achieve the following:
- Have two AD user groups in the on-premises AD: one whose members are allowed to browse bbc.com and one whose members are denied.
- Have the Fortinet FSSO Agent installed on the on-premises AD server to sync users and groups from on-premises AD to the FortiGate firewall, so that firewall policies can be created directly against AD objects.
- Use the resulting Allow and Deny policies to permit or block traffic to bbc.com based on AD group membership.
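The FSSO group and policy configuration the lab builds in the GUI, written out as FortiOS CLI. This is an added example, not configuration taken from the lab write-up or from Fortinet's documentation; the collector agent address and password, the AD group names and DNs, and the interface names are assumed placeholders for the hypervlab.local lab.

```fortios
# FSSO collector agent on the on-premises AD server; IP and password are placeholders
config user fsso
    edit "FSSO-OnPrem-AD"
        set server "192.0.2.10"
        set password "REPLACE-WITH-AGENT-PASSWORD"
    next
end
# FortiGate groups of type fsso-service, each mapped to one AD group by DN (DNs assumed)
config user group
    edit "FSSO-Allow-BBC"
        set group-type fsso-service
        set member "CN=BBC-Allow,OU=Groups,DC=hypervlab,DC=local"
    next
    edit "FSSO-Deny-BBC"
        set group-type fsso-service
        set member "CN=BBC-Deny,OU=Groups,DC=hypervlab,DC=local"
    next
end
config firewall address
    edit "bbc.com"
        set type fqdn
        set fqdn "bbc.com"
    next
end
# Deny policy (10) sits above allow policy (11): FortiGate matches top-down, so a user in
# both AD groups is denied. Interface names are assumed; logging makes the Userb test visible.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "bbc.com"
        set groups "FSSO-Deny-BBC"
        set action deny
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "bbc.com"
        set groups "FSSO-Allow-BBC"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
end
```

A user who is in neither group matches neither policy and falls through to whatever broader policy or implicit deny follows, so check that the surrounding policy order still produces the intended result for unlisted users.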
Screenshots from the lab (captions only; the images are not preserved here), in the order the steps were carried out:
- Creating the LDAP connection between FortiGate and on-premises AD (parts I and II)
- Able to log in to FortiGate via LDAP authentication through on-premises AD
- Setting up the FSSO Agent on the FortiGate firewall (the agent was already installed on the on-premises AD server)
- FSSO Agent on on-premises AD feeding users to the FortiGate firewall correctly
- FortiGate SSO user groups created with nested on-premises AD groups inside
- Linux host correctly added to the on-premises AD domain hypervlab.local
- AD authentication connection to the Linux host
- On the Linux host joined to on-premises AD, home_dir creation for new users upon login works correctly
- Usera correctly able to browse to bbc.com
- Userb correctly denied access to bbc.com, even from the Linux host
On the Linux host, log in with the username in domain\username form and the password of the AD account.
The FortiOS 7.0 administration guide describes the same procedure:
https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/795593/use-active-directory-objects-directly-in-policies