Chapter 3 Authentication for FortiOS 5.0 : Agent-based FSSO : Configuring the FSSO Collector agent for Windows AD : Configuring FortiGate group filters
  
Configuring FortiGate group filters
FortiGate group filters actively control which user logon information is sent to each FortiGate unit. You need to configure the group filter list so that each FortiGate unit receives the correct user logon information for the user groups that are named in its security policies. These group filters help limit the traffic sent to the FortiGate unit, and help limit the logon events logged.
The maximum number of Windows AD user groups allowed on a FortiGate unit depends on the model. Low-end models up to the 300A support 256 Windows AD user groups, whereas mid- and high-end models support 1024 groups. If VDOMs are enabled on the FortiGate unit, this limit applies per VDOM.
You do not need to configure a group filter on the Collector agent if the FortiGate unit retrieves group information from Windows AD using LDAP. In that case, the Collector agent uses the list of groups you selected on the FortiGate unit as its group filter.
The filter list is initially empty. You need to configure filters for your FortiGate units using the Add function. At a minimum, create a default filter that applies to all FortiGate units without a defined filter.
 
If no filter is defined for a FortiGate unit and there is no default filter, the Collector agent sends all Windows AD group and user logon events to the FortiGate unit. While this normally is not a problem, limiting the amount of data sent to the FortiGate unit improves performance by reducing the amount of memory the unit uses to store the group list and resulting logs.
To configure a FortiGate group filter
1. From the Start menu select Programs > Fortinet > Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
2. In the Common Tasks section, select Set Group Filters.
The FortiGate Filter List opens. It has the following columns and buttons:
FortiGate SN: The serial number of the FortiGate unit to which this filter applies.
Description: An optional description of the role of this FortiGate unit.
Monitored Groups: The Windows AD user groups that are relevant to the security policies on this FortiGate unit.
Add: Create a new filter.
Edit: Modify the filter selected in the list.
Remove: Remove the filter selected in the list.
OK: Save the filter list and exit.
Cancel: Cancel changes and exit.
3. Select Add to create a new filter. If you want to modify an existing filter, select it in the list and then select Edit.
4. Enter the following information and then select OK.
Default filter: Select to create the default filter. The default filter applies to any FortiGate unit that does not have a specific filter defined in the list.
FortiGate Serial Number: Enter the serial number of the FortiGate unit to which this filter applies. This field is not available if Default filter is selected.
Description: Enter a description of this FortiGate unit’s role in your network. For example, you could list the resources accessed through this unit. This field is not available if Default filter is selected.
Monitor the following groups: The Collector agent sends the FortiGate unit the user logon information for the Windows AD user groups in this list. Edit this list using the Add, Advanced and Remove buttons.
Add: In the preceding single-line field, enter the Windows AD domain name and user group name, and then select Add. If you don’t know the exact name, use the Advanced button instead.
The format of the entry depends on the AD access mode (see “Configuring Directory Access settings”):
  Standard mode: Domain\Group
  Advanced mode: cn=group, ou=corp, dc=domain
Advanced: Select Advanced, select the user groups from the list, and then select Add.
Remove: Remove the user groups selected in the monitor list.
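The following added example models the filter behaviour described above so that a filter list can be audited offline before it is applied. It is not Fortinet's code: it checks that each Monitored Groups entry matches the format of the configured AD access mode, resolves which group list a given unit would receive (its own filter, else the Default filter, else every AD group), and flags lists that exceed the per-model group limit. The serial numbers and group names are constructed placeholders.

```python
import re

# Entry formats per AD access mode (from the Add field description above).
STANDARD_RE = re.compile(r"^[^\\\s]+\\[^\\]+$")                       # Domain\Group
ADVANCED_RE = re.compile(r"^cn=[^,]+(\s*,\s*(ou|dc)=[^,]+)+$", re.I)   # cn=group, ou=corp, dc=domain

# Per-VDOM group limits by model class (256 for low-end up to the 300A, 1024 for mid/high-end).
GROUP_LIMITS = {"low": 256, "mid_high": 1024}

# Constructed sample filter list keyed by FortiGate SN; the None key models the Default filter.
SAMPLE_FILTERS = {
    "FGT-SN-PLACEHOLDER-1": ["EXAMPLE\\Finance", "EXAMPLE\\HR"],
    None: ["EXAMPLE\\Domain Users"],
}
# Constructed list of every group the Collector agent knows about.
SAMPLE_AD_GROUPS = ["EXAMPLE\\Finance", "EXAMPLE\\HR", "EXAMPLE\\Domain Users", "EXAMPLE\\IT"]


def is_valid_entry(entry: str, mode: str) -> bool:
    """Return True if the entry is well-formed for the given AD access mode."""
    if mode == "standard":
        return bool(STANDARD_RE.match(entry))
    if mode == "advanced":
        return bool(ADVANCED_RE.match(entry))
    raise ValueError(f"unknown AD access mode: {mode}")


def invalid_entries(filters: dict, mode: str) -> list:
    """List (serial, entry) pairs whose format does not match the access mode."""
    return [(sn, e) for sn, groups in filters.items() for e in groups
            if not is_valid_entry(e, mode)]


def groups_for_fortigate(filters: dict, serial: str, all_ad_groups: list) -> list:
    """Groups the Collector agent sends to one unit: its own filter, else the
    Default filter, else all Windows AD groups (no filter and no default)."""
    if serial in filters:
        return list(filters[serial])
    if None in filters:
        return list(filters[None])
    return list(all_ad_groups)


def over_capacity(groups: list, model_class: str) -> bool:
    """True if the group list exceeds the model's per-VDOM group limit."""
    return len(groups) > GROUP_LIMITS[model_class]


if __name__ == "__main__":
    print("invalid:", invalid_entries(SAMPLE_FILTERS, "standard"))
    print("unlisted unit gets:", groups_for_fortigate(SAMPLE_FILTERS, "FGT-SN-UNLISTED", SAMPLE_AD_GROUPS))
```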