FortiGate Administration via AD Group (LDAP)

FortiOS Version: 5.6.0

  1. Create an AD Security Group in your Active Directory domain and populate it with users that you want to grant administrative access on the FortiGate. The group should be populated with a set of users that require the same level of administrative privileges.
  2. Create an LDAP server definition on the FortiGate that points to the AD server in the "User & Device -> LDAP Servers" config context. When using AD, you need to change the "Common Name Identifier" to "sAMAccountName".
    [Screenshot: LDAP Server Definition]
  3. Create a user group on the FortiGate that points to the AD Security Group via the LDAP server definition.
    1. Navigate to "User & Device -> User Groups" and click the "+ Create New" button.
    2. Type a name in the "Name" field to represent the local group definition which will point to the AD group.
    3. In the "Remote Groups" section, click the "+ Add" button.
    4. Select the LDAP server you defined in Step 2 in the "Remote Server" popup menu.
    5. Right-click the AD Security Group you created and click "+ Add Selected".
    6. Click the "Selected" tab near the top to verify the correct AD group was added.
    7. Click the "OK" button at the bottom of the page. The result should look similar to the depiction below.
      [Screenshot: User Group Definition]
    8. Click the "OK" button at the bottom of the page.
    9. Your group definition should be in the list of groups, as the "AD-ADMINS" example below.
      [Screenshot: User Group List]
  4. If the default profiles do not meet your requirements, then create a new Admin Profile by navigating to "System -> Admin Profiles" and clicking the "+ Create New" button. Give the profile a name and select the rights you want to assign to the group. Click the "OK" button to save the config changes. Some of the options are shown below.
    [Screenshot: Admin Rights Definition]
  5. The final step is to create an administrator definition that allows the LDAP administrators to log in to and administer the FortiGate.
    1. Navigate to "System -> Administrators" and click the "+ Create New" button.
    2. Give the administrator definition a name that represents the AD admins in the "User Name" field.
    3. Select "Match all users in a remote server group" as the administrator Type.
    4. Select the "Administrator Profile" you created in Step 4, or one of the predefined admin profiles.
    5. Select the "Virtual Domains" you want the AD admins to be able to administer. If you select the predefined "super_admin" profile, there is no option to select VDOMs, because that profile grants all rights to the FortiGate.
    6. Select the User Group you created in Step 3 in the "Remote User Group" popup.
    7. Move the "Restrict login to trusted hosts" slider if you want to restrict the source IPs allowed to log in as this admin group, then populate the subnets that are allowed for admin login.
    8. Click the "OK" button at the bottom of the screen. Examples below:
      [Screenshot: VDOM Admin Example]
      [Screenshot: Super Admin Example]
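The same configuration, expressed as FortiOS CLI in the order of Steps 2 through 5 above. This is an added example, not part of the original guide or Fortinet documentation: the object names (AD-LDAP, AD-ADMINS, AD-VDOM-ADMINS), the server address, base DN, service-account DN, AD group DN and trusted-host subnet are placeholders to be replaced with your own values, and the `set secure ldaps` / `set port 636` lines assume your domain controller offers LDAPS so the bind credentials and group lookups are not sent in clear text. Lines beginning with `#` are annotations.

```text
# Step 2: LDAP server definition. For AD the Common Name Identifier must be
# sAMAccountName so the FortiGate matches Windows logon names.
config user ldap
    edit "AD-LDAP"
        set server "192.0.2.10"                 # placeholder: domain controller
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"              # placeholder: base DN of the domain
        set type regular                        # bind with a low-privilege service account, not anonymous
        set username "CN=svc-fortigate,OU=Service Accounts,DC=example,DC=com"
        set password "<service-account-password>"
        set secure ldaps                        # assumption: DC is reachable over LDAPS
        set port 636
    next
end

# Step 3: local user group that maps to the AD Security Group.
config user group
    edit "AD-ADMINS"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=FortiGate-Admins,OU=Groups,DC=example,DC=com"   # placeholder
            next
        end
    next
end

# Step 4: admin profile scoped to a VDOM; rights are read-write only where the
# admin group needs them (adjust to your requirements).
config system accprofile
    edit "AD-VDOM-ADMINS"
        set scope vdom
        set authgrp read-write
        set fwgrp read-write
        set loggrp read
        set netgrp read-write
        set sysgrp read
        set utmgrp read-write
        set vpngrp read-write
    next
end

# Step 5: administrator entry. "wildcard enable" is the CLI form of
# "Match all users in a remote server group".
config system admin
    edit "AD-ADMINS"
        set remote-auth enable
        set wildcard enable
        set remote-group "AD-ADMINS"
        set accprofile "AD-VDOM-ADMINS"
        set vdom "root"                         # VDOM(s) this group may administer
        set trusthost1 10.0.0.0 255.255.255.0   # placeholder: management subnet only
    next
end
```

For the Super Admin variant, use `set accprofile "super_admin"` and omit the `set vdom` line, since that profile grants all rights on every VDOM. Leaving the `trusthost` lines out is equivalent to allowing logins from any source address (0.0.0.0/0), so set at least one management subnet for any remote-authenticated admin group. Before relying on the mapping, test a bind and group lookup from the CLI with `diagnose test authserver ldap AD-LDAP <username> <password>`; the output shows whether authentication succeeded and which AD groups were returned for the user.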