Fortigate – Recognise Active Directory Users, Windows Server 2019

Reading through some googled stuff and one youtube vid to find out how it works.

Log on with your Fortigate account at

Yes you should have an account to get to the firmwares and downloads.

(edit: Click tab Download, Select Fortigate, then browse to / FortiGate/ v5.00/ 5.4/ 5.4.0/ FSSO/  and click “HTTPS”, not checksum )

Get the file “FSSO_Setup_5.0.0287_x64.exe”  at the Download tab.

At the moment this is the latest version.

I set up a service account in AD first and used that info when running the installer.
(You are asked to provide domain user credentials, it believe it must be a user that can at least read the security logs)

I installed the agent with default settings.

I finished the installer on my fresh DC (it being a windows server 2019).

Be sure to set a password for communications between the agent and the Fortigate.

You have to tweak the firewall to let the traffic of this FSSO client through to the Fortigate. Port 8000, 8001, 8002.

Next you configure a Fortinet Single Sign-On Agent in the “Security Fabric/Fabric Connectors” of your Fortigate.

These two should talk to each other now.

Considerations for the Agent:

  • You may increase the log file settings to 50Mb or instead of the default 10 Mb.
  • Click Show Monitored DC’s and then click “Select DC to Monitor” and select all your DC’s for polling
  • You can add a group filter, or add an ignore list to reduce traffic

Next you need to add a group in the Fortigate User & Device / User Groups

Select Create New, Select FSSO at the type of group.

When you want to add users to this group you can select and AD user, e.g. Domain Users

Now you can recognise AD users using this group, let them through to internet in a policy, etc.

Hope this helps you.


This entry was posted in News. Bookmark the permalink.