Use Active Directory objects directly in policies Use Active Directory objects directly in policies Active Directory (AD) groups can be used directly in identity-based firewall policies. You do not need to add remote AD groups to local FSSO groups before using them in policies. FortiGate administrators can define how often group information is updated from AD LDAP servers. To retrieve and use AD user groups in policies: Set the FSSO Collector Agent AD access mode Add an LDAP server Create the FSSO collector that updates the AD user groups list Use the AD user groups in a policy Set the FSSO Collector Agent AD access mode To use this feature, you must set FSSO Collector Agent to  Advanced  AD access mode. If the FSSO Collector Agent is running in the default mode, FortiGate cannot correctly match user group memberships. Add an LDAP server When configuring an LDAP connection to an Active Directory server, an administrator must provide Active Directory user credentials. To secure this connection, use LDAPS on both the Active Directory server and FortiGate. See  Configuring an LDAP server  and  Configuring client certificate authentication on the LDAP server . Apply the principle of least privilege. For the LDAP regular bind operation, do not use credentials that provide full administrative access to the Windows server when using credentials. See  Configuring least privileges for LDAP admin account authentication in Active Directory . To add an LDAP server in the GUI: Go to  User & Authentication > LDAP Servers . Click  Create New . Configure the settings as needed. If secure communication over TLS is supported by the remote AD LDAP server: Enable  Secure Connection  . Select the protocol. Select the certificate from the CA that issued the AD LDAP server certificate. If the protocol is LDAPS, the port will automatically change to 636. Click  OK . To add an LDAP server in the CLI: config user ldap edit "AD-ldap" set server "10.1.100.131" set cnid "cn" set dn "dc=fortinet-fsso,dc=com" set type regular set username "cn=Administrator,cn=users,dc=fortinet-fsso,dc=com" set password XXXXXXXXXXXXXXXXXXXXXXXX next end Create the FSSO collector that updates the AD user groups list To create an FSSO agent connector in the GUI: Go to  Security Fabric > External Connectors . Click  Create New . In the  Endpoint/Identity  section, click  FSSO Agent on Windows AD . Fill in the  Name Set the  Primary FSSO Agent  to the IP address of the FSSO Collector Agent, and enter its password. Set the  User Group Source  to  Local . Set the  LDAP Server  to the just created  AD-ldap  server. Enable  Proactively Retrieve from LDAP Server . Set the  Search Filter  to  (&(objectClass=group)(cn=group*)) . The default search filter retrieves all groups, including Microsoft system groups. In this example, the filter is configured to retrieve  group1 ,  group2 , etc, and not groups like  grp199 . The filter syntax is not automatically checked; if it is incorrect, the FortiGate might not retrieve any groups. Set the  Interval (minutes)  to configure how often the FortiGate contacts the remote AD LDAP server to update the group information. Click  OK . To view the AD user groups that are retrieved by the FSSO agent, hover the cursor over the group icon on the fabric connector listing. To create an FSSO agent connector in the CLI: config user fsso edit "ad-advanced" set server "10.1.100.131" set password XXXXXXXXXXXXXX set ldap-server "AD-ldap" set ldap-poll enable set ldap-poll-interval 2 set ldap-poll-filter "(&(objectClass=group)(cn=group*))" next end You can view the retrieved AD user groups with the  show user adgrp  command. Use the AD user groups in a policy The AD user groups retrieved by the FortiGate can be used directly in firewall policies.