FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Debbie_FTNT
Staff
Article Id 191852

Description
This article describes the two possible sources of user group information when an explicit proxy is configured with Kerberos authentication, and the issues that may arise from this.

Solution
FortiGate and FortiProxy support Kerberos authentication for explicit proxy connections.

This includes gathering information about user groups to match individual users into the appropriate policies.
Under some circumstances, FortiGate/FortiProxy might show an unexpected user group or not perform a proper lookup against LDAP when one is expected.

- Proxy users may show with only one group in the authenticated user list: their primary group as defined in LDAP/Active Directory. This can be checked with:

# dia wad user list

- FortiGate may miss all other group memberships, even if those groups are used in policies with a higher priority, causing users to match unexpected policies.

This may be caused by the pac-data setting on the keytab entry:

# config user krb-keytab
    edit <keytab-name>
        set pac-data enable
    next
end

This setting allows FortiProxy/FortiGate to take additional information (including group information) from the Kerberos tickets involved in authentication.
As a result it does NOT perform an actual lookup against LDAP, so any group membership that is not included in the Kerberos ticket is missed.

WAD debug output can help pinpoint this:

# dia wad filter src <IP address>
# dia wad debug en cat auth
# dia wad debug en cat policy
# dia wad debug en level verbose
# dia de en

WAD debug will NOT show an actual group lookup against LDAP; it will instead show users matching a cached group.
This remains the case even if the LDAP user/group cache is disabled:

# config web-proxy global
    set ldap-user-cache disable
end

- If WAD debug still shows users matching against cached results, even with the group cache disabled and the WAD service restarted, this is a strong indicator that the pac-data setting is in use and is responsible for the mismatches.
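As an added example that is not part of the original article, the following FortiOS CLI sequence puts the checks above together with the corrective setting, using the article's prompt convention (a leading # marks a command typed at the CLI). The keytab entry name <keytab-name> and the client address are placeholders. That disabling pac-data makes the unit fall back to an actual LDAP group lookup is an assumption drawn from the article's description of the enabled behaviour, not a statement from the article itself.

```fortios
# dia wad user list

# dia wad filter src <client IP address>
# dia wad debug en cat auth
# dia wad debug en cat policy
# dia wad debug en level verbose
# dia de en

# config web-proxy global
    set ldap-user-cache disable
end

# config user krb-keytab
    edit <keytab-name>
        set pac-data disable
    next
end

# dia de dis
```

Read the sequence in four steps: first record which groups the affected user currently shows in the WAD user list; then capture authentication and policy matching for that one client so the output stays readable; then disable the LDAP user cache so that a cached match can no longer be explained by the cache (the article notes that the WAD service also needs to be restarted for this check); finally, if the user still matches a cached group, disable pac-data on the keytab entry so that group membership is taken from LDAP rather than from the ticket, and re-check the user list and the policy the user now matches. Disable debugging again once the investigation is finished.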