I have been setting up a lot of FortiGates recently, and on my first few I had issues with the settings for LDAP. I found that it was tricky to remember the correct settings, and typing out the long LDAP strings by hand is error-prone and leads to typos.
- Log on to the FortiGate and go to Users -> Remote -> LDAP (Create New)
- Fill in a Name for the connector
- Fill in the IP address of the server that has LDAP installed
- Change the Common Name Identifier to: sAMAccountName
- Enter the Distinguished Name; if your domain was domain.local the distinguished name would be: DC=domain,DC=local
- Make your Bind Type Regular
- In the User DN box you must type the full path to the user, e.g. if your user is domain.local/users/service accounts/fortigate you would need the following: CN=fortigate,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=domain,DC=local
- Type the password for your service account
This should be all that you require. One thing to keep an eye on is typos when entering the User DN: a mistake there will stop you from being able to log on with the SSL-VPN, or anything else for that matter!
If you get an error in the logs for SSL-VPN saying no_matching_policy then you will have a typo somewhere.
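Because the User DN is where the typos creep in, here is a small added helper (my own example, not anything from Fortinet) that builds the DN from the path you see in Active Directory Users and Computers, and sanity-checks a hand-typed DN against the Distinguished Name you entered. The path and DN values are the ones from the steps above; the check logic is an assumption about what a well-formed DN looks like, not a FortiGate feature.

```python
import re

# RFC 4514 characters that must be escaped inside an RDN value
_ESCAPE = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value; a leading '#' or space and a trailing space also need escaping."""
    out = _ESCAPE.sub(r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def domain_to_base_dn(domain: str) -> str:
    """'domain.local' -> 'DC=domain,DC=local' (the FortiGate Distinguished Name field)."""
    return ",".join(f"DC={escape_rdn_value(p)}" for p in domain.split("."))


def ad_path_to_user_dn(path: str) -> str:
    """Turn an ADUC-style path 'domain.local/OU/.../OU/account' into the User DN.
    A DN lists the most specific container first, so the OU order is reversed."""
    parts = [p for p in path.split("/") if p]
    domain, ous, account = parts[0], parts[1:-1], parts[-1]
    rdns = [f"CN={escape_rdn_value(account)}"]
    rdns += [f"OU={escape_rdn_value(ou)}" for ou in reversed(ous)]
    return ",".join(rdns) + "," + domain_to_base_dn(domain)


def check_user_dn(user_dn: str, base_dn: str) -> list:
    """Return a list of problems found in a hand-typed User DN (empty list = looks fine)."""
    problems = []
    split_unescaped_comma = lambda s: re.split(r"(?<!\\),", s)  # noqa: E731
    rdns, base = split_unescaped_comma(user_dn), split_unescaped_comma(base_dn)
    for rdn in rdns:
        if "=" not in rdn:
            problems.append(f"component without '=': {rdn!r}")
            continue
        attr, value = rdn.split("=", 1)
        if attr.strip().upper() not in ("CN", "OU", "DC"):
            problems.append(f"unexpected attribute type: {attr!r}")
        if not value.strip():
            problems.append(f"empty value in {rdn!r}")
        if re.search(r"(?<!\\)=", value):  # usually a missing comma between two RDNs
            problems.append(f"unescaped '=' inside value of {rdn!r}")
        if attr != attr.strip() or value != value.strip():
            problems.append(f"stray whitespace in {rdn!r}")
    if not rdns[0].strip().upper().startswith("CN="):
        problems.append("User DN should start with the account's CN")
    if [r.lower() for r in rdns[-len(base):]] != [b.lower() for b in base]:
        problems.append("User DN does not end with the Distinguished Name's DC components")
    return problems
```

A missing comma (for example `OU=MyBusinessDC=domain`) is reported both as an unescaped `=` inside a value and as a DN that does not end with the base DN, which is exactly the kind of slip that produces the no_matching_policy error described above.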
I had a customer that wanted to block iGoogle but allow Google, which turns out to be tricky, as the only way to tell the difference is by the gadgets and the title bar.
I did some research about iGoogle: every iGoogle page I tested has the same title in the HTML source code, exactly: <title>iGoogle</title>
So you can use a DLP sensor to detect this title in the HTTP response and block these sites. I have tested this on a FortiGate-60B with firmware version 4.2.3.
I tried to solve this problem with application control, the web content filter and the FortiGuard web filter, but I didn't find a solution there.