This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Denis_Romanov
Employee
Employee
‎2022-04-21 11:57 PM

Fortinet User configuration

Hi! I have a Fortigate configuration (v.6.09) and trying to convert AD groups however it seems those are just ignored in the conversion process for some reason. I've specified an LDAP Account Unit (which is needed to generate a valid mgmt_cli commands) but Access Roles are not created during the conversion. 

Here is how it looks in Fortigate config:

    edit "AD_group_test"
        set member "AD_LDAP_AU"
        config match
            edit 1
                set server-name "AD_LDAP_AU"
                set group-name "CN=AD_group_test,OU=InfoSec,OU=Test,OU=Groups,OU=DC01,DC=test,DC=local"
            next
        end

 And this group is used in the Firewall policy:

    edit 20911
        set uuid 0e48bc7a-bf0b-51ec-d77a-8de1cc2533c7
        set srcintf "any"
        set dstintf "any"
        set srcaddr "Private_nets"
        set dstaddr "10.0.0.1" "10.0.0.2" "10.0.0.3" "Net_10.0.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "AD_group_test"
        set global-label "General rules"
    next

 But SmartMove doesn't generate any Access Role objects (x0)..

Any input on what may be wrong here? From Release Notes it seems that it should be supported..
I'm using the latest SmartMove version 6.0.8068.6581.

Labels
0 Kudos
5 Replies
Ofir_Shikolski
Employee
Employee
‎2022-04-24 12:03 AM

Hi,

SmatMove does not generate AD groups, you will need manually to generate it.

0 Kudos
Denis_Romanov
Employee
Employee
‎2022-04-24 12:23 AM
In response to Ofir_Shikolski

Hi Ofir!

Then could you please clarify what is meant by this statement in the SK?

Users
  • SmartMove cannot create LDAP account unit objects that are needed for the user configuration process. You will need to create this object manually and provide the name of this object to SmartMove for conversion.

 

Also this is confusing:

  • Only Firewall, NAT and Users/Groups configuration (AD) will be converted (including network objects, services, and schedules).

 

What users are converted?

0 Kudos
Ofir_Shikolski
Employee
Employee
‎2022-04-24 03:57 AM
In response to Denis_Romanov

Hi @Denis_Romanov ,

Can you please send me the config file? ofirs@checkpoint.com 

it is working for me 🙂

0 Kudos
Ofir_Shikolski
Employee
Employee
‎2022-06-13 10:41 PM
In response to Ofir_Shikolski

The issue was: not object were found in the config file.

0 Kudos
the_rock
Champion
Champion
‎2022-04-24 02:59 PM

Not sure why it fails for you...I did this conversion before and it converted everything.

0 Kudos
Labels