Firewall Policies with AD Groups

I'm running into a problem when creating firewall rules that apply to active directory groups. I went through the process of hooking up my domain to the firebox and was able to successfully test it with my user accounts. I also added the group I'm trying to target in the Users and Groups menu under Authentication. When I create the firewall policy, however, it doesn't work. It's a deny HTTPS packet filter policy that is from the AD group to a FQDN (*.amazon.com). Users in that group are still able to access the website. For testing purposes, I changed the policy to apply from any-trusted instead of the AD group and it worked as expected. This leads me to believe that the issue isn't with the policy configuration but rather with the link to the domain. Anyone have any ideas why this happening?


  • Options

    Please post a sample deny log message showing this

  • Options

    How are AD users authenticating to the firewall?
    Via SSO ?

  • Options

    I apologize. I should have followed up sooner. After doing research, I discovered that I didn't configure the SSO settings on the Firebox or my DC server. I was able to get it working. Thank you Bruce for responding!

Sign In to comment.