Troubleshooting Tip: SSO tool script for listing managed networks

This article describes how to download and run a script that lists the networks on a FortiGate that are managed by the appliance. The script is for troubleshooting purposes.

These managed networks are used by the appliance when determining to which FortiGate SSO messaging should be sent. For example, if the IP address of a host whose status has changed is within one of the networks listed, the appliance sends messaging to the FortiGate configured for that network.

For more details on Security Fabric communication, see the Fortinet Security Fabric reference manual.

v8
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/6cb09363-f69a-11ea-96b9-00505692583a/FortiNAC_Security_Fabric_Integration_Guide.pdf 

v9
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/531a1ca6-b168-11eb-b70b-00505692583a/FortiNAC_Security_Fabric_Integration_Guide_v9.pdf 

1. Download the attached script file (ssoTargets.zip).

2. Using WinSCP or a similar program, upload the script to appliance under /bsc/logs directory.  Use SCP transfer protocol.

3. Login as root to the appliance CLI and type
cd /bsc/logs

4. Extract the file, make it executable and remove any hidden characters. Type

unzip ssoTargets.zip

chmod 755 ssoTargets.sh
dos2unix ssoTargets.sh

5. Run the script. Type
ssoTargets.sh

It may take a few moments before results are displayed. The output will be similar to below.

> ssoTargets.sh

####################################
# FGT-Branch - 10.12.240.13 - 5557 #
####################################
10.10.10.0/24
10.12.240.12/30
10.12.243.0/26
172.16.98.96/27
172.7.13.0/24
172.8.13.0/24

#################################
# FGT-Core - 10.12.240.5 - 6965 #
#################################
10.10.10.0/24
10.12.240.20/30
10.12.240.24/30
10.12.240.28/30

Example: A registered host connects to the network and obtains an IP address of 172.7.13.8. The appliance would send a Logon event SSO message to IP address 10.12.240.13.