yeowkm99
New Member
August 3, 2022
Question

DNS server not updating

  • August 3, 2022
  • 3 replies
  • 6336 views

In our office network, we make use of Fortinet FSSO to control Internet access per individual user.

After we log in, our AD username and IP address will be logged by our firewall before we are able to access the Internet.

We noticed that sometimes when users go to a different office, their IP address will change.

e.g. from office 1, PC01, 172.20.0.84 changes to office 2, PC01, 172.30.0.74. If the AD DNS record does not update the hostname PC01 to the new office address 172.30.0.74, the user will have issues accessing the Internet, as the firewall log will only show 172.30.0.74 instead of username (172.30.0.74).

The quick and fast way for us to solve this is to do an ipconfig /renew or restart the PC, so that the user will get the new IP address.

Is there any way to resolve this issue?

3 replies

Patterson
Staff
August 3, 2022

Hi yeowkm99,


Can you please check on the FSSO collector agent under Advanced Settings -> Windows security event logs. By default it will be 0; can you try changing it to 2 as per the KB below?

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Windows-event-IDs-used-by-FSSO-in-WinSec-polling/ta-p/189910


Regards,

Patterson

yeowkm99 (Author)
New Member
August 3, 2022

Currently set as 0. Have changed it to 2.

I saw event IDs 4624 and 4634 in the event logs.

How does changing this value affect the user logon?

Patterson
Staff
August 3, 2022

Hi,

Changing the polling ID will help the agent to collect more security event IDs. The agent requires the workstation name on a security event to update the change in IP. Ideally, Kerberos as the authentication will not have the workstation name, so the agent uses a combination of event IDs like 4768 and 4769 to collect the workstation name.

yeowkm99 (Author)
New Member
August 4, 2022

After changing the value to 2, I still have users with the same issues.

The DNS record is not updating when they switch to a different location.

I need to remove the older record in the DNS Manager on my AD server. Only after I remove the old DNS record can they access the Internet.

yeowkm99 (Author)
New Member
August 4, 2022

I have more than one FSSO collector agent server.

I have since changed the values on all the servers.

pminarik
Staff
August 4, 2022

"Standard FSSO" relies on DNS records being correct. If they're wrong/old, then FSSO will also have wrong/old information. There is simply no way to circumvent this if you're doing polling through event log/DC Agent.


If you have a FortiAuthenticator, consider using the FSSO Mobility Agent (a feature of FortiClient). This does not depend on client DNS records.
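A small check that ties the two replies together (the collector agent keying sessions on the workstation name and source IP from logon events, and standard FSSO depending on the AD DNS record being correct): it flags workstations whose DNS A record no longer matches the source IP in their newest logon event. This is an added example, not code from the thread, Fortinet or FSSO; the event fields and the sample events and DNS table are constructed assumptions.

```python
# Added example (not code from the thread, Fortinet or FSSO): flag workstations
# whose AD DNS A record disagrees with the source IP in their newest logon
# event, i.e. the stale-record condition that leaves FSSO keyed to an old IP.
# Event fields and the sample data below are constructed assumptions.
from dataclasses import dataclass

# Event IDs the thread mentions: 4624 logon, 4634 logoff, 4768/4769 Kerberos.
LOGON_EVENTS = {4624, 4768, 4769}

@dataclass(frozen=True)
class SecEvent:
    event_id: int
    user: str
    workstation: str   # empty when the event carries no workstation name
    source_ip: str

def latest_ip_per_workstation(events):
    """Map WORKSTATION -> (user, ip) from the newest usable logon event."""
    latest = {}
    for ev in events:  # assumed oldest-first, as read from the log
        if ev.event_id in LOGON_EVENTS and ev.workstation:
            latest[ev.workstation.upper()] = (ev.user, ev.source_ip)
    return latest

def stale_dns_records(events, dns_a_records):
    """Return sorted (workstation, user, dns_ip, observed_ip) tuples where the
    DNS A record differs from the IP seen in that workstation's last logon."""
    stale = []
    for host, (user, ip) in latest_ip_per_workstation(events).items():
        dns_ip = dns_a_records.get(host)
        if dns_ip is not None and dns_ip != ip:
            stale.append((host, user, dns_ip, ip))
    return sorted(stale)

# Constructed sample: PC01 moved from office 1 (172.20.0.84) to office 2
# (172.30.0.74), but its A record still points at the office 1 address.
SAMPLE_EVENTS = [
    SecEvent(4624, "alice", "PC01", "172.20.0.84"),
    SecEvent(4634, "alice", "PC01", "172.20.0.84"),
    SecEvent(4768, "alice", "", "172.30.0.74"),   # Kerberos, no workstation
    SecEvent(4624, "alice", "PC01", "172.30.0.74"),
    SecEvent(4624, "bob", "PC02", "172.20.0.90"),
]
SAMPLE_DNS = {"PC01": "172.20.0.84", "PC02": "172.20.0.90"}

if __name__ == "__main__":
    for host, user, dns_ip, ip in stale_dns_records(SAMPLE_EVENTS, SAMPLE_DNS):
        print(f"{host} ({user}): DNS has {dns_ip}, last logon from {ip}")
```

On a real domain the event list would come from the security log of the polled DCs and the DNS table from the AD zone; a hit here is a workstation whose old A record needs clearing or re-registering before the firewall will see the user against the new address.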