roootccc
New Member
November 9, 2018
Question

FSSO issue

  • November 9, 2018
  • 2 replies
  • 6129 views

We often encounter users not being captured by FSSO, and thus traffic was denied.

We would like to confirm whether the user was a dead entry at that time, but I can't seem to find anywhere that I can monitor dead entry hosts/users. Is there any way I can confirm if a user/host is being locked as a dead entry?

    2 replies

    neonbit
    New Member
    November 9, 2018

    How are you doing FSSO? Are you polling the DC from the FortiGates or are you using a collector agent? If you're using the collector agent you'll be able to see which users are logged in and which have dead entries.

    Fishbone_FTNT
    Staff
    November 9, 2018

    Hi, dead entry is simply gone - it's dead :)

    A workstation can be in either the "OK" or the "Not Verified" state. "OK" means the CA can reach the workstation using at least one of its IP addresses and positively check the user's presence there (using WMI or RRA).

    If the CA actually can't reach the workstation, it will set its state to "Not Verified", typically because of some firewall restrictions (Sharing and WMI-in must be allowed in). Such a workstation is automatically removed after "Dead entry timeout interval" seconds. Then it's gone and the user on the workstation must trigger a logon event again (usually he will log out and in again).

    Note that any logon event associated with a "Not Verified" workstation will refresh it, setting the state back to "OK". But just for a while, because the next workstation check will fail again.

    hth,

    -Fishbone

    roootccc
    Author
    New Member
    November 12, 2018

    Fishbone wrote:

    Hi, dead entry is simply gone - it's dead :)

    A workstation can be in either the "OK" or the "Not Verified" state. "OK" means the CA can reach the workstation using at least one of its IP addresses and positively check the user's presence there (using WMI or RRA).

    If the CA actually can't reach the workstation, it will set its state to "Not Verified", typically because of some firewall restrictions (Sharing and WMI-in must be allowed in). Such a workstation is automatically removed after "Dead entry timeout interval" seconds. Then it's gone and the user on the workstation must trigger a logon event again (usually he will log out and in again).

    Note that any logon event associated with a "Not Verified" workstation will refresh it, setting the state back to "OK". But just for a while, because the next workstation check will fail again.

    hth,

    -Fishbone

    We are using this mode. Is this CA?

    seshuganesh
    Staff
    May 11, 2022

    Hi Team

    This was posted a long time ago, but it could help someone who is facing the issue now.

    This type of issue is mostly related to the DNS server which is configured on the AD server. Let's say the DNS records on the AD server are not updated properly with the correct IP: if they point to the wrong IP, the wrong IP will be mapped to the user name in the logon user list of FSSO.

    It's better to focus on the DNS records on the AD server for these types of issues.

    You can check and keep us posted.
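
A check that covers both causes raised in this thread (a workstation the collector agent cannot reach, and a DNS record pointing at the wrong IP), as an added example that is not part of the original posts or any Fortinet tool. It assumes the collector agent tries the addresses DNS returns for the workstation name, uses TCP 135 and 445 as stand-ins for WMI and sharing/remote-registry reachability, and takes a hypothetical `source_ip` field (the address the user's denied traffic came from); all users, hosts and addresses are constructed.

```python
import socket

# Assumed stand-ins for the checks named in the thread: RPC endpoint mapper for
# WMI (TCP 135) and SMB for sharing/remote registry (TCP 445). Open != working.
CHECK_PORTS = (135, 445)

def resolve_a(hostname):
    """Return the set of IPv4 addresses DNS currently gives for hostname."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def tcp_open(ip, port, timeout=2.0):
    """True if a TCP connection to ip:port succeeds within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(entry, resolve=resolve_a, probe=tcp_open):
    """Return a list of findings for one user/workstation row (empty = fine)."""
    dns_ips = resolve(entry["workstation"])
    if not dns_ips:
        return ["no DNS A record for workstation"]
    findings = []
    if entry["source_ip"] not in dns_ips:  # stale or wrong record
        findings.append(f"DNS gives {sorted(dns_ips)} but traffic comes from {entry['source_ip']}")
    if not any(probe(ip, p) for ip in sorted(dns_ips) for p in CHECK_PORTS):
        findings.append("TCP 135 and 445 both unreachable: expect Not Verified")
    return findings

# Constructed sample data: hypothetical users, hosts and documentation-range IPs.
SAMPLE = [
    {"user": "alice", "workstation": "WS-001", "source_ip": "192.0.2.10"},
    {"user": "bob", "workstation": "WS-002", "source_ip": "192.0.2.20"},
    {"user": "carol", "workstation": "WS-003", "source_ip": "192.0.2.30"},
]
FAKE_DNS = {"WS-001": {"192.0.2.10"}, "WS-002": {"192.0.2.99"}, "WS-003": {"192.0.2.30"}}
FAKE_OPEN = {("192.0.2.10", 445), ("192.0.2.99", 135)}

def demo():
    """Run diagnose() offline against the constructed DNS and open-port tables."""
    fake = (lambda h: FAKE_DNS.get(h, set()), lambda ip, port: (ip, port) in FAKE_OPEN)
    return {e["user"]: diagnose(e, *fake) for e in SAMPLE}

if __name__ == "__main__":
    print(demo())
```

Run from the collector agent host, `diagnose(row)` with its default arguments performs real DNS lookups and TCP connects instead of using the constructed tables.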