FSSO Loses User Logins Periodically

Question

I'm running FortiGate's and FAC and I use DC Agents on my domain controllers pointing back to FAC. I have some policies in my FG's that reference FSSO groups. Multiple times per week I find that FAC, and therefore FortiGate, lose track of currently logged in users. This is a problem of course for any fw policies I've written that reference that user account - they stop getting the specified access.

One thing I've noticed in FAC (ver v4.00-build0081-20160601-patch00) is that under Monitor/SSO/FortiGates I notice that the connection time next to my firewall is a couple of days old. Should that Date/Time be pretty recent, or does that even matter?

Another thing is we use a particular endpoint protection suite that causes a service account to appear to log into that machine, overwriting the currently logged in user. I've made use of Fine-grained controls to excluded non-user accounts from SSO but those accounts still appear in the firewall (User & Device/Monitor/Firewall). Not sure if that is related or not.

I'd be interested to know anyone's experiences troubleshooting inconsistencies with DC Agent/FAC/FSSO/FortiGate policies user login status.

Thanks in advance!

xsilver_FTNT · Answer

Q: "connection time next to my firewall is a couple of days old. Should that Date/Time be pretty recent, or does that even matter?"

A: no, it should not. It not the last seen/connected, it's "connected since" timer, so it's pretty good that it last at least few days. It can last months or years. FortiGate and Collector (in this case FortiAuthenticator - FAC hereinafter) do keep connection open and sends keep-alive packets every some 10 sec. So they should be connected for ages. Any more recent date mean that there was connection break/problem or unit restart.

Q: service accounts appearing on FGT FSSO user list

A: those will overwrite existing user, making the user changed on related source IP and if there is workstation check, then when action of that service account ends, that user is no longer present on workstation. Normal user can continue working on the workstation, but if there is no further logon event of that regular user, then last seen is that service account user, and workstation check will be looking for that service account. As it will be no longer present/acting then user will not be found and considered as logged off. And FSSO record removed rightfully as accordingly.

Use of fine grained control and service account exclusion is the right way, but has to be done a proper way.

There are actually two different kinds of "excluded user": - A valid user (such as an admin) that logon to a workstation which is previously used by a different user. In this case FAC should logoff the old user because a workstation can have only one logon user at the same time. - A background user (such as a service account) that does not logon to the workstation but just works at background and leaves some trace in event log. In this case such logon event should be totally ignored and not interfere with existing user.

To differentiate these two kinds of "excluded users", in 4.0.1 we allow importing SSO users with either "DN" or "Username": - Import with "DN" and exclude: the logon user will be ignored but the old user will also be logged off. Can be excluded only after LDAP query = slow down LDAP (and previous DNS). - Import with "Username" and exclude: the logon event will be totally ignored and the old user will not be affected. Will be completely excluded even from usual later DNS and LDAP processing.

Therefore from above you should import those service accounts as "Username". So the regular user will be kept logged and not overwritten by background service account.

Those service logons and FSSO user list overwrites seems to me as the most probable source of your issues with FSSO.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded