New Member

Solved

FSSO user logon Problems

Forum|Forum|10 years ago
August 20, 2015
3 replies
18989 views

Hello,

i have some strange problems on a 200A 4.0 MR Patch 15.

The FSSO is Runnig with a DC Agent on Domain Controller. DC Agen Version 4.3.0129

so the Problem is... The DC Agents collects the User Logons Properly u can see all the users on "Show logon users", The DC Agent is connected to the Fortigate and if i do diag debug authd fsso server-status it is "connected"

But the user logons are not passed to the Fortigate. if i do diag debug authd fsso list = there is no users, so my FSSO Firewall policy doesn´t work.

do anyone have an idea how to solve this?

4.0MR3

Best answer by xsilver_FTNT

Hello,

as you do not have LDAP bond to FSSO Agent on FGT ('config user fsso'), then you need to have manually specified groups in FGT _AND_ Collector Agent as well.

So what did you set in 'config user adgrp' on FGT has to be (at least those) set on Collector Agent. Use Set Group Filter in Collector GUI. Result should be also visible in registry and exported config , example as below:

[HKEY_LOCAL_MACHINE\software\fortinet\fsae\collectoragent\Filter\Default] "description"="Default filter" "groups"="Example\INTERNET-FULL"

Alternatively, you can set LDAP on FGT towards DC, add that to FSSO Agent, then you have to switch Collector to Advanced mode in Set Directory Access Information. All current group bonds need to be redefined as format will change from MS style DOMAIN\GROUP to LDAP format CN=group,DC=example,dc=com ..

Pro of all that is that from now on you will be able to set group filters right from FGT (no need to touch Collector). Will gain info about exact group position so two groups placed differently in the tree with same name are no problem anymore. And Advanced mode allows group nesting as a bonus. Peronally I do prefer this Advanced mode.

Kind regards, Tomas

Sylvia

Explorer

Do you have a group filter on the Collector Agent? Or did you mark all user that the shouldn't be synchronized to the Fortigate? Both are settings from the Collector Agent...

And how does the config look like on the Fortigate?

Especially this part in the CLI:

show user fsso

Regards,

Sylvia

HolyAuthor

New Member

Hello, it look like this 172.16.1.25 is the DC Agent on the Domain Controller.

config user fsso

    edit "FSSO_172.16.1.25"

        set password ENC NJuMLHH7eY5Qr+B1LcngXhjai9jjV/JoRNWd6k3RPF6IHB/lgZI+GVcJOd+OVCXu3W9TzFKgcT/jSX+p9W+stNx1+vz3zKih6sRKUF3dZTobvfZF

        set server "172.16.1.25"

    next

end

i do have Group Filter on the Collector Agent with only Groups that i need have to be synchronised

This is the Output of config user adgrp

config user adgrp

    edit "Example/ACCESS-INTERNET-ADVANCED"

        set server-name "FSSO_172.16.1.25"

    next

    edit "Example/ACCESS-INTERNET-BASIC"

        set server-name "FSSO_172.16.1.25"

    next

    edit "Example/ACCESS-INTERNET-FULL"

        set server-name "FSSO_172.16.1.25"

    next

    edit "Example/ACCESS-INTERNET-NONE"

        set server-name "FSSO_172.16.1.25"

    next

diag deb auth fsso server-status

 # diag deb authd fsso server-status

 # 2015-08-20 17:01:29

Server Name			     Connection Status     Version

-----------			     -----------------     -------

2015-08-20 17:01:29 FSSO_172.16.1.25                     connected             FSSO 4.3.0129

diag debug Flow

 # diag deb authd fsso refresh-groups

 # 2015-08-20 17:03:01 id=36871 trace_id=177 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.1.25:8000->172.16.254.10:9906) from internal."

2015-08-20 17:03:01 id=36871 trace_id=177 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, reply direction"

2015-08-20 17:03:01 id=36871 trace_id=178 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.254.10:9906->172.16.1.25:8000) from local."

2015-08-20 17:03:01 id=36871 trace_id=178 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, original direction"

2015-08-20 17:03:11 id=36871 trace_id=179 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.1.25:8000->172.16.254.10:9906) from internal."

2015-08-20 17:03:11 id=36871 trace_id=179 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, reply direction"

2015-08-20 17:03:11 id=36871 trace_id=180 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.254.10:9906->172.16.1.25:8000) from local."

2015-08-20 17:03:11 id=36871 trace_id=180 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, original direction"

Sylvia wrote:
Do you have a group filter on the Collector Agent? Or did you mark all user that the shouldn't be synchronized to the Fortigate? Both are settings from the Collector Agent...

And how does the config look like on the Fortigate?
Especially this part in the CLI:
show user fsso

Regards,
Sylvia

Fishbone_FTNT

Staff

Sylvia wrote:
Do you have a group filter on the Collector Agent? Or did you mark all user that the shouldn't be synchronized to the Fortigate? Both are settings from the Collector Agent...

And how does the config look like on the Fortigate?
Especially this part in the CLI:
show user fsso

Assuming you checked FSSO CA logs .... Sylvia is right, problems are most likely in group filters.

Here is small overview how it works:

Group filter is list if groups exchanged between Fortigate and FSSO CA which members of groups should be sent to Fortigate. Both Fortigate and FSSO CA can configure this filter. This filter could be in Windows notation, or LDAP groups notation.

From Fortigate you can however specify only LDAP group filter (by selecting LDAP server and groups in FSSO CA configuration).You can find this group list in "config user adgrp". It's not well known this list could be (at your own risk) edited since FortiOS 5.0.4. It might come handy in multidomain environments with single FSSO CA.

In FSSO CA the group filter is organized in registry, based on SN of the unit which connected to it.

It is preferred group filter sent (if configured to do so) from Fortigate. In that case FSSO CA saves this filter in registry under Fortigate's serial number. It's always overwritten (keep in mind this if you use multi-vdom scenario connecting to the same FSSO CA).

It might come handy to specify so called default filter, which is sent to all connecting Fortigates, but only if there is neither specific SN-based filter on CA, nor the filter is received from Fortigate.

Now we have explained how group filters work. But now it also depends how groups are evaluated in FSSO CA! We distinguish between Standard mode (windows group resolution) and Advanced mode (LDAP group resolution). Since users' groups have to match group filter, FSSO CA AD mode has to match too. If group filter is in Windows notation, you have to set Standard mode. If you set group filter with LDAP groups, you have to use Advanced mode.

Let me know if you have more questions.

Cheers,

Ales

xsilver_FTNTAnswer

Staff

Hello,

as you do not have LDAP bond to FSSO Agent on FGT ('config user fsso'), then you need to have manually specified groups in FGT _AND_ Collector Agent as well.

So what did you set in 'config user adgrp' on FGT has to be (at least those) set on Collector Agent. Use Set Group Filter in Collector GUI. Result should be also visible in registry and exported config , example as below:

[HKEY_LOCAL_MACHINE\software\fortinet\fsae\collectoragent\Filter\Default] "description"="Default filter" "groups"="Example\INTERNET-FULL"

Alternatively, you can set LDAP on FGT towards DC, add that to FSSO Agent, then you have to switch Collector to Advanced mode in Set Directory Access Information. All current group bonds need to be redefined as format will change from MS style DOMAIN\GROUP to LDAP format CN=group,DC=example,dc=com ..

Pro of all that is that from now on you will be able to set group filters right from FGT (no need to touch Collector). Will gain info about exact group position so two groups placed differently in the tree with same name are no problem anymore. And Advanced mode allows group nesting as a bonus. Peronally I do prefer this Advanced mode.

Kind regards, Tomas

HolyAuthor

New Member

So Problem Solved but it was realy not easy :=)

We tried with an System Engineer from Fortinet Support 2h together and tried everything, i think this was just some kind of a bug of this old versions.

After deleting and reinstalling all again it works now, but no one knows what was the real Problem and if that will occur again soon.

I hope it will work for 2 Month from now, then we do a Migration to 200D and everything should be ok.

Thank you all for your Help!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded