So I got it to work by starting from scratch. This is what I did (maybe not in this exact same order).
I am using two domain controllers for this; not sure if it matters, but this is my scenario.
[ul]
[li]Created one LDAP connection (Domain-1).[/li]
[li]Created two Single Sign-On Connections: one connection (Domain-1) is a Poll Active Directory Server one that uses the LDAP server created above, so the IP and the LDAP server are the same (Domain-1). The other connection (Domain-2) is a Fortinet Single-Sign-On Agent one; this uses the IP of my other DC but it uses the LDAP server from before (Domain-1). In this connection I selected the groups I want to monitor.[/li]
[li]Installed the agent on Domain-2 (you have to reboot the server). I configured the following in here:
[ul]
[li]Monitor user logon events and Support NTLM Authentication[/li]
[li]Show Monitor DC – Select DC to monitor – Selected Polling Mode using WMI and checked all my DCs.[/li]
[li]Set Directory Access Information to Advanced. In the Advanced settings I just entered the LDAP info (Domain-2).[/li]
[li]Set Group Filters – it pulls the info from the FortiGate so I didn't touch anything.[/li]
[li]In my case, because I am monitoring Citrix XenDesktop VMs, I went to the Advanced Settings under the Citrix/Terminal Server tab and specified all the Citrix servers I am monitoring. I also installed the TS Agents on these servers and specified the Fortinet SSO Collector Agent IP/Port to be Domain-2:8002.[/li]
[/ul][/li]
[li]In the FortiGate under User & Device – Single Sign-On I can see that the status for both Domain-1 and Domain-2 is green.[/li]
[/ul]
[ul]
[li]Under User & Device – User Groups I created an FSSO Group and added the Active Directory members that I specified when I created the Single-Sign-On connection (Domain-2).[/li]
[/ul]
[ul]
[li]Under IPv4 Policy I created another policy (User to Internet) on top of an existing policy (LAN to Internet) that allows my internal network to access the internet. I originally tried to edit the Source of my existing policy and add the FSSO group in there; however, this caused some devastating issues because the users were not being authenticated and thus were not able to access the internet.
So, if you make a new policy and put it on top of the existing one, in the event that users don't authenticate it will move to the next policy and still give them internet access.[/li]
[/ul]
The new policy I created has as its source an Address Group I created for my Citrix Servers and the FSSO group. I enabled the option to Log All Sessions. Once I got all this to work I enabled IPS, DLP, AV, Web-Filter and CASI. Once all that was working I enabled SSL/SSH Inspection.
Log & Report – User Events is your friend. In the Forward Traffic Log, if you see the user and the icon is blue it means that it was authenticated; if it is red it wasn't.
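The same setup expressed as FortiOS CLI, added here as an illustration rather than taken from the post above: one LDAP server, the polling and agent FSSO connections, the FSSO user group, and the "User to Internet" policy moved above the existing LAN policy so unauthenticated users fall through. All IPs, DNs, group names, interface names and policy IDs are assumed placeholders.

```fortios
# Placeholder values throughout; replace with your own environment.
config user ldap
    edit "Domain-1"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc-fsso,cn=Users,dc=example,dc=local"
        set password "PLACEHOLDER"
    next
end
# "Poll Active Directory Server" connection: FortiGate polls Domain-1 itself
config user fsso-polling
    edit 1
        set status enable
        set server "192.0.2.10"
        set user "svc-fsso"
        set password "PLACEHOLDER"
        set ldap-server "Domain-1"
    next
end
# "Fortinet Single-Sign-On Agent" connection: collector agent runs on Domain-2,
# but group lookups still use the Domain-1 LDAP server
config user fsso
    edit "Domain-2"
        set server "192.0.2.20"
        set port 8000
        set password "PLACEHOLDER"
        set ldap-server "Domain-1"
    next
end
# FSSO group holding the AD group selected on the Domain-2 connection
config user group
    edit "FSSO-Group"
        set group-type fsso-service
        set member "CN=Internet-Users,OU=Groups,DC=example,DC=local"
    next
end
# New policy: Citrix address group + FSSO group as source, all sessions logged.
# Assumes the existing "LAN to Internet" policy is ID 10; the new one is ID 20.
config firewall policy
    edit 20
        set name "User to Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Citrix-Servers"
        set dstaddr "all"
        set groups "FSSO-Group"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    move 20 before 10
end
```

After applying it, `diagnose debug authd fsso list` shows the logged-on users the FortiGate currently knows about, which is the quickest way to confirm that a red (unauthenticated) session in the Forward Traffic Log is a learning problem on the collector side rather than a policy-order problem.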