DamianLozano
New Member
January 6, 2021
Question

Sync with AD troubleshooting

  • January 6, 2021
  • 1 reply
  • 11969 views

Hello people,

Happy new year!!

This is a Fortigate 60F with latest firmware: 6.4.4

I could setup the fortigate to sync with AD without the agent, using the polling method, with an external connector, it is working.

If I go to "Dashboard -> FortiView Sources", I can see if each PC has an AD user, I also can check for a machine, which IPv4 policies is using, so I can know which policy is it matching.

But I wonder if there is another method to know if that synchronization is working fine, or if a specific user has any kind of problem with this, from the Fortigate (CLI or GUI).

If a user does not match an IPv4 policy that it is supposed to match, how can I check why?

Thanks in advance

Regards,

Damián

Alivo__FTNT
Staff
January 7, 2021

Hello Damián,

You can set up a firewall policy without the FSSO user group, with the same src/dst and all as it is configured for the actual FSSO policy, and place it below the FSSO policies. Any IP matching this new policy is one not being authenticated. That's an example.

Best Regards, Alivo
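The catch-all policy described in this reply, written out as FortiOS CLI configuration (an added example, not configuration from the thread or from Fortinet). The interface names, the FSSO group name "FSSO_Domain_Users" and the policy IDs are assumptions; substitute the ones from the unit.

```text
config firewall policy
    edit 10
        set name "Internet-FSSO-users"
        set comments "Normal policy: only IPs that FSSO has mapped to a group member match here"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_Domain_Users"
        set logtraffic all
        set nat enable
    next
    edit 11
        set name "Catch-unauthenticated"
        set comments "Same src/dst/service as policy 10 but no FSSO group: any hit is an IP with no AD user mapping"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    move 11 after 10
end
```

Policy order decides the match, so the catch-all must sit directly below the FSSO policies (the `move 11 after 10` line enforces that); every forward-traffic log line carrying policy ID 11 is then a source IP that the FSSO mapping did not resolve to a user, which is the first thing to check for a user who "does not match" the expected policy.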


Yurisk
SuperUser
January 7, 2021

- To see what policy is being matched for a user (after all, FSSO etc. are just means to map an AD username to an IP address; the security policies work with IPs, not usernames), the universal approach for any policy-related debug goes:

diagnose debug flow filter <filtering param>
diagnose debug flow show function-name enable
diagnose debug flow trace start
diagnose debug enable

- With any external server authentication, regardless of what it is:

diagnose debug app fnbamd -1
diagnose deb enable

This will give the details of the "chat" session of the Fortigate with the external server.

- For general health status of the Fortigate connection to the AD DC (look for the Local Agent status):

diagnose debug authd fsso server-status


DamianLozano
New Member
January 7, 2021

Thank you for sharing your knowledge,

For the first list of commands, I did know about "diagnose debug flow" but I did not know about this line:

diagnose debug flow show function-name enable

Thanks, I think I will use "FortiView Sources - Policies" from the GUI.

About the second list of commands, I assume that this should show the dialog between the Fortigate unit and the domain controller in this case; I cannot understand anything of the output.

"diagnose debug authd fsso server-status" works and shows me this:

Server Name         Connection Status   Version           Address
-----------         -----------------   -------           -------
Local FSSO Agent    connected           FSAE server 1.1   127.0.0.1

I think this is like the green arrow up or the red arrow down in the GUI, am I right?

Regards,

Damián