Skip to main content
GDumaresq
GDumaresq
New Member
January 29, 2020
Question

Users are not getting de-authenticated after logoff

  • January 29, 2020
  • 1 reply
  • 9143 views

Hi everyone !

 

We're using FSSO (DC-Agent mode) to give access (or not) to the internet through our Fortigate with the use of Windows (AD) groups. But i noticed that computers will still have access to the internet even after a user (with permissions) has logged off and another user (without permissions) logs in.

 

I know i can de-authenticate the first user manually from the menu Monitor - Firewall User Monitor, but isn't that supposed to be done automatically after a while ?!?

 

We have the following setup in the Timers section of FSSO :

Workstation verify interval (minutes) : 5

Dead entry timeout interval (minutes) : 480

IP address change verify interval (minutes) : 60

Cache user group lookup result is un-checked

 

Am i missing something ?

 

If so, what is it ?!?

 

Thanks for your help ! 

    1 reply

    xsilver_FTNT
    Staff
    xsilver_FTNT
    Staff
    February 6, 2020

    Hi,

    normally there is not much as logoff event, especially on older Windows.

    However there is WMI API in windows, which might give us hints about logouts.

    So on standalone Collector Agent > Advanced Settings > Workstation Check > 'Use WMI to check user logoff' tick this checkbox.

     

    Another hints to timers:

    - if new logged in user is spotted by FSSO, then this new logon should overwrite existing (old) one, and therefore workstation should have new user in the list since his logon

    - if there is logoff without new login, or non-FSSO user logged in, then if workstation verification works OK, then for next X minutes (Workstation verification interval), there will be allowed traffic. If the verification works OK, and user is not found on workstation, then it is supposed to get cleared out of the FSSO user records, and such artificial logoff propagated to connected FortiGates.

    - if workstation verification fails, and there is no new logon, then current state will be kept and user considered as still logged on without ability to verify him for Y minutes (Dead entry timeout).

     

    Suggestions:

    - use WMI for logoff detection

    - make sure Workstation verification shows OK on Show Logon Users (on Collector)

    - consider Timers according to your needs and network setup. And maybe, for unverified workstations, consider shorted Dead entry timer. Zeroes instead of minutes disable those timers.

     

    GDumaresq
    GDumaresqAuthor
    New Member
    February 6, 2020

    Thanks for your reply xsilver !

     

    It turns out our main issue was related to the "Set Ignore User List" not being configured properly. And it has been fixed.

     

    But there is still a small issue with the following scenario :

    1. A user with permissions (member of one of the "Group Filters" list) logs on to a domain computer and has access to the internet (which is fine).

    2. The user then logs off that computer (not detected by the FSSO Collector even if I checked the "'Use WMI to check user logoff".

    3. If someone then logs on to that computer with a local account (not domain), the internet access is still active on that computer from the first user who logged on.

     

    But then again, it's not a big issue because a very tiny amount of our users have access to the local computer accounts.

     

    Thanks again, have a good day !

    xsilver_FTNT
    Staff
    xsilver_FTNT
    Staff
    February 6, 2020

    Hi,

    described scenario is one of few where such user can get temporary access to protected resources.

    I hate this term but it actually is "by-design".

    As FSSO pre-authenticate source IP of the computer on your FortiGate.

    And it will be seen as valid until there is either one of following triggers:

    - new domain logon spotted by FSSO overwriting actual (old in this case) user record

    - workstation check verifies that expected user is not logged on anymore

    - workstation check failed and dead entry timer timed out

    - manual removal by admin, either by clear on collector or selective clear on FortiGate

    - WMI logoff spotted and processed

     

    To minimize impact in your scenario and limit attack vectors, you can:

    - narrow down or completely restrict access to local accounts on workstations (with limited amount of admins)

    - shorten workstation check to fire user out more quickly, but keep in mind it has its price in network usage

    - shorten dead entry timer to prevent usage when workstation check fails (new local user logged in blocked verification to prolong his "authenticated" stay as dead entry, much longer timer, will apply).

     

    Terms & ConditionsAccessibility statement