FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Debbie_FTNT
Staff
Article Id 337001
Description

This article describes some basic troubleshooting tools available on FortiAuthenticator.

Scope

FortiAuthenticator up to firmware version 6.6.x.

Solution

FortiAuthenticator provides some troubleshooting options.

These include:

  • Event Logs.
  • Monitor section.
  • Debug logs.
  • Limited CLI commands.
  • Packet capture.

This article touches on each and includes a note on suggested use cases for troubleshooting.

No matter what troubleshooting options are used, as the first step to isolate any problem, the event logs are a good starting point.

  • Filter for the time when the issue happened.
  • Identify if the problem is reoccurring and if it can be reproduced.
  • Verify how many users/sites are affected and if there are patterns to the issue (a particular time, user, or group is affected).

Some guides to more specific troubleshooting are linked at the bottom of this article.

  1. Event Logs.

These can be found under Logging -> Log Access -> Logs. FortiAuthenticator writes these event logs for most routine actions, such as user/admin authentication, remote user sync rules running, or scheduled backups. These are also the logs sent to syslog/FortiAnalyzer if remote logging is enabled.

These logs can provide some error details if any particular issues are encountered. The logs are sorted by timestamp by default, and starting in firmware 6.5 only the last 24h are displayed by default; this can be changed by clicking on the filter icon.

The log overview also allows for basic filtering by supplying a search string: FortiAuthenticator will display logs that contain that string in any log field, but it does not allow for filtering on any particular log field.


Selecting a log message brings up a pane with the log details.

Raw logs can be downloaded by selecting 'Downloads' and selecting 'Raw Log'.


Suggested Use:

  • Any issues.
  • Filter on relevant search-string.
  • Ensure the correct time period is set.
  • Download raw logs to search with an editor (like Notepad++).
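As an added example (not part of the original article), the following Python script does on a downloaded raw log what the GUI search cannot: it filters on one specific field plus a time window and tallies failures per user. The key=value layout, field names and sample lines are assumptions constructed for illustration, not a real FortiAuthenticator export.

```python
"""Per-field filtering of a downloaded FortiAuthenticator raw event log.
Added example, not the article's code: the GUI only matches a search string
across all fields; field names and sample lines below are constructed in
Fortinet-style key=value syntax and are an assumption."""
from datetime import datetime
import shlex

# Constructed sample export (assumed format, not a real FortiAuthenticator log).
SAMPLE_LOG = """\
date=2024-03-11 time=09:14:02 type=event subtype=authentication user="alice" srcip=10.0.0.5 status=success msg="Local user authentication successful"
date=2024-03-11 time=09:15:40 type=event subtype=authentication user="bob" srcip=10.0.0.9 status=failed msg="Remote LDAP user authentication failed"
date=2024-03-11 time=09:16:11 type=event subtype=system user="admin" srcip=10.0.0.2 status=success msg="Administrator login successful"
date=2024-03-11 time=11:02:55 type=event subtype=authentication user="alice" srcip=10.0.0.5 status=failed msg="Token code invalid"
"""

def parse_line(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):  # shlex keeps msg="a b c" as one token
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def parse_log(text):
    """Parse every non-empty line of a raw log export."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]

def filter_events(events, field, value, start=None, end=None):
    """Keep events with field == value inside an optional 'YYYY-MM-DD HH:MM:SS' window."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    kept = []
    for ev in events:
        if ev.get(field) != value:
            continue
        ts = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
        if (lo and ts < lo) or (hi and ts > hi):
            continue
        kept.append(ev)
    return kept

def failures_per_user(events):
    """Count status=failed events per user to spot the per-user patterns mentioned above."""
    counts = {}
    for ev in events:
        if ev.get("status") == "failed":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts
```

Timestamps are compared in whatever timezone the export uses, so apply the same offset to the window if the appliance logs in UTC.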

  2. Monitor section.

    The Monitor section is similar in function to FortiView in FortiGates; it provides a current overview of some aspects of FortiAuthenticator.

    The Monitor section is split into two subsections, 'SSO' and 'Authentication'.

    'SSO' covers any FSSO-related displays, such as currently logged-in FSSO users, connected DC Agents, Windows Event Log polling status, and FortiGates that query the Authenticator via FSSO.

    'Authentication' covers an assortment of authentication-related displays, such as current SAML IdP sessions, RADIUS Accounting sessions, and Windows AD domain join status.

    Suggested Use:

    FSSO, SAML, Domain-related issues.

    Check the SSO section for FSSO-related issues.

    Delete the SAML IdP cookie under Monitor -> Authentication -> SAML IdP Sessions to trigger re-authentication for SAML users.

    Check Monitor -> Authentication -> Windows AD for domain join status.

  3. Debug logs.

    Many FortiAuthenticator services write debug logs (with various depths) by default.

    These logs can be accessed by navigating to a specific URL: https://<FortiAuthenticator>/debug.

    Accessing the URL defaults to displaying the RADIUS Authentication log, and navigation to other debugs is available either via a menu on the left side (6.5/6.6) or a drop-down menu in the upper left corner (6.4 and lower).

    Each debug log can also be accessed individually via a more specific URL, an overview of those may be found here: Troubleshooting Tip: How to debug FortiAuthenticator Services.

    These debug logs can provide additional insight into errors, but may not be easily readable.

    The search field allows for entering basic strings; FortiAuthenticator will then display only the lines in the debug log that contain the string one or more times. The match is NOT case-sensitive.

    The debug logs can be downloaded; the download button is only available while the log is NOT filtered.

    There is a setting for log file size; this setting applies to ALL debug logs, so increasing it means that all debug logs are increased to that size. Under some circumstances, this may lead to debug reports generating more slowly.

    Note:

    Timestamps may be either expressed in the local FortiAuthenticator time OR UTC; this varies depending on the log and firmware version.

    1. RADIUS Authentication log.

      This captures ANY non-FSSO related authentication, including admin logins, portal, SAML, etc., as FortiAuthenticator treats those authentication attempts as RADIUS requests from one of its services to its RADIUS service.

      Debugging may need to be enabled: starting in firmware 6.5, the RADIUS service no longer writes extensive debug logs by default.

    2. FSSO Agent log.

      This is the equivalent of a Collector Agent log on a standalone Collector Agent.

      Debug level may be set in the FSSO General settings in FortiAuthenticator GUI; under SSO Methods -> Fortinet SSO -> General, or in firmware 6.6, under Fortinet SSO -> Methods -> Log Config. Changing the debug level restarts the FSSO service.

    3. Web Service -> Apache, and Others -> GUI.

      Both of these debug logs deal with Web Service/GUI, including admin GUI, any portal, and SAML. Details on SAML authentication and Internal Server Errors are usually visible here.


      Suggested Use:

      Any issues.

      Check the RADIUS Authentication log for any non-FSSO authentication.

      Check FSSO logs for any FSSO-related issues.

      Check GUI and Apache logs for any GUI/Web Service/Portal issues.

      Download the logs and share them with Technical Support.

  4. CLI commands.

    FortiAuthenticator does have a CLI, but it only provides very limited configuration and debug capabilities.

    The following can be configured:

      • Interfaces, static routes, DNS.
      • HA (this is NOT recommended to configure via CLI).
      • Global settings (timezone, hostname, allowed hosts).

    'show full' will dump the CLI-available configuration in full.

    For troubleshooting, the following commands are usually most useful:

      • get system status <- general overview of system and HA.
      • execute ping/traceroute <IP|FQDN> <- ping/traceroute to destination.
      • execute nslookup <FQDN> <- looks up IP.
      • dia netlink route <- dumps the routing table.
      • dia netlink arp list|flush <- dumps/flushes the ARP table.
      • dia web restart <- restarts Web Services; impacts admin logins, SAML, any portals.
      • dia auth restart <- restarts RADIUS service; makes ANY authentication unavailable for the duration of the restart (usually 1-2 minutes).
      • dia sys wad debug crash read <- dumps a WAD daemon crash log, available from 6.5.
      • debug radius <0|1|2> <- sets RADIUS debug to 0 (disable), 1 (enable), 2 (detailed debugging); same function as the button in RADIUS debug logs.

    Suggested Use:

    Network/connectivity issues.

    General (very basic) overview.

  5. Packet capture.

FortiAuthenticator allows for taking packet captures in two places: GUI, and CLI.

GUI packet capture is available under System -> Network -> Packet Capture; it does not allow for any filtering except which interface, and is limited to 4000 packets.

CLI packet capture is similar to FortiGate's 'diagnose sniffer' command:

execute tcpdump -i <interface> -c <count> <other tcpdump parameters, like -n or -v> <filter>

execute tcpdumpfile -i <interface> -c <count> <other tcpdump parameters, like -n or -v> <filter>

The output of 'execute tcpdump' shows in the CLI window; the output of 'execute tcpdumpfile' is written to a pcap which may then be downloaded from https://<FortiAuthenticator>/debug/pcap-dump.


An in-depth guide on packet captures is available here: Technical Tip: How to run a Packet Capture with FortiAuthenticator.


Suggested Use:

Network/connection issues.

Packet analysis in Wireshark.


Related articles, further reading:

FortiAuthenticator Documentation

That link directs to the official FortiAuthenticator documentation, including Administration Guides and Release Notes.


Troubleshooting Tip: How to work with FortiAuthenticator Technical Support

That article outlines what information to collect from FortiAuthenticator when opening a support case. Any troubleshooting done as outlined in this KB article should be included when submitting a case.


Technical Tip: How FSSO works and how to troubleshoot FSSO

That article goes into detail about how FSSO works and where to focus on troubleshooting.


Technical Tip: Best practices on hardening FortiAuthenticator environments

That article provides some best practices for FortiAuthenticator.


Technical Tip: How to configure FortiAuthenticator load-balancing cluster

That article provides details on how to configure and troubleshoot FortiAuthenticator load-balancing clusters.