FortiGate
fgilloteau_FTNT
Article Id 195950

Description


This article describes a troubleshooting command that dumps the users authenticated by the WAD proxy, together with the groups retrieved for them.

 

Scope

 

FortiGate.

Solution


This can be used for debugging purposes to check whether a particular user has been authenticated by WAD and whether the expected group membership has been retrieved for that user.
WAD is made of multiple processes: several WAD worker processes, one wanopt process (which also acts as a worker), one informer process, one manager process and one dispatcher process. Because a user session is held by one of the worker processes, the list of processes needs to be checked first with the command:

 

diagnose debug enable
diagnose test application wad 1000

Process [0]: WAD manager type=manager(0) pid=163 diagnosis=yes.
Process [1]: type=dispatcher(1) index=0 pid=181 state=running
              diagnosis=no debug=enable valgrind=unsupported/disabled
Process [2]: type=wanopt(2) index=0 pid=182 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [3]: type=worker(3) index=0 pid=183 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [4]: type=worker(3) index=1 pid=185 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [5]: type=worker(3) index=2 pid=186 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [6]: type=informer(4) index=0 pid=166 state=running
              diagnosis=no debug=enable valgrind=unsupported/disabled

 

Note: The number of WAD processes depends on the number of proxy features enabled and in use. FortiOS can initiate different kinds of WAD processes; the list above is just an example; it can be much bigger in some environments.

With this list, the number of worker processes is known (here three workers plus the wanopt process, which also serves sessions), and each of them can be checked in turn for the authenticated user and the group:

 

diagnose test application wad 2300           <----- Enter into a worker context.
    set diagnosis process: type=worker index=0 pid=183

 

Note: The argument used to enter a process context is built as '2' (set the diagnosis process), followed by the process type ID, here '3' (type=worker(3)), followed by the two-digit process index: '00' for index 0, '01' for index 1 and so on, as in 2300, 2301 and 2302 below. For the wanopt process the type ID is 2, so the argument is 2200:

 

diagnose test application wad 110            <----- Check the information of this worker.
users:
blackout users:
global concurrent user limit: 65536
Total allocated user:0 stale_count:0, in_list=0
Total shared user count:1, shared user quota:8000, form_auth_keepalive=0,active=0
Explicit proxy authentication timeout: 60 sec, timeout precision: 1935 msec

diagnose test application wad 2301
    set diagnosis process: type=worker index=1 pid=185

diagnose test application wad 110
users:
blackout users:
global concurrent user limit: 65536
Total allocated user:0 stale_count:0, in_list=0
Total shared user count:1, shared user quota:8000, form_auth_keepalive=0,active=0
Explicit proxy authentication timeout: 60 sec, timeout precision: 1935 msec

diagnose test application wad 2302

    set diagnosis process: type=worker index=2 pid=186

 

diagnose test application wad 110
users:
blackout users:
global concurrent user limit: 65536
Total allocated user:0 stale_count:0, in_list=0
Total shared user count:1, shared user quota:8000, form_auth_keepalive=0,active=0
Explicit proxy authentication timeout: 60 sec, timeout precision: 1935 msec

diagnose test application wad 2200
    set diagnosis process: type=wanopt index=0 pid=182

diagnose test application wad 110
users:
     user:fred@LAB_TEST.LOCAL@10.0.11.177(0x3599f030), type:SES, vf:0, ref:105, ntlm:0, has_fsae:0, guest:0
     user:1(0x315ad030), ip:1(0x359e512c), scheme=3, auth=yes, tfa=no, timeout:alive, id:3
     out_ip=0.0.0.0 out_ipv6=:: ftp_out_ip=0.0.0.0
     concurrent user limit: 65536 lifetime=1378s, creation time:Fri Sep  6 16:46:52 2019

    membership_type=1 number=2 srv/is_ldap=testfred/1:
    [member 1 len=44]: cn=domain users,cn=users,dc=lab_test,dc=local
    [member 2 len=40]: cn=internet,cn=users,dc=lab_test,dc=local


Here, user fred's session has been assigned to the wanopt process, which is also used as a normal worker process; this is why the session was not found in workers 0, 1 and 2.

The output also shows that user fred has been authenticated (auth=yes) and that the groups 'domain users' and 'internet' have been retrieved from the LDAP server 'testfred' (srv/is_ldap=testfred/1). If the user appears with auth=yes but the expected group is missing from the member list, the LDAP group lookup, rather than the authentication itself, is what needs to be investigated.
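The procedure above is easy to script when many workers have to be walked through. The following Python example is added here and is not part of the article or of FortiOS: it parses the output of 'diagnose test application wad 1000' to build the 2xyy selection commands for every worker and wanopt process (the two-digit index encoding is inferred from the 2300/2301/2302/2200 arguments shown above), then parses the 'diagnose test application wad 110' output of one process to extract the user, the auth flag, the LDAP server and the group DNs. The sample outputs embedded in the script are copied from the article; the helper names (parse_process_list, select_command, parse_user_dump, has_group) are the example's own.

```python
import re

# Output of 'diagnose test application wad 1000', copied from the article.
PROCESS_LIST = """\
Process [0]: WAD manager type=manager(0) pid=163 diagnosis=yes.
Process [1]: type=dispatcher(1) index=0 pid=181 state=running
              diagnosis=no debug=enable valgrind=unsupported/disabled
Process [2]: type=wanopt(2) index=0 pid=182 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [3]: type=worker(3) index=0 pid=183 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [4]: type=worker(3) index=1 pid=185 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [5]: type=worker(3) index=2 pid=186 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [6]: type=informer(4) index=0 pid=166 state=running
              diagnosis=no debug=enable valgrind=unsupported/disabled
"""

# 'diagnose test application wad 110' on a worker holding no session (article output).
EMPTY_DUMP = """\
users:
blackout users:
global concurrent user limit: 65536
Total allocated user:0 stale_count:0, in_list=0
Total shared user count:1, shared user quota:8000, form_auth_keepalive=0,active=0
Explicit proxy authentication timeout: 60 sec, timeout precision: 1935 msec
"""

# Same command on the wanopt process that holds fred's session (article output).
WANOPT_DUMP = """\
users:
     user:fred@LAB_TEST.LOCAL@10.0.11.177(0x3599f030), type:SES, vf:0, ref:105, ntlm:0, has_fsae:0, guest:0
     user:1(0x315ad030), ip:1(0x359e512c), scheme=3, auth=yes, tfa=no, timeout:alive, id:3
     out_ip=0.0.0.0 out_ipv6=:: ftp_out_ip=0.0.0.0
     concurrent user limit: 65536 lifetime=1378s, creation time:Fri Sep  6 16:46:52 2019

    membership_type=1 number=2 srv/is_ldap=testfred/1:
    [member 1 len=44]: cn=domain users,cn=users,dc=lab_test,dc=local
    [member 2 len=40]: cn=internet,cn=users,dc=lab_test,dc=local
"""

PROC_RE = re.compile(r"type=(?P<name>\w+)\((?P<tid>\d+)\)\s+index=(?P<idx>\d+)\s+pid=(?P<pid>\d+)")
USER_RE = re.compile(r"user:(?P<user>\S+?)@(?P<ip>\d+\.\d+\.\d+\.\d+)\(")
AUTH_RE = re.compile(r"\bauth=(yes|no)\b")
MEMBERSHIP_RE = re.compile(r"membership_type=(\d+) number=(\d+) srv/is_ldap=(\S+)/(\d):")
MEMBER_RE = re.compile(r"\[member (\d+) len=(\d+)\]:\s*(.*)$")


def parse_process_list(text):
    """Return the WAD processes that carry an index (the manager line has none and is skipped)."""
    procs = []
    for line in text.splitlines():
        m = PROC_RE.search(line)
        if m:
            procs.append({"type": m["name"], "type_id": int(m["tid"]),
                          "index": int(m["idx"]), "pid": int(m["pid"])})
    return procs


def select_command(proc):
    """Build the 'set diagnosis process' argument: '2' + type ID + two-digit index (inferred from the article)."""
    return f"diagnose test application wad 2{proc['type_id']}{proc['index']:02d}"


def session_capable(procs):
    """Only workers and the wanopt process hold user sessions, so only those need to be dumped."""
    return [p for p in procs if p["type"] in ("worker", "wanopt")]


def parse_user_dump(text):
    """Parse 'diagnose test application wad 110' output into user records with their LDAP groups."""
    users, cur = [], None
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:  # first line of a user entry: name@realm@client-ip
            cur = {"user": m["user"], "ip": m["ip"], "auth": None, "ldap_server": None, "groups": []}
            users.append(cur)
            continue
        if cur is None:
            continue
        m = AUTH_RE.search(line)
        if m:
            cur["auth"] = m.group(1) == "yes"
        m = MEMBERSHIP_RE.search(line)
        if m:
            cur["ldap_server"] = m.group(3)
        m = MEMBER_RE.search(line)
        if m:
            cur["groups"].append(m.group(3).strip())
    return users


def has_group(user, cn):
    """Case-insensitive check of the first RDN (cn=...) of each retrieved group DN."""
    for dn in user["groups"]:
        rdn = dn.split(",", 1)[0]
        if rdn.lower().startswith("cn=") and rdn[3:].strip().lower() == cn.lower():
            return True
    return False


if __name__ == "__main__":
    for p in session_capable(parse_process_list(PROCESS_LIST)):
        print(select_command(p), "  # then: diagnose test application wad 110")
    for u in parse_user_dump(WANOPT_DUMP):
        print(u["user"], u["ip"], "auth=" + str(u["auth"]), "ldap=" + str(u["ldap_server"]))
        print("  member of 'internet':", has_group(u, "internet"))
```

In practice the two sample strings would be replaced by the output captured over SSH for each selection command; a user missing from every worker dump has not authenticated at all, while a user present with auth=yes but without the expected cn in the member list points at the LDAP group lookup.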