FortiGate
fgilloteau_FTNT
Article Id 195950
Description
This article describes a troubleshooting command that dumps the users authenticated by the WAD proxy, together with the groups retrieved for them.

Solution
This can be used for debugging purposes, to check whether a particular user and its groups have been successfully authenticated by WAD.
WAD is made of multiple WAD worker processes, one wanopt process (which also acts as a worker), one informer process, one manager process, and one dispatcher process.
The list of these processes needs to be checked first with the following commands:
# diagnose debug enable
# diagnose test application wad 1000

Process [0]: WAD manager type=manager(0) pid=163 diagnosis=yes.
Process [1]: type=dispatcher(1) index=0 pid=181 state=running
              diagnosis=no debug=enable valgrind=unsupported/disabled
Process [2]: type=wanopt(2) index=0 pid=182 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [3]: type=worker(3) index=0 pid=183 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [4]: type=worker(3) index=1 pid=185 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [5]: type=worker(3) index=2 pid=186 state=running
              diagnosis=no debug=enable valgrind=supported/disabled
Process [6]: type=informer(4) index=0 pid=166 state=running
              diagnosis=no debug=enable valgrind=unsupported/disabled
Note: The number of WAD processes depends on the hardware model.

With the list of WAD workers (plus wanopt), it is possible to select each of them in turn and check it for the authenticated users and their groups. A session is held by only one of these processes, so every worker and the wanopt process must be checked before concluding that a user is not authenticated:
# diagnose test application wad 2300           <----- Select worker index 0 as the diagnosis process
Set diagnosis process: type=worker index=0 pid=183

# diagnose test application wad 110            <----- Dump the authenticated users of the selected worker

users:
blackout users:
global concurrent user limit: 65536
Total allocated user:0 stale_count:0, in_list=0
Total shared user count:1, shared user quota:8000, form_auth_keepalive=0,active=0
Explicit proxy authentication timeout: 60 sec, timeout precision: 1935 msec


# diagnose test application wad 2301
Set diagnosis process: type=worker index=1 pid=185

# diagnose test application wad 110
users:
blackout users:
global concurrent user limit: 65536
Total allocated user:0 stale_count:0, in_list=0
Total shared user count:1, shared user quota:8000, form_auth_keepalive=0,active=0
Explicit proxy authentication timeout: 60 sec, timeout precision: 1935 msec

# diagnose test application wad 2302

Set diagnosis process: type=worker index=2 pid=186

# diagnose test application wad 110
users:
blackout users:
global concurrent user limit: 65536
Total allocated user:0 stale_count:0, in_list=0
Total shared user count:1, shared user quota:8000, form_auth_keepalive=0,active=0
Explicit proxy authentication timeout: 60 sec, timeout precision: 1935 msec

# diagnose test application wad 2200
Set diagnosis process: type=wanopt index=0 pid=182

# diagnose test application wad 110
users:
     user:fred@LAB_TEST.LOCAL@10.0.11.177(0x3599f030), type:SES, vf:0, ref:105, ntlm:0, has_fsae:0, guest:0
     user:1(0x315ad030), ip:1(0x359e512c), scheme=3, auth=yes, tfa=no, timeout:alive, id:3
     out_ip=0.0.0.0 out_ipv6=:: ftp_out_ip=0.0.0.0
     concurrent user limit: 65536 lifetime=1378s, creation time:Fri Sep  6 16:46:52 2019

    membership_type=1 number=2 srv/is_ldap=testfred/1:
    [member 1 len=44]: cn=domain users,cn=users,dc=lab_test,dc=local
    [member 2 len=40]: cn=internet,cn=users,dc=lab_test,dc=local

Here, user fred's session has been assigned to the WAD wanopt process, which is why the three worker contexts show no users. The wanopt process is also used as a normal worker process.

The dump also shows that user fred has been authenticated (auth=yes) and that the groups "domain users" and "internet" have been retrieved from LDAP (srv/is_ldap=testfred/1).
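As an added example that is not Fortinet's code and not part of the original article: a Python script that automates the procedure above from captured CLI output. It assumes the `wad 1000` listing and each `wad 110` dump have been saved as text (for example from an SSH session); the sample strings in the script are copied from the transcript on this page, and the selector arithmetic (2200 + index for wanopt, 2300 + index for workers) is inferred from the codes shown here, so it is an assumption rather than documented behaviour.

```python
import re

# Constructed sample (copied from the transcript above): output of
# "diagnose test application wad 1000" listing the WAD processes.
PROCESS_LIST = """\
Process [0]: WAD manager type=manager(0) pid=163 diagnosis=yes.
Process [1]: type=dispatcher(1) index=0 pid=181 state=running
Process [2]: type=wanopt(2) index=0 pid=182 state=running
Process [3]: type=worker(3) index=0 pid=183 state=running
Process [4]: type=worker(3) index=1 pid=185 state=running
Process [5]: type=worker(3) index=2 pid=186 state=running
Process [6]: type=informer(4) index=0 pid=166 state=running
"""

# Constructed samples (copied from the transcript above): "wad 110" output
# in a worker with no sessions, and in the wanopt process holding user fred.
DUMP_EMPTY = """\
users:
blackout users:
global concurrent user limit: 65536
Total allocated user:0 stale_count:0, in_list=0
"""
DUMP_WANOPT = """\
users:
     user:fred@LAB_TEST.LOCAL@10.0.11.177(0x3599f030), type:SES, vf:0, ref:105, ntlm:0, has_fsae:0, guest:0
     user:1(0x315ad030), ip:1(0x359e512c), scheme=3, auth=yes, tfa=no, timeout:alive, id:3
     out_ip=0.0.0.0 out_ipv6=:: ftp_out_ip=0.0.0.0
     concurrent user limit: 65536 lifetime=1378s, creation time:Fri Sep  6 16:46:52 2019

    membership_type=1 number=2 srv/is_ldap=testfred/1:
    [member 1 len=44]: cn=domain users,cn=users,dc=lab_test,dc=local
    [member 2 len=40]: cn=internet,cn=users,dc=lab_test,dc=local
"""

# Assumption: selector codes generalise the ones shown on this page
# (2200 = wanopt index 0, 2300/2301/2302 = worker index 0/1/2).
SELECTOR_BASE = {"wanopt": 2200, "worker": 2300}

PROC_RE = re.compile(r"type=(?P<type>\w+)\(\d+\)\s+index=(?P<index>\d+)\s+pid=(?P<pid>\d+)")
USER_RE = re.compile(r"^\s*user:(?P<user>\S+?)@(?P<ip>\d+\.\d+\.\d+\.\d+)\(0x[0-9a-f]+\)")
AUTH_RE = re.compile(r"\bauth=(?P<auth>yes|no)\b")
MEMBER_RE = re.compile(r"^\s*\[member \d+ len=\d+\]:\s*(?P<dn>.+?)\s*$")


def session_contexts(process_list: str) -> list:
    """Processes that can own proxy sessions (all workers plus wanopt) and the
    'diagnose test application wad <code>' selector that picks each of them."""
    contexts = []
    for m in PROC_RE.finditer(process_list):
        ptype = m.group("type")
        if ptype in SELECTOR_BASE:
            idx = int(m.group("index"))
            contexts.append({"type": ptype, "index": idx, "pid": int(m.group("pid")),
                             "selector": SELECTOR_BASE[ptype] + idx})
    return contexts


def cli_commands(process_list: str) -> list:
    """Exact command sequence to paste into the FortiGate CLI so that every
    session-holding process is selected and dumped once."""
    cmds = ["diagnose debug enable"]
    for c in session_contexts(process_list):
        cmds.append(f"diagnose test application wad {c['selector']}")
        cmds.append("diagnose test application wad 110")
    return cmds


def parse_user_dump(dump: str) -> list:
    """Turn one 'wad 110' dump into users with their auth state and group DNs."""
    users, current = [], None
    for line in dump.splitlines():
        m = USER_RE.match(line)
        if m:  # first line of a user record: user:<name>@<ip>(<addr>)
            current = {"user": m.group("user"), "ip": m.group("ip"),
                       "auth": False, "groups": []}
            users.append(current)
            continue
        if current is None:  # header lines before any user record
            continue
        a = AUTH_RE.search(line)
        if a:
            current["auth"] = a.group("auth") == "yes"
        g = MEMBER_RE.match(line)
        if g:
            current["groups"].append(g.group("dn"))
    return users


def group_cns(dns: list) -> list:
    """Leading CN of each group DN, e.g. 'domain users' and 'internet'."""
    return [dn.split(",", 1)[0].split("=", 1)[1]
            for dn in dns if dn.lower().startswith("cn=")]


def find_user(dumps: dict, wanted: str) -> dict:
    """Locate a user across the dumps captured per selector code. The session
    lives in only one process, so an empty dump in one worker proves nothing."""
    for selector, dump in dumps.items():
        for u in parse_user_dump(dump):
            if u["user"].split("@", 1)[0].lower() == wanted.lower():
                return {"selector": selector, **u}
    return {}


if __name__ == "__main__":
    print("\n".join(cli_commands(PROCESS_LIST)))
    captured = {2300: DUMP_EMPTY, 2301: DUMP_EMPTY, 2302: DUMP_EMPTY, 2200: DUMP_WANOPT}
    hit = find_user(captured, "fred")
    print(hit["user"], "found via selector", hit["selector"],
          "auth=%s" % hit["auth"], "groups:", group_cns(hit["groups"]))
```

Running it prints the command list to paste into the CLI, then reports that fred was found via selector 2200 (the wanopt process), is authenticated, and carries the groups "domain users" and "internet". Feed it the real dumps keyed by the selector each was captured under and it will tell you which process owns the session and whether the expected LDAP groups were actually retrieved, which is the question the manual walk-through above answers one worker at a time.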
