FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
adimailig
Staff
Staff
Article Id 275562

 

Description

This article describes how to configure Multiple FSSO Agent to Connect to Multiple FSSO CA Server Monitoring same Domain/Groups.

 

1.PNG
On this deployment, there are Domain Controller Servers which both have FSSO Collector Agent installed. AD servers synchronize domains and AD groups/users.
The user goal is to configure multiple FSSO agents and monitor logon events on each FSSO CA.
First FSSO Agent (FSSO_DC1) is configured with 'User group source' as Collector Agent and is able to poll 37 user groups from FSSO CA.

2.PNG

 

The second FSSO Agent (FSSO_DC2) is also configured with 'User group source' as Collector Agent and is on connected status. However, there are no users/Groups monitored for the second FSSO Agent.

3.PNG

 

Summary of FSSO Agent Status:

4.PNG

Scope FortiGate, FSSO.
Solution

Running the debug application on the AUTHD process shows the below logs and error:


diag debug application authd -1
diag debug enable


Select 'Apply' and Refresh to initiate the update:

5.PNG

<>
_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/PRINT OPERATORS exists (vd=root)

_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/CERT PUBLISHERS exists (vd=root)

_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/RAS AND IAS SERVERS exists (vd=root)

_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/ALLOWED RODC PASSWORD REPLICATION GROUP exists (vd=root)

_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/DENIED RODC PASSWORD REPLICATION GROUP exists (vd=root)

_process_ad_info[FSSO_DC2]: group TEST-DOMAIN/DNSADMINS exists (vd=root)

_process_ad_info[FSSO_DC2]: updated user.adgrp with 0 entries
<>



This means that the Group that FSSO CA received already existed on the FortiGate configuration.
Further checking on the FortiGate configuration to confirm that Groups are already referenced to FSSO_DC1.

Thus, it is not possible to reference it to FSSO_DC2.


show user adgrp
<>
edit "TEST-DOMAIN/CERT PUBLISHERS"

        set server-name "FSSO_DC1"

    next

    edit "TEST-DOMAIN/RAS AND IAS SERVERS"

        set server-name "FSSO_DC1"

    next

    edit "TEST-DOMAIN/ALLOWED RODC PASSWORD REPLICATION GROUP"

        set server-name "FSSO_DC1"

    next

    edit "TEST-DOMAIN/DENIED RODC PASSWORD REPLICATION GROUP"

        set server-name "FSSO_DC1"

    next

    edit "TEST-DOMAIN/DNSADMINS"

        set server-name "FSSO_DC1"

    next
<>



To resolve the issue and to achieve the goal of the customer, it is necessary to configure a second FSSO Agent to use Local as 'User group source'.

This requires configuring the LDAP Server. Refer to the below guide to configure the LDAP Server:
Configuring an LDAP server 


Edit the second FSSO Agent then change 'User group source' to Local.
Select the LDAP Server where to get the User/User Group, then select 'Edit'. This will be forwarded to LDAP Tree View to select groups or users to monitor the logon events.

6.PNG

7.PNG

 

'Right-click' to User or Groups to monitor, then select 'Add Selected'.
It is possible to check all selected users and groups under the 'Selected' tab.

 

8.PNG11.png

 

It is now possible to see that there are 2 Users/Groups that are currently monitored by FSSO CA:

9.PNG

10.PNG
Contributors