Description
This article describes the configuration of FSSO collector agent redundancy with multiple (two in this example) LDAP Windows AD and two Fortinet DC Agents.
The FortiGate will connect to the available FSSO Agent to retrieve the Logon list and validate authenticated users. Both Windows ADs are configured to authenticate users' logon (Multiple domain controllers).
FSSO Collector Agent and DC Agent are installed on each Windows AD server.
Scope
FSSO, FortiGate.
Solution
Configuration.
FSSO Collector Agents listen on TCP port 8000 and UDP port 8002; ensure that Windows Firewall is not blocking these ports.
- FortiGate communicates to FSSO CA via TCP port 8000.
- DC Agent communicates to FSSO CA via UDP port 8002.
- DC Agent with SSL enabled communicates to FSSO CA via TCP port 8003.
In this example:
- 1st Windows AD IP=10.10.10.1.
- 2nd Windows AD IP=10.10.10.2.
Install the latest FSSO Collector Agent software and DC Agent on both Windows ADs, and follow these four steps:
- FSSO Collector Agent software installation.
Select Next and Install. This will then launch the 'DC Agent Install Wizard'.
- DC Agent software installation.
Accept the default values and select Next, then select the Domain to monitor and any Users that are not to be monitored. Leave 'DC Agent Working Mode' at its default and select Finish.
- DC Agent Configuration Utility software installation.
Select Next, then list both IPs where the two Collector Agents are installed (10.10.10.1 and 10.10.10.2 in this example).
Select Next, Install, and Finish. Both DC Agents are now configured to send logon events to both Collector Agents. This can be checked with the DC Agent Configuration Utility GUI.
It can also be checked by looking at the following registry key:
Diagram:
FortiGate <---> FSSO CA <---> DC Agents <---> WINDOWS AD.
- To exclude certain IP addresses from polling or from DC Agent reporting (this has no effect on TSAgent), use the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent
Only IP addresses can be added to this list. Adding IP ranges/subnets is not yet supported.
Value name: 'dc_agent_ignore_ip_list'.
Value data: semicolon-separated list of IPs to ignore by the Collector Agent.
In this example of 'dc_agent_ignore_ip_list', the logon events reported from the DCs 10.10.10.1 and 10.10.10.2 will be ignored by the Collector Agent.
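As an added example (not part of this article or of the Fortinet agent software), the following PowerShell checks Windows Firewall on a Collector Agent host for the three ports listed above and writes 'dc_agent_ignore_ip_list' under the registry key above. It assumes the value is a REG_SZ string and that the built-in NetSecurity cmdlets are available; the two addresses are the example DCs from this article.

```powershell
# Added example, not from the Fortinet article or agent software. Assumes the
# Collector Agent is installed and that dc_agent_ignore_ip_list is a REG_SZ
# string (assumption). Run from an elevated PowerShell session on the CA host.
$caKey     = 'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent'
$valueName = 'dc_agent_ignore_ip_list'
# Constructed sample: ignore DC Agent logon events from these two DCs.
$ignoreList = @('10.10.10.1', '10.10.10.2')

# Ports from the article: FortiGate -> CA TCP 8000, DC Agent -> CA UDP 8002,
# DC Agent with SSL -> CA TCP 8003.
$requiredPorts = @(
    @{ Protocol = 'TCP'; Port = 8000 },
    @{ Protocol = 'UDP'; Port = 8002 },
    @{ Protocol = 'TCP'; Port = 8003 }
)

function Test-FssoCaFirewall {
    # Report whether an enabled inbound allow rule covers each required port.
    foreach ($p in $requiredPorts) {
        $rules = Get-NetFirewallPortFilter -Protocol $p.Protocol |
            Where-Object { $_.LocalPort -eq $p.Port } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
        [pscustomobject]@{ Protocol = $p.Protocol; Port = $p.Port; Allowed = [bool]$rules }
    }
}

function Set-FssoIgnoreList {
    param([string[]]$Addresses)
    # The agent accepts single IP addresses only (no ranges or subnets), so
    # reject anything that is not a plain dotted-quad address.
    foreach ($a in $Addresses) {
        if ($a -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
            -not [System.Net.IPAddress]::TryParse($a, [ref]$null)) {
            throw "Not a single IPv4 address: $a"
        }
    }
    if (-not (Test-Path $caKey)) { throw "Collector Agent key not found: $caKey" }
    # Value data is a semicolon-separated list, as the article describes.
    Set-ItemProperty -Path $caKey -Name $valueName -Value ($Addresses -join ';') -Type String
    (Get-ItemProperty -Path $caKey -Name $valueName).$valueName
}

Test-FssoCaFirewall | Format-Table -AutoSize
Set-FssoIgnoreList -Addresses $ignoreList
```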
Verification of Configuration and Troubleshooting.
The FortiGate is configured with a list of available FSSO CAs as shown below.
config user fsso
    edit "DC-1"
        set server "10.10.10.1"
        set password ENC ***
        set server2 "10.10.10.2"
        set password2 ENC ***
    next
end
The FortiGate is configured with a list of LDAP Servers as shown below.
config user ldap
    edit "WindowsAD-1"
        set server "10.10.10.1"
        set cnid "cn"
        set dn "test.net"
        set type regular
        set username "admin"
        set password ENC ***
    next
    edit "WindowsAD-2"
        set server "10.10.10.2"
        set cnid "cn"
        set dn "test.net"
        set type regular
        set username "admin"
        set password ENC ***
    next
end
The FortiGate connects to the first available FSSO CA in the list to retrieve logon events. If that FSSO CA fails, it connects to the next available one in the list, and so on.
When the first FSSO CA in the list becomes available again, the FortiGate does not fail back to it until the currently active FSSO CA disconnects.
There is no primary/backup mechanism in the FortiGate-FSSO CA relationship.
The other FSSO Collector Agents are used as failover in case the first configured one is not available. In the FSSO Collector Agent's 'Show Service Status', the connected FortiGate's serial number and IP address are visible.
In the FSSO Collector Agent, 'Show Monitor DC' shows both DC Agent IPs along with the last KEEPALIVE packets received from the DCs.
Debugging can be turned on in the Collector Agent by setting the log level to debugging and the log file size to 100 MB (maximum 1024 MB).
Logs are stored in the program directory.
Useful commands to troubleshoot on FortiGate:
List the FSSO logon users on the FortiGate.
    diagnose debug authd fsso list
List authenticated users on the FortiGate.
    diagnose firewall auth list
List the connected FSSO CA.
    diagnose debug reset
    diagnose debug enable
    diagnose debug authd fsso server-status
Debug the authentication process.
    diagnose debug reset
    diagnose debug console timestamp enable
    diagnose debug application authd -1
    diagnose debug application fnbamd -1
    diagnose debug enable
Stop the debugging output.
    diagnose debug reset
    diagnose debug disable
By default, debugging is enabled for 30 minutes.
Note: On FortiGate, the output of the command 'diagnose debug authd fsso server-status' will only display the current active FSSO CA.
Related articles:
Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets
Technical Tip: Excluding IP addresses from FSSO logon events
Technical Tip: Configuring Multiple FSSO Agent to Connect to Multiple FSSO CA Server Monitoring same...