FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes the reason for the error 2221 in the FSSO collector agent logs.
Scope
FSSO CA.
Solution
In FSSO CA logs the error 2221 is displayed if the collector agent does not have enough permissions to get the user group information from the domain controller.
10/20/2024 14:13:00 [ 3407] ad_user_get_groups error: TOPDOMAIN(\\ABC-DC02.city.ott.on.ca)/HealthMailbox4eaabed6391342759445d47420725dac 2221 10/20/2024 14:13:00 [ 3407] ad_user_get_localgroups error TOPDOMAIN(\\ABC-DC02.city.ott.on.ca)/HealthMailbox4eaabed6391342759445d47420725dac: 2221 10/20/2024 14:13:00 [ 3407] cannot get group info for TOPDOMAIN/HealthMailbox4eaabed6391342759445d47420725dac 10/20/2024 14:13:00 [ 3407] ad_user_get_groups_str():<NONE>
This may happen due to multiple reasons:
If the standard mode is used for the nested group users. Change the FSSO operation mode to advanced as nested groups are not supported in the standard mode.
Make sure FSSO CA is configured with domain admin account credentials with sufficient permission to read security event logs.
If the user is a service account, for example, the health mailbox is also a service account that does not belong to any group. Add the service account to the ignore user list.
To troubleshoot FSSO CA on a Windows server, run the following debug command using the Firewall CLI.
