FortiGate
acvaldez
Staff
Article Id 303013
Description This article describes how FSSO in agentless polling mode determines the IP address of the workstation from which a user authenticates, and in particular whether that depends on DNS resolution of the workstation's hostname.
Scope FortiGate.
Solution

To show the behavior, a deliberately wrong IP address was configured in DNS for the hostname machine1.fortinetmnl.com. The question is whether FSSO agentless polling mode resolves the workstation's hostname to learn the source IP of the logon, or takes that IP from the logon event itself.

(Screenshot: DNS server record for machine1.fortinetmnl.com, dns server for fsso polling.png)

(Screenshot: ping machine1 resolving to the wrong address, ping machine1 for fsso polling.png)

The real IP address of the test machine on which the user 'avaldez' authenticated:

(Screenshot: ipconfig output on machine1, ipconfig for fsso polling.png)

The DNS A record for machine1.fortinetmnl.com points to 10.115.1.251, but the real IP address of the machine is 10.115.4.252.

The user 'avaldez' then logged on to the machine 10.115.4.252 (hostname machine1.fortinetmnl.com, which DNS resolves to the wrong address). Below are the FSSO live user list, the firewall authentication list and the polling daemon debug output for that logon.

(Screenshot: FSSO live user list on the FortiGate, fsso live user fsso polling.png)

kvm34 # diag firewall auth list
10.115.4.252, avaldez
type: fsso, id: 0, duration: 161, idled: 46
server: Local FSSO Agent
packets: in 48 out 38, bytes: in 51661 out 6304
----- 1 listed, 0 filtered ------

2024-03-04 21:28:20 [fsso_ldap_session_state:82] ldap session state transit from init->user for user avaldez.
2024-03-04 21:28:20 [fsso_ldap_group_add:327] logon: 10.115.4.252, avaldez/FORTINETMNL.COM, , add group CN=Allan Valdez,CN=Users,DC=fortinetmnl,DC=com
2024-03-04 21:28:20 [primary_id_lookup:460] primary_id_lookup: user_id: CN=Allan Valdez,CN=Users,DC=fortinetmnl,DC=com
2024-03-04 21:28:20 [fsso_ldap_session_state:82] ldap session state transit from user->primary-group-id for user avaldez.
2024-03-04 21:28:20 [event_add_logon_info:364] eid=4769, logon=[], ipaddr=[], station=[MACHINE1], domain=[], clt_workstation=, port=0, tm=1709616491
2024-03-04 21:28:20 [primary_group_lookup:433] lookup primary group for: logon(10.115.4.252, avaldez) base:DC=fortinetmnl,DC=com filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\03\d7\3b\ff\c2\ee\d4\69\a7\29\57\02\01\02\00\00))
2024-03-04 21:28:20 [fsso_ldap_session_state:82] ldap session state transit from primary-group-id->primary_group for user avaldez.
2024-03-04 21:28:20 [fsso_ldap_group_add:327] logon: 10.115.4.252, avaldez/FORTINETMNL.COM, , add group CN=Domain Users,CN=Users,DC=fortinetmnl,DC=com
2024-03-04 21:28:20 [memberof_lookup:568] look up memberof for logon(10.115.4.252, avaldez),base: DC=fortinetmnl,DC=com, filter: (&(objectclass=group)(|(member:=CN=Allan Valdez,CN=Users,DC=fortinetmnl,DC=com)(member:=CN=Domain Users,CN=Users,DC=fortinetmnl,DC=com)))
2024-03-04 21:28:20 [fsso_ldap_session_state:82] ldap session state transit from primary_group->memberOf for user avaldez.
2024-03-04 21:28:20 [event_add_logon_info:364] eid=4768, logon=[avaldez], ipaddr=[10.115.4.252], station=[], domain=[FORTINETMNL], clt_workstation=MACHINE1,

Result:

FSSO agentless polling mode does not depend on the DNS record of the workstation to determine the IP address from which the user authenticated. The IP address comes from the logon event polled from the domain controller (the eid=4768 entry above carries ipaddr=[10.115.4.252]), and that same address appears in the firewall authentication list. A wrong or stale DNS record for the workstation therefore does not change which IP address is bound to the FSSO user.
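The script below is an added example, not code from the Fortinet article or from FortiOS. It parses the two kinds of output quoted above (the polling daemon's event_add_logon_info debug lines and the diagnose firewall auth list output) and reports, for each FSSO entry, whether the IP address matches the domain controller event's ipaddr field or the workstation's DNS A record. The log lines, the auth-list text and the DNS table are constructed from the values in this article; the field names parsed are only those visible in the quoted output, and the join of clt_workstation with the domain suffix to form an FQDN is an assumption made for the example.

```python
"""Added example (not code from the Fortinet article or FortiOS).

Parse the FSSO polling daemon's event_add_logon_info debug lines and the
'diagnose firewall auth list' output, then report whether each FSSO entry's
IP came from the domain-controller event (ipaddr=[...]) or from the
workstation's DNS A record. Sample inputs are constructed from the article.
"""
import re
from ipaddress import ip_address

# Constructed from the article's debug output: the 4769 line carries only the
# station name, the 4768 line carries the user and the client IP.
FSSOD_DEBUG = """\
2024-03-04 21:28:20 [event_add_logon_info:364] eid=4769, logon=[], ipaddr=[], station=[MACHINE1], domain=[], clt_workstation=, port=0, tm=1709616491
2024-03-04 21:28:20 [event_add_logon_info:364] eid=4768, logon=[avaldez], ipaddr=[10.115.4.252], station=[], domain=[FORTINETMNL], clt_workstation=MACHINE1
"""

# Constructed from the article's 'diagnose firewall auth list' output.
AUTH_LIST = """\
10.115.4.252, avaldez
type: fsso, id: 0, duration: 161, idled: 46
server: Local FSSO Agent
packets: in 48 out 38, bytes: in 51661 out 6304
----- 1 listed, 0 filtered ------
"""

# Constructed stand-in for the deliberately wrong A record in the article
# (real DNS is not queried; an assumption so the example runs offline).
DNS_TABLE = {"machine1.fortinetmnl.com": "10.115.1.251"}

EVENT_RE = re.compile(r"\[event_add_logon_info:\d+\]\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=\[?([^,\]]*)\]?")
AUTH_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),\s+(?P<user>\S+)$")


def parse_logon_events(debug_text):
    """Return one dict of key/value fields per event_add_logon_info line."""
    events = []
    for line in debug_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(dict(FIELD_RE.findall(m.group("fields"))))
    return events


def fsso_logons(events):
    """Keep events that name both a user and a client IP; validate the IP."""
    logons = []
    for e in events:
        user, ip = e.get("logon", ""), e.get("ipaddr", "")
        if not (user and ip):
            continue  # e.g. the 4769 line: station name only, no user/IP
        ip_address(ip)  # raises ValueError on a malformed address
        workstation = e.get("clt_workstation") or e.get("station", "")
        logons.append({"user": user, "ip": ip, "workstation": workstation})
    return logons


def parse_auth_list(text):
    """Parse '<ip>, <user>' header lines and the 'type:' line after each."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = AUTH_RE.match(line)
        if m:
            current = {"ip": m["ip"], "user": m["user"], "type": None}
            entries.append(current)
        elif current is not None and line.startswith("type:"):
            current["type"] = line[len("type:"):].split(",")[0].strip()
    return entries


def compare_sources(logons, auth_entries, dns_table, domain_suffix):
    """Classify each FSSO auth entry: 'event' if its IP equals the DC event's
    ipaddr, 'dns' if it equals the workstation's A record, else 'none'.
    (If DNS happened to be correct both would match; 'event' wins then.)"""
    auth_ip = {e["user"]: e["ip"] for e in auth_entries if e["type"] == "fsso"}
    report = {}
    for lg in logons:
        fqdn = f"{lg['workstation'].lower()}.{domain_suffix}"  # assumed join
        dns_ip = dns_table.get(fqdn)
        fw_ip = auth_ip.get(lg["user"])
        if fw_ip is None:
            source = "none"
        elif fw_ip == lg["ip"]:
            source = "event"
        elif fw_ip == dns_ip:
            source = "dns"
        else:
            source = "none"
        report[lg["user"]] = {"event_ip": lg["ip"], "dns_ip": dns_ip,
                              "auth_ip": fw_ip, "source": source}
    return report


if __name__ == "__main__":
    logons = fsso_logons(parse_logon_events(FSSOD_DEBUG))
    result = compare_sources(logons, parse_auth_list(AUTH_LIST), DNS_TABLE, "fortinetmnl.com")
    for user, r in result.items():
        print(f"{user}: auth list {r['auth_ip']}, DC event {r['event_ip']}, "
              f"DNS {r['dns_ip']} -> source={r['source']}")
```

Run against your own captured output, the script prints source=event when the FortiGate bound the user to the address carried in the domain controller event, which is what the article's test shows; source=dns would only appear if the firewall had used the workstation's A record instead.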

Related article on FSSO agentless polling mode:

Troubleshooting Tip: How to troubleshoot FSSO agentless polling mode issue
