FortiGate
anoushiravan
Staff
Article Id 240817
Description

This article describes a case where FSSO user traffic is blocked when 'Collector Agent' is enabled as the user group source in the FSSO settings.

One possible cause is that the FSSO groups fetched onto FortiGate have been enabled directly on the firewall policy.

Scope

FortiGate.

Solution

Avoid enabling a fetched FSSO group directly on the firewall policy. Instead, create a user group, add the desired fetched FSSO group as a member of that user group, and then enable this user group on the firewall policy.

Configure the FSSO agent on FortiGate:


FGT # show user fsso
config user fsso
    edit "fsso-agent"
        set server "10.108.4.69"
        set password ENC +ZLQ/az3+j6aqqwWOt62JCCQr56ZfqoqRffcQYcqguGfvaCUKbbObudyBgI2g0oUHyiKOOXP4EYcZlu/aDf4G3RnYXtpOWGzLy6XithmKgcS0Oe/0EaFPm1Hz4Pj2Cypa9TRgXuHzKiS4StePJbj/jRite1lxbWvXHiC9GHMXHlAinNecy/LLn6RTaHF+9QZ/WHyfQ==
    next
end


The following groups were fetched from the domain controller:


FGT # show user adgrp
config user adgrp
    edit "CN=TESTGROUP,OU=FORTIGATE,DC=FORTISERVICE,DC=COM"
        set server-name "fsso-agent"
    next
    edit "CN=FSSO.POLLING,DC=FORTISERVICE,DC=COM"
        set server-name "fsso-agent"
    next
    edit "CN=FSSO.GROUP,DC=FORTISERVICE,DC=COM"
        set server-name "fsso-agent"
    next
    edit "CN=LDAP.GROUP,DC=FORTISERVICE,DC=COM"
        set server-name "fsso-agent"
    next
    edit "CN=RADIUS.GROUP,DC=FORTISERVICE,DC=COM"
        set server-name "fsso-agent"
    next
end


Create a user group and enable any of the FSSO groups that the user is a member of. In this example, FSSO.GROUP is enabled since the user 'sarah' is a member of this FSSO group.


FGT # show user group FSSO-users
config user group
    edit "FSSO-users"
        set group-type fsso-service
        set member "CN=FSSO.GROUP,DC=FORTISERVICE,DC=COM"
    next
end


FGT # di test authserver ldap ldap sarah forti40#$%
authenticate 'sarah' against 'ldap' succeeded!
Group membership(s) - CN=fsso.group,DC=fortiservice,DC=com  <-----


Enable the newly created user group on the firewall policy:


FGT # show firewall policy
config firewall policy
    edit 1
        set name "INTERNET"
        set srcintf "internal1"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO-users" <-----
        set nat enable
    next
end
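The walk-through above shows the corrected configuration. As an added example that is not part of this article and not Fortinet code, the following Python script parses a FortiOS configuration dump and flags every firewall policy whose `set groups` references a fetched `user adgrp` DN directly instead of an fsso-service user group, then prints the wrapper-group CLI that the article recommends. The sample configuration is constructed: the adgrp entries, the FSSO-users group and policy 1 follow the article, while policy 2 ('INTERNET-BROKEN') is a hypothetical misconfigured policy added to show the finding.

```python
import shlex

# Constructed sample config dump for this example. The adgrp entries, the
# FSSO-users group and policy 1 follow the article; policy 2 is hypothetical
# and shows the misconfiguration: a fetched adgrp DN bound straight to a policy.
SAMPLE_CONFIG = """\
config user adgrp
    edit "CN=TESTGROUP,OU=FORTIGATE,DC=FORTISERVICE,DC=COM"
        set server-name "fsso-agent"
    next
    edit "CN=FSSO.GROUP,DC=FORTISERVICE,DC=COM"
        set server-name "fsso-agent"
    next
end
config user group
    edit "FSSO-users"
        set group-type fsso-service
        set member "CN=FSSO.GROUP,DC=FORTISERVICE,DC=COM"
    next
end
config firewall policy
    edit 1
        set name "INTERNET"
        set srcintf "internal1"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO-users"
        set nat enable
    next
    edit 2
        set name "INTERNET-BROKEN"
        set action accept
        set groups "CN=TESTGROUP,OU=FORTIGATE,DC=FORTISERVICE,DC=COM"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' text into
    {table_name: {entry_name: {key: [values]}}}.
    Nested sub-tables are tracked on a stack but keyed by name only."""
    tables = {}
    ctx = []  # stack of [table_name, current_entry]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # keeps quoted DNs like "CN=..,DC=.." intact
        kw = tokens[0]
        if kw == "config":
            name = " ".join(tokens[1:])
            ctx.append([name, None])
            tables.setdefault(name, {})
        elif kw == "edit":
            ctx[-1][1] = tokens[1]
            tables[ctx[-1][0]].setdefault(tokens[1], {})
        elif kw == "set":
            table, entry = ctx[-1]
            if entry is not None:
                tables[table][entry][tokens[1]] = tokens[2:]
        elif kw == "next":
            ctx[-1][1] = None
        elif kw == "end":
            ctx.pop()
    return tables


def find_direct_adgrp_policies(tables):
    """Return [(policy_id, [dn, ...])] for every firewall policy whose
    'groups' setting names a fetched adgrp DN instead of a user group."""
    adgrps = set(tables.get("user adgrp", {}))
    findings = []
    for pid, attrs in tables.get("firewall policy", {}).items():
        direct = [g for g in attrs.get("groups", []) if g in adgrps]
        if direct:
            findings.append((pid, direct))
    return findings


def wrapper_group_cli(group_name, dns):
    """Build the CLI that wraps the offending DNs in an fsso-service user
    group, i.e. the corrected form the article recommends."""
    members = " ".join('"%s"' % dn for dn in dns)
    return "\n".join([
        "config user group",
        '    edit "%s"' % group_name,
        "        set group-type fsso-service",
        "        set member %s" % members,
        "    next",
        "end",
    ])


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for pid, dns in find_direct_adgrp_policies(cfg):
        print("policy %s binds fetched adgrp directly: %s" % (pid, ", ".join(dns)))
        print(wrapper_group_cli("FSSO-users-policy%s" % pid, dns))
```

Run it against a full `show full-configuration` dump saved to a file (replace `SAMPLE_CONFIG` with the file contents) to audit every policy at once; the script only reports, it does not change the device, and the printed block still has to be applied and then referenced from the policy with `set groups`.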


Result:

The debug flow output shows the traffic hitting policy ID 1 as expected:


FGT # 2022-12-25 01:18:51 id=20085 trace_id=14 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.108.3.113:1->4.2.2.2:2048) from internal1. type=8, code=0, id=1, seq=31."
2022-12-25 01:18:51 id=20085 trace_id=14 func=init_ip_session_common line=5995 msg="allocate a new session-00023024"
2022-12-25 01:18:51 id=20085 trace_id=14 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.109.251.254 via ppp1"
2022-12-25 01:18:51 id=20085 trace_id=14 func=fw_forward_handler line=811 msg="Allowed by Policy-1: SNAT" <<<----
2022-12-25 01:18:51 id=20085 trace_id=14 func=__ip_session_run_tuple line=3519 msg="SNAT 10.108.3.113->10.109.251.57:60417"
2022-12-25 01:18:51 id=20085 trace_id=14 func=ipd_post_route_handler line=490 msg="out ppp1 vwl_zone_id 1, state2 0x1, quality 0."
2022-12-25 01:18:52 id=20085 trace_id=15 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 4.2.2.2:60417->10.109.251.57:0) from ppp1. type=0, code=0, id=60417, seq=31."
2022-12-25 01:18:52 id=20085 trace_id=15 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-00023024, reply direction"


In the session entry, the traffic belongs to FSSO user 'sarah' and the policy ID matching the traffic is 1:


FGT # di sys session list
session info: proto=1 proto_state=00 duration=8 expire=54 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=SARAH auth_server=fsso-agent state=log may_dirty authed f00 acct-ext <<<----
statistic(bytes/packets/allow_err): org=240/4/1 reply=240/4/1 tuples=2
tx speed(Bps/kbps): 28/0 rx speed(Bps/kbps): 28/0
orgin->sink: org pre->post, reply pre->post dev=11->31/31->11 gwy=10.109.251.254/10.108.3.113
hook=post dir=org act=snat 10.108.3.113:1->4.2.2.2:8(10.109.251.57:60417)
hook=pre dir=reply act=dnat 4.2.2.2:60417->10.109.251.57:0(10.108.3.113:1)
misc=0 policy_id=1 auth_info=33554437 chk_client_info=0 vd=0 <<<---
serial=00023024 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=80000000 rpdb_svc_id=0 ngfwid=n/a
total session 1


Related articles:
Technical Tip: How FSSO works and how to troubleshoot FSSO

Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets