FortiGate
dgough
Staff
Article Id 343864
Description This article describes how FSSO detects logged-off users.
Scope FortiGate.
Solution

User removal from FSSO is handled by a workstation check and a dead entry timer. In other words, the Collector Agent does not read Windows logoff events.

(Screenshot: Collector Agent settings, Agent.JPG)


The Collector Agent (CA) runs the workstation check in batches; the time between the end of one batch and the start of the next is set in the Workstation verify interval field (default is 5).

By default, the CA uses WMI to retrieve the username of the user currently logged in on the workstation. If the query succeeds and the username matches the entry in the CA's database, the entry is retained.

If a different user is logged in, or no user is logged in, the FSSO entry is removed from the CA and consequently from the FortiGate.

If the workstation check fails (because it is disabled, the PC is off or offline, or WMI permissions are insufficient), the dead entry timer starts.

The user's FSSO session is cleared when the timer reaches zero (default is 8 hours). The timer is reset by each successful workstation check, or when the same user logs on again from the same PC/IP.

To verify whether the FortiGate receives the logon and logoff events from the CA, run the following commands:

diag de application authd -1

diag de enable


Example:


user name: TESTUSER


[authd_fsae_send_group_info:288]: called
authd_epoll_work: timeout 9960
[_process_logon:1072]: TESTUSER (10.229.0.2, 0) logged on from FSSO-DC. <----- Logon entry.
[_process_logon:1115]: TESTUSER (10.229.0.2, 0) from FSSO-DC exists.
authd_epoll_work: timeout 9940
[authd_admin_read:1044]: called
authd_epoll_work: timeout 9940
fsae_io_ctx_process_msg[FSSO-DC]: received heartbeat 100002


When the user's logoff is detected, the FortiGate receives the entries below from the Collector Agent:


fsae_io_ctx_process_msg[FSSO-DC]: received heartbeat 100276
authd_epoll_work: timeout 17470
[_process_logoff:1169]: TESTUSER (10.229.0.2, 0) logged off from FSSO-DC. -->Logoff entry
[fsae_db_logoff:246]: vfid 0, ip 10.229.0.2, id(0), port_range_sz(0)
[authd_fp_notify_logoff:445]: vfid 0, ip 10.229.0.2, id 0
[authd_fp_on_user_logoff:413]: vfid 0, ip 10.229.0.2
authd_epoll_work: timeout 11270
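When the authd debug output runs to many screens, it is easier to extract the logon/logoff lines and replay them than to read the raw output. The following script is an added example (not from the article or from Fortinet): it parses lines in the format shown above and reports which FSSO entries are still active per IP. The sample output below is constructed from the lines above plus a second user (JDOE, 10.229.0.7) that exists only for illustration.

```python
import re
from typing import Dict, List, Tuple

# Matches the authd debug lines that record an FSSO logon or logoff, e.g.
#   [_process_logon:1072]: TESTUSER (10.229.0.2, 0) logged on from FSSO-DC.
#   [_process_logoff:1169]: TESTUSER (10.229.0.2, 0) logged off from FSSO-DC.
# The "(ip, n)" pair is read as IP and VDOM id (vfid), matching the
# "vfid 0, ip 10.229.0.2" fields in the fsae_db_logoff line.
EVENT_RE = re.compile(
    r"\[_process_(?P<event>logon|logoff):\d+\]:\s+"
    r"(?P<user>\S+)\s+\((?P<ip>[\d.]+),\s*(?P<vfid>\d+)\)\s+"
    r"logged (?:on|off) from (?P<source>\S+)\."
)

# Constructed sample: lines from the article plus one extra user (JDOE).
SAMPLE_DEBUG = """\
[_process_logon:1072]: TESTUSER (10.229.0.2, 0) logged on from FSSO-DC.
[_process_logon:1115]: TESTUSER (10.229.0.2, 0) from FSSO-DC exists.
authd_epoll_work: timeout 9940
[_process_logon:1072]: JDOE (10.229.0.7, 0) logged on from FSSO-DC.
fsae_io_ctx_process_msg[FSSO-DC]: received heartbeat 100276
[_process_logoff:1169]: TESTUSER (10.229.0.2, 0) logged off from FSSO-DC.
[fsae_db_logoff:246]: vfid 0, ip 10.229.0.2, id(0), port_range_sz(0)
""".splitlines()


def parse_events(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Return (event, user, ip, vfid, source) for each logon/logoff line.
    Heartbeats, timeouts and the 'exists' notice are ignored."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.append((m["event"], m["user"], m["ip"], int(m["vfid"]), m["source"]))
    return events


def active_sessions(lines: List[str]) -> Dict[Tuple[int, str], str]:
    """Replay the events in order and return the entries still logged on,
    keyed by (vfid, ip), mirroring how one IP holds one FSSO user."""
    sessions: Dict[Tuple[int, str], str] = {}
    for event, user, ip, vfid, _source in parse_events(lines):
        key = (vfid, ip)
        if event == "logon":
            sessions[key] = user
        else:
            sessions.pop(key, None)
    return sessions


if __name__ == "__main__":
    for key, user in active_sessions(SAMPLE_DEBUG).items():
        print(f"vfid {key[0]} ip {key[1]}: {user} still logged on")
```

On a real capture, pipe the saved debug output into the script line by line; an IP that never produces a `_process_logoff` line after the user left the workstation points at the workstation check failing and the dead entry timer still running.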
