FortiGate
seshuganesh
Staff
Article Id 204758
Description This article describes how to troubleshoot missing FSSO logon events in DC agent mode.
Scope FortiGate FOS.
Solution

Before going into the troubleshooting steps, it helps to understand how FSSO logon event information flows to the FortiGate firewall.

This is the sequence of events in FSSO DC agent mode:

 

1) The user logs in to a domain machine.

 

2) Check the event log for that user in the Windows logs on the domain controller (this confirms whether the user actually logged in to Windows AD).

 

3) As soon as the user has logged in to AD, the DC agent forwards the logon to the collector agent (CA); the user appears in the CA user list, and that user list is sent to the firewall.

 

Now let us move on to troubleshooting the missing logins.

If a user's logon is missing, follow the steps below:

 

- Check the users and devices list on the FortiGate firewall and confirm that some logon events are missing.

- Then check the collector agent logon list:

 

If only some logon events are missing, there is no communication issue between the FortiGate and the collector agent.

If there were a communication issue, no logon events at all would reach the firewall.

 

Note down the user name of the missing user and check whether that user name is present in the Active Directory event logs (this confirms that the user name is present on the correct AD server).

If the user name is present, download the DC agent logs from the DC agent.

 

Search for the specific user name in the DC agent logs; the entries found there show the reason the logon failed:

 

A successful logon event looks like this:

 

02/01/2022 14:31:43.491: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh (seshu ganesh) from seshug
Domain:Firewallgeeks DNS suffix added:firewall.geeks.
02/01/2022 14:31:43.491: finish processing.
workstation IP:10.21.2.3
Msv1_0SubAuthenticationFilter is called

 

In the above log, the logon event is processed for the user "seshu ganesh" from the machine named 'seshug'.

 

The DNS suffix is added for the domain 'Firewallgeeks'.

DNS resolution for the machine name "seshug" succeeds, and its workstation IP is 10.21.2.3.

 

The event is forwarded to the collector agent and shown in the logged-in user list.

 

Here are some sample errors:

 

First:

 

02/01/2022 14:32:28.632: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh from seshug
user:seshu.ganesh in ignore list

 

This message means that the user is present in the ignore list. Remove the user from the ignore list.

Then the logon can be retried.

 

Second:

 

02/01/2022 14:33:25.850: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh () from seshug
machine account:seshug$ is ignored.
02/01/2022 14:33:25.850: finish processing.
Msv1_0SubAuthenticationFilter is called

 

The message 'machine account is ignored' in the log above is normal: by default, machine accounts are ignored.

 

Third:

 

02/03/2022 10:20:10.081: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh (seshu ganesh) from seshug
Domain:Firewallgeeks DNS suffix added:firewall.geeks
02/03/2022 10:20:10.081: finish processing.
getaddrinfo() failed[seshug], error:11001
getaddrinfo() failed[seshug], error:11001
Msv1_0SubAuthenticationFilter is called

 

This error is usually related to DNS: the collector agent or DC agent is unable to resolve the workstation name to an IP address (Winsock error 11001 is 'host not found').

Make sure the DNS entries for this workstation are correct on the AD server.

 

In the same way, going through the DC agent and CA logs from the time of the issue, with matching time stamps, gives more details about what happened.
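To make the per-user search described above repeatable, the following added Python example (not part of this article or of Fortinet's tools) groups DC agent log lines into logon events and names the outcome of each one using the four log patterns shown above; the sample log is constructed from those excerpts, and the outcome labels are this example's own names.

```python
import re
# Constructed sample, assembled from the DC agent log excerpts quoted in this article.
SAMPLE_LOG = r"""02/01/2022 14:31:43.491: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh (seshu ganesh) from seshug
Domain:Firewallgeeks DNS suffix added:firewall.geeks.
workstation IP:10.21.2.3
Msv1_0SubAuthenticationFilter is called
02/01/2022 14:32:28.632: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh from seshug
user:seshu.ganesh in ignore list
02/01/2022 14:33:25.850: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh () from seshug
machine account:seshug$ is ignored.
02/03/2022 10:20:10.081: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh (seshu ganesh) from seshug
Domain:Firewallgeeks DNS suffix added:firewall.geeks
getaddrinfo() failed[seshug], error:11001
getaddrinfo() failed[seshug], error:11001
"""

# A "processing Logon" line opens an event; the lines up to the next one belong to it.
HEADER = re.compile(
    r"^(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}): processing Logon "
    r"\(level=\d+, logonid=[^)]*\) (?P<domain>[^\\]+)\\(?P<user>\S+)"
    r"(?: \((?P<display>[^)]*)\))? from (?P<workstation>\S+)$"
)

def parse_dc_agent_log(text):  # one dict per 'processing Logon' line
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({**m.groupdict(), "details": []})
        elif events:
            events[-1]["details"].append(line.strip())
    return events

def classify(ev):  # (outcome, detail), using the log patterns the article walks through
    joined = "\n".join(ev["details"])
    err = re.search(r"getaddrinfo\(\) failed\[[^\]]*\], error:(\d+)", joined)
    ip = re.search(r"workstation IP:(\S+)", joined)
    if " in ignore list" in joined:
        return "user_in_ignore_list", None      # remove the user from the CA ignore list
    if "machine account:" in joined and "is ignored" in joined:
        return "machine_account_ignored", None  # expected: machine accounts are skipped
    if err:
        return "dns_resolution_failed", err.group(1)  # name did not resolve; check AD DNS
    if ip:
        return "success", ip.group(1)           # event is forwarded to the collector agent
    return "unknown", None

def events_for_user(text, user):  # the per-user search the article recommends
    return [(ev["time"], ev["workstation"], *classify(ev))
            for ev in parse_dc_agent_log(text) if ev["user"].lower() == user.lower()]
```

Point `events_for_user` at the downloaded DC agent log text and the missing user's name; each returned row is one logon attempt with its outcome and, where applicable, the resolved IP or the getaddrinfo() error code.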