FortiGate
seshuganesh
Staff
Article Id 204758
Description: This article describes how to troubleshoot missing log-on events in DC agent mode.
Scope: FortiGate.
Solution

Before diving into the troubleshooting steps, let us understand the flow of FSSO log-on event information to FortiGate.

Here is the actual process in FSSO DC agent mode:

  1. The user logs in to a domain machine.
  2. Check the log-on event for that user in the Windows event logs (this confirms whether the user logged in to Windows AD or not).
  3. As soon as the user logs in to AD, the user is shown in the user list of the collector agent (CA), and the user list is then sent to the firewall.

 

If the user's log-on is missing, follow the steps below:

  • Check in FortiGate, under Users and Devices, which log-on events are missing.
  • Then focus on the collector agent log-on list:
  • If only some log-on events are missing, there is no communication issue between FortiGate and the collector agent.
  • If there is a communication issue, there will be no log-on events at all in the firewall.

 

Note down the user name of the missing user and check whether that user name is present in the Active Directory event logs (this confirms that the user name is present on the correct AD server).

If the user name is present, download the DC agent logs from the DC agent. DC agent logging can be enabled in the registry: open HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent, edit the 'enable_log' value and change it from 0 to 1.

The DC agent logs are saved by default in the root of the C:\ partition.

Note:
Once the FSSO authentication issue is resolved, disable DC agent logging by changing the 'enable_log' option back to 0.

 

Search for the specific user name in the DC agent logs; this makes it possible to understand the reason for the failure:

 

A successful log-on event looks like the one below:

 

02/01/2022 14:31:43.491: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh (seshu ganesh) from seshug

Domain:Firewallgeeks DNS suffix added:firewall.geeks.

02/01/2022 14:31:43.491: finish processing.

workstation IP:10.21.2.3
Msv1_0SubAuthenticationFilter is called

 

In the above event, the log-on is processed for the 'seshu ganesh' user from the machine named 'seshug'.

 

The DNS suffix is added for the specific domain 'Firewallgeeks'.

DNS resolution for the machine name 'seshug' succeeded, and its workstation IP is 10.21.2.3.

 

The event is forwarded to the collector agent and shown in the logged-in user list.

 

Here are sample errors:

 

First:

 

02/01/2022 14:32:28.632: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh from seshug

user:seshu.ganesh in ignore list

 

This message means that the concerned user is present in the ignore list. Remove the user from the ignore list and retry.

 

Second:

 

02/01/2022 14:33:25.850: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh () from seshug

machine account:seshug$ is ignored.

02/01/2022 14:33:25.850: finish processing.
Msv1_0SubAuthenticationFilter is called

 

The above log saying 'machine account is ignored' is a normal log; by default, machine accounts are ignored.

 

Third:

 

02/03/2022 10:20:10.081: processing Logon (level=1, logonid=0-0) Firewallgeeks\seshu.ganesh (seshu ganesh) from seshug

Domain:Firewallgeeks DNS suffix added:firewall.geeks

02/03/2022 10:20:10.081: finish processing.
getaddrinfo() failed[seshug], error:11001
getaddrinfo() failed[seshug], error:11001
Msv1_0SubAuthenticationFilter is called

 

This error is mostly related to a DNS issue: the collector agent or DC agent is not able to resolve the workstation name to an IP address. Make sure the DNS entries for this workstation are correct on the AD server.

 

In a similar way, by going through the DC agent and collector agent logs from the time of the issue with matching time stamps, it is possible to get more details.
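As an added example (not from this article or from Fortinet), the following script walks a DC agent log for one user name and maps each log-on event to the outcome explained above (successful resolution, user in the ignore list, machine account ignored, or getaddrinfo() DNS failure). The embedded log is constructed from the excerpts in this article; the regular expression for the "processing Logon" line is an assumption based on those excerpts only.

```python
import re
# Constructed sample log, modelled on the DC agent excerpts above (not a real capture).
SAMPLE_LOG = """\
02/01/2022 14:31:43.491: processing Logon (level=1, logonid=0-0) Firewallgeeks\\seshu.ganesh (seshu ganesh) from seshug
Domain:Firewallgeeks DNS suffix added:firewall.geeks
02/01/2022 14:31:43.491: finish processing.
workstation IP:10.21.2.3
02/01/2022 14:32:28.632: processing Logon (level=1, logonid=0-0) Firewallgeeks\\seshu.ganesh from seshug
user:seshu.ganesh in ignore list
02/01/2022 14:33:25.850: processing Logon (level=1, logonid=0-0) Firewallgeeks\\seshu.ganesh () from seshug
machine account:seshug$ is ignored.
02/03/2022 10:20:10.081: processing Logon (level=1, logonid=0-0) Firewallgeeks\\seshu.ganesh (seshu ganesh) from seshug
getaddrinfo() failed[seshug], error:11001
"""

# A "processing Logon" line opens an event; the lines after it say what the agent did with it.
# Assumed line layout, derived from the excerpts in this article.
LOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}): processing Logon "
    r"\(level=\d+, logonid=[^)]*\) (?P<domain>[^\\]+)\\(?P<user>\S+)"
    r"(?: \((?P<display>[^)]*)\))? from (?P<host>\S+)$")

# Diagnostic markers explained in this article, checked in order, with the action each implies.
VERDICTS = [
    ("in ignore list", "user is in the ignore list: remove the user and retry"),
    ("is ignored.", "machine account ignored (expected by default)"),
    ("getaddrinfo() failed", "workstation name not resolvable: check its DNS record in AD"),
    ("workstation IP:", "log-on processed and forwarded to the collector agent"),
]

def parse_events(text):
    """Group raw DC agent log lines into one dict per log-on event."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "detail": []})
        elif events and line.strip():
            events[-1]["detail"].append(line.strip())
    return events

def classify(event):
    detail = "\n".join(event["detail"])
    for marker, verdict in VERDICTS:
        if marker in detail:
            return verdict
    return "no outcome logged: compare with the collector agent log at the same time"

def trace_user(text, username):
    # Case-insensitive match on the account name (the part after DOMAIN\).
    return [(e["ts"], e["host"], classify(e)) for e in parse_events(text)
            if e["user"].lower() == username.lower()]
```

Run trace_user(open("C:\\dcagent.log").read(), "user.name") against a downloaded log (the file name is a placeholder) to get one (timestamp, workstation, verdict) tuple per log-on of that user.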