Nivedha
Staff
Article Id: 284137
Description: This article describes how to check the users logged in using FSSO.
Scope: FortiGate.
Solution

Users logged in to SSL VPN are considered firewall users, and users logged in to a domain-joined machine are FSSO users.

 

To view FSSO users, navigate to Dashboard -> User and Devices -> Firewall users and, at the top right, select 'Show all FSSO Logons'.



 

Note:
On the latest FortiOS version 7.0.13+, 'Show all FSSO Logons' should be enabled from the Firewall Users setting.



From v7.4.x, the User and Devices dashboard is moved to Asset and Identities on FortiGate. To view FSSO users, navigate to Dashboard -> Asset and Identities -> Firewall users and, at the top right, select 'Show all FSSO Logons'. See: Updated Dashboard and FortiView.

 


 

It is also possible to list the FSSO users with the following CLI command:

 

diagnose debug authd fsso list

 

Knowing the user or IP, the output can be filtered using 'grep', for example:

 

diagnose debug authd fsso list | grep -i user123

 

Alternatively, the following command lists all the users the firewall knows in a more readable form, closer to what the Firewall users dashboard shows:


diagnose firewall auth list

Fortinet153 # diag firewall auth list

10.10.20.x, ADMIN1
type: fsso, id: 0, duration: 1874, idled: 264
server: FSSO_DC agent
packets: in 95 out 117, bytes: in 8127 out 8981
group_id: 33554439
group_name: CN=Domain Users,CN=Users,DC=startrek,DC=fortinet,DC=lab

10.10.20.x, IT
type: fsso, id: 0, duration: 6, idled: 2
server: Local FSSO Agent
packets: in 11 out 12, bytes: in 6556 out 1098
user_id: 16777222
group_id: 33554436 33554435
group_name: CN=LDAP_Admins_Apple,OU=LABou,DC=startrek,DC=fortinet,DC=lab CN=Labgroup-Apple,OU=LABou,DC=startrek,DC=fortinet,DC=lab


As with the previous command, the output can be filtered using grep.

 

diagnose firewall auth list | grep -i -A 7 user123

 

In this example the username is IT.

 

Fortinet153 # diag firewall auth list | grep -i -A 7 IT
10.10.20.20, IT
type: fsso, id: 0, duration: 18, idled: 1
server: FSSO_DC agent
packets: in 14 out 10, bytes: in 11739 out 868
user_id: 16777222
group_id: 33554438 33554439
group_name: CN=IT,OU=LABou,DC=startrek,DC=fortinet,DC=lab CN=Domain Users,CN=Users,DC=startrek,DC=fortinet,DC=lab
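
The grep filter above matches substrings (a search for 'IT' also hits a user such as AUDITOR) and relies on a fixed line count, while entries vary in length. The following added example, which is not Fortinet code, parses saved 'diagnose firewall auth list' output into records and filters on the exact username. The sample text, the function names and the assumption that every group DN starts with 'CN=' are illustrative.

```python
import re

# Constructed sample, modelled on the 'diagnose firewall auth list' output above.
SAMPLE = """\
10.10.20.20, IT
type: fsso, id: 0, duration: 18, idled: 1
server: FSSO_DC agent
packets: in 14 out 10, bytes: in 11739 out 868
user_id: 16777222
group_id: 33554438 33554439
group_name: CN=IT,OU=LABou,DC=startrek,DC=fortinet,DC=lab CN=Domain Users,CN=Users,DC=startrek,DC=fortinet,DC=lab

10.10.20.21, AUDITOR
type: fsso, id: 0, duration: 1874, idled: 264
server: FSSO_DC agent
group_id: 33554439
group_name: CN=Domain Users,CN=Users,DC=startrek,DC=fortinet,DC=lab
"""

HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}), (.+)$")  # "<ip>, <user>"

def parse_auth_list(text):
    """Return one dict per logon entry in the captured CLI output."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # a new entry starts at every "<ip>, <user>" line
            cur = {"ip": m.group(1), "user": m.group(2), "groups": []}
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("type:"):
            fields = dict(p.split(": ", 1) for p in line.split(", "))
            cur["type"] = fields["type"]
            cur["duration"] = int(fields["duration"])
            cur["idled"] = int(fields["idled"])
        elif line.startswith("server:"):
            cur["server"] = line.split(": ", 1)[1]
        elif line.startswith("group_name:"):
            # DNs contain spaces; assumption: each DN starts with "CN=".
            cur["groups"] = re.split(r"\s+(?=CN=)", line.split(": ", 1)[1])
    return entries

def fsso_logons(text, user=None):
    """FSSO entries only, optionally for one exact (case-insensitive) user."""
    return [e for e in parse_auth_list(text) if e.get("type") == "fsso"
            and (user is None or e["user"].lower() == user.lower())]
```

Calling fsso_logons(SAMPLE, "it") returns only the 10.10.20.20 entry, with both group DNs split correctly even though 'CN=Domain Users' contains a space.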

 

Note: The following commands can be used for FSSO troubleshooting.

 

diagnose debug authd fsso refresh-logons 

diagnose debug authd fsso clear-logons

diagnose debug authd fsso refresh-groups

get user adgrp

 

Related article:

Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets