oamin
Staff
Article Id 195830

Description

 

This article provides an overview of various FSSO debug commands used for troubleshooting FSSO-related issues.

 

Scope

 

FortiGate.


Solution

 

Useful FSSO commands: live debugging the authd process for FSSO

The authd daemon manages FSSO functionality on the FortiGate. This process handles a large number of authentication-related tasks, so running a wide debug (i.e., the -1 option of diagnose debug application authd) produces an enormous amount of output unrelated to FSSO. Use the following commands instead to actively monitor communication between the Collector Agent and the FortiGate, for example while user login information is being synced:

 

diagnose debug application authd 8256 <--- 8256 specifically enables FSSO-related debug messages for display.

diagnose debug console timestamp enable <--- Enable timestamps on each debug line entry.

diagnose debug enable

 

The above commands produce authd debug messages specifically related to FSSO, such as user login events and heartbeats sent to the Fortinet Collector Agent. The following is an example of expected output taken at the same time that a user logs into a domain-joined Windows workstation:

 

FortiGate # diagnose debug application authd 8256
Debug messages will be on for 30 minutes.

 

FortiGate # diagnose debug console timestamp enable

FortiGate # diagnose debug enable

2025-11-18 10:43:34 fsae_io_ctx_process_msg[FSSO_dc01.example.local]: received heartbeat 101609
2025-11-18 10:43:40 [_process_logon:1079]: JDOE (10.15.69.101, 0) logged on from FSSO_dc01.example.local.
2025-11-18 10:43:40 [_process_logon:1122]: JDOE (10.15.69.101, 0) from FSSO_dc01.example.local exists.
2025-11-18 10:43:44 fsae_io_ctx_process_msg[FSSO_dc01.example.local]: received heartbeat 101640

 

Checking/refreshing existing FSSO logins:

The diagnose debug authd fsso family of commands can be used to query FSSO on the FortiGate, including checking the list of FSSO users present on the FortiGate, refreshing group/logon mappings, and checking the connectivity to the FSSO agents (e.g., Collector Agents as well as Domain Controllers being polled by the FortiGate):

 

FortiGate # diagnose debug authd fsso ?

clear-logons      Clear logon information.
filter            Filters used for list or clear logons.
list              List current logons.
refresh-groups    Refresh group mappings.
refresh-logons    Resync logon database.
server-status     Show FSSO agent connection status.
show-address      Show FSAE dynamic addresses.
summary           Summary of current logons.

 

For the list and clear commands specifically (diagnose debug authd fsso list and diagnose debug authd fsso clear-logons), use the diagnose debug authd fsso filter family of commands to narrow down the set of users that is displayed or cleared:

 

FortiGate # diagnose debug authd fsso filter ?

clear     Clear all filters
group     Group name.
server    FSSO agent name.
source    Source IP address.
user      User name

 

The following is an example of the list command executed before and after a filter has been applied (output has been shortened for readability):

 

FortiGate # diagnose debug authd fsso list

----FSSO logons----
IP: 10.15.69.5 User: TUSER Groups: CN=TEST USER,OU=EXAMPLE USERS,DC=EXAMPLE,DC=LOCAL+OU=EXAMPLE USERS,DC=EXAMPLE,DC=LOCAL+CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL+[...output truncated...] Workstation: DC01 MemberOf: CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL CN=DOMAIN ADMINS,CN=USERS,DC=EXAMPLE,DC=LOCAL CN=VPN_USERS,OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=LOCAL [...output truncated...]

IP: 10.15.69.101 User: JDOE Groups: CN=JOHN DOE,OU=EXAMPLE USERS,DC=EXAMPLE,DC=LOCAL+OU=EXAMPLE USERS,DC=EXAMPLE,DC=LOCAL+CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL+[...output truncated...] Workstation: WIN11-01 MemberOf: CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL CN=VPN_USERS2,OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=LOCAL CN=USERS,CN=BUILTIN,DC=EXAMPLE,DC=LOCAL
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----

 

FortiGate #

FortiGate # diagnose debug authd fsso filter user JDOE

FortiGate # diagnose debug authd fsso list
----FSSO logons----
IP: 10.15.69.101 User: JDOE Groups: CN=JOHN DOE,OU=EXAMPLE USERS,DC=EXAMPLE,DC=LOCAL+OU=EXAMPLE USERS,DC=EXAMPLE,DC=LOCAL+CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL+[...output truncated...] Workstation: WIN11-01 MemberOf: CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL CN=VPN_USERS2,OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=LOCAL CN=USERS,CN=BUILTIN,DC=EXAMPLE,DC=LOCAL
Total number of logons listed: 1, filtered: 1
----end of FSSO logons----

 

Checking the status of FortiGate/FSSO Agent connectivity:

To check the connectivity status between the FortiGate and its FSSO agents, run diagnose debug authd fsso server-status, taking note of the following:

  • This command requires running diagnose debug enable first; otherwise, no output is produced.
  • This command shows connectivity from the FortiGate to the FSSO Collector Agent (aka 'FSSO Agent on Windows AD' External Connectors) as well as the FortiGate's own polling-mode FSSO (Local FSSO Agent, aka 'Active Directory Connector').
  • In older versions of FortiOS, the command may only print the connection status of the active/primary FSSO agent.

 

FortiGate # diagnose debug enable

FortiGate # diagnose debug authd fsso server-status

 

Server Name                Connection Status    Version             Address
-----------                -----------------    -------             -------
FSSO_dc01.example.local    connected            FSSO 5.0.0323       10.15.69.5
Inactive_FSSO_CA           waiting for retry                        123.4.5.6
Local FSSO Agent           connected            FSAE server 1.1     127.0.0.1
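As an added example (not part of the article, and not FortiOS or Fortinet code), the following Python parses the diagnose debug authd fsso list and server-status output formats shown above into structures that can be checked automatically, for instance to flag an agent stuck in 'waiting for retry' or to see which current logons carry a given FSSO group. The sample output embedded in it is constructed to mirror the article's examples.

```python
import re
# Constructed sample output modelled on the article's `diagnose debug authd fsso list`
# and `server-status` examples; not captured from a real FortiGate.
FSSO_LIST = """----FSSO logons----
IP: 10.15.69.5 User: TUSER Groups: CN=TEST USER,OU=EXAMPLE USERS,DC=EXAMPLE,DC=LOCAL+CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL Workstation: DC01 MemberOf: CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL CN=DOMAIN ADMINS,CN=USERS,DC=EXAMPLE,DC=LOCAL CN=VPN_USERS,OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=LOCAL
IP: 10.15.69.101 User: JDOE Groups: CN=JOHN DOE,OU=EXAMPLE USERS,DC=EXAMPLE,DC=LOCAL+CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL Workstation: WIN11-01 MemberOf: CN=DOMAIN USERS,CN=USERS,DC=EXAMPLE,DC=LOCAL CN=VPN_USERS2,OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=LOCAL CN=USERS,CN=BUILTIN,DC=EXAMPLE,DC=LOCAL
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----"""
SERVER_STATUS = """Server Name                Connection Status    Version             Address
-----------                -----------------    -------             -------
FSSO_dc01.example.local    connected            FSSO 5.0.0323       10.15.69.5
Inactive_FSSO_CA           waiting for retry                        123.4.5.6
Local FSSO Agent           connected            FSAE server 1.1     127.0.0.1"""

LOGON_RE = re.compile(r"^IP: (?P<ip>\S+) User: (?P<user>\S+) Groups: (?P<groups>.*?) "
                      r"Workstation: (?P<ws>\S+) MemberOf: (?P<member_of>.*)$")

def parse_fsso_list(text):
    """One dict per 'IP: ...' logon line; header, footer and totals are skipped."""
    logons = []
    for m in filter(None, map(LOGON_RE.match, text.splitlines())):
        logons.append({"ip": m["ip"], "user": m["user"], "workstation": m["ws"],
                       "groups": m["groups"].split("+"),  # Groups are joined with '+'
                       # MemberOf DNs are space-separated but contain spaces themselves,
                       # so split only at a space that starts a new DN (CN=... or OU=...)
                       "member_of": re.split(r" (?=(?:CN|OU)=)", m["member_of"])})
    return logons

def parse_server_status(text):
    """Map agent name -> (status, version, address); columns are 2+ spaces apart."""
    agents = {}
    for line in text.splitlines()[2:]:  # skip the header and its dashed underline
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == 3:  # blank Version column (agent never connected) collapsed
            fields.insert(2, "")
        name, status, version, address = fields
        agents[name] = (status, version, address)
    return agents

def agents_not_connected(text):
    """FSSO agents whose status is anything other than 'connected'."""
    return [n for n, (s, _, _) in parse_server_status(text).items() if s != "connected"]

def users_in_group(text, group_dn):
    """Logons carrying group_dn in MemberOf (case-insensitive): the users a policy
    referencing that FSSO group would currently match."""
    want = group_dn.upper()
    return [l["user"] for l in parse_fsso_list(text)
            if any(dn.upper() == want for dn in l["member_of"])]
```

On a real device, feed the functions the captured CLI output instead of the constructed strings; a non-empty agents_not_connected() result is the condition to alert on.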

 

Summary of remaining FSSO commands:

 

Refresh/update the list of FSSO groups present on the FortiGate (pulled from LDAP or the Collector Agent):

 

execute fsso refresh

 

Refresh FSSO group mappings for existing user entries on the FortiGate:

 

diagnose debug authd fsso refresh-groups

 

Request the Collector Agent to refresh the list of active user logons on the FortiGate:

 

diagnose debug authd fsso refresh-logons

 

Clear the list of user logon entries on the FortiGate (this does not clear the entries on the Collector Agent, so they may be re-synced soon after clearing):

 

diagnose debug authd fsso clear-logons

 

List the Firewall User table on the FortiGate, which receives authenticated user entries from multiple sources (including FSSO). The users present in this table (and the associated IP address and group memberships) are used to determine which Firewall Policies a user will be allowed to match. For more information on the Firewall User table, refer to the following KB article: Troubleshooting Tip: How to list, monitor, or de-authenticate users authenticated on a FortiGate.

 

diagnose firewall auth list

 

List the FSSO dynamic-address objects (see Related Documents below for more information):

 

diagnose debug authd fsso show-address

 

List the FSSO groups obtained from Active Directory:

 

get user adgrp

 

Example:

 

FortiGate # get user adgrp
== [ CN=VPN_USERS2,OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=LOCAL ]
name: CN=VPN_USERS2,OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=LOCAL server-name: FSSO_dc01.example.local id: 33554433
== [ CN=SAML_USERS,OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=LOCAL ]
name: CN=SAML_USERS,OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=LOCAL server-name: FSSO_dc01.example.local id: 33554434
== [ CN=VPN_USERS,OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=LOCAL ]
name: CN=VPN_USERS,OU=EXAMPLE GROUPS,DC=EXAMPLE,DC=LOCAL server-name: FSSO_dc01.example.local id: 33554435
[...]

 

Related articles:

Technical Tip: FSSO dynamic address type

Troubleshooting Tip: How to list, monitor, or de-authenticate users authenticated on a FortiGate