Somashekara_Hanumant
Staff & Editor
Article Id 422445
Description This article describes how to verify that FSSO authentication is working and how to identify, from the session list, which firewall policy ID the FSSO user's traffic is matching.
Scope FortiGate, FSSO.
Solution

After configuring FSSO authentication, when a user logs into their workstation, the administrator can verify that the FSSO user is detected on the FortiGate using the following command:

diagnose debug authd fsso list

This command displays the list of FSSO-learned users along with their IP addresses, group memberships, and logon time. The output can be filtered for a single workstation IP:

diagnose debug authd fsso list | grep 10.108.3.14
----FSSO logons----
IP: 10.108.3.14 User: NSE8-USER1 Groups: CN=NSE8GRP,CN=USERS,DC=DXB-NSE8,DC=LAB Workstation: 10.108.3.14 MemberOf: CN=NSE8GRP,CN=USERS,DC=DXB-NSE8,DC=LAB

Or:

diagnose firewall auth list | grep -i -A 7 10.108.3.14

The administrator can use the commands below to confirm which firewall policy the FSSO user's traffic is being authenticated on. First set a session filter on the user's source IP:

diagnose system session filter src 10.108.3.14

Or on the destination IP:

diagnose system session filter dst x.x.x.x <----- Replace x.x.x.x with the destination IP.

Then list the sessions that match the filter:

diagnose system session list

session info: proto=6 proto_state=01 duration=10 expire=3589 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=NSE8-USER1 auth_server=fsso_lab state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=408/4/1 reply=858/3/1 tuples=2
tx speed(Bps/kbps): 38/0 rx speed(Bps/kbps): 81/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.0.23.254/0.0.0.0
hook=post dir=org act=snat 10.108.3.14:64381->92.123.159.240:80(10.0.20.123:64381)
hook=pre dir=reply act=dnat 92.123.159.240:80->10.0.20.123:64381(10.108.3.14:64381)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=5 pol_uuid_idx=16428 auth_info=33554482 chk_client_info=0 vd=0
serial=00000f8d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off

In the session output, the user= and auth_server= fields show the FSSO user and the FSSO server object that authenticated the session, and policy_id=5 is the firewall policy the traffic matched. That policy and the FSSO server object referenced by the session are shown below:

config firewall policy
    edit 5
        set name "fsso"
        set uuid ac65f320-a99d-51f0-6d8f-7e8ab4d8d4d4
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set fsso-groups "CN=NSE8GRP,CN=USERS,DC=DXB-NSE8,DC=LAB"
    next
end
config user fsso
    edit "fsso_lab"
        set server "10.108.3.15"
        set password ENC Gc8nX
        set ldap-server "lab-ldap"
    next
end
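The three outputs above (the FSSO logon list, the filtered session list, and the firewall policy configuration) are normally cross-checked by eye. The script below is an added example, not Fortinet code or part of this article, that performs the same cross-check programmatically: it parses each output, finds the sessions for a given workstation IP, and confirms that the session is flagged authed, that its policy_id resolves to a policy, and that the user's MemberOf group is one of that policy's fsso-groups. The sample text is constructed from the article's own output; the parser assumes the field layout shown there (one group per FSSO entry, fsso-groups given as quoted strings) and would need extending for multi-group entries, whose separator the article does not show.

```python
"""Correlate FortiGate FSSO verification output (added example, not Fortinet code)."""
import re

# Constructed sample output, copied in shape from the article's examples.
FSSO_LIST = """----FSSO logons----
IP: 10.108.3.14 User: NSE8-USER1 Groups: CN=NSE8GRP,CN=USERS,DC=DXB-NSE8,DC=LAB Workstation: 10.108.3.14 MemberOf: CN=NSE8GRP,CN=USERS,DC=DXB-NSE8,DC=LAB
"""

SESSION_LIST = """session info: proto=6 proto_state=01 duration=10 expire=3589 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=NSE8-USER1 auth_server=fsso_lab state=may_dirty authed acct-ext
hook=post dir=org act=snat 10.108.3.14:64381->92.123.159.240:80(10.0.20.123:64381)
hook=pre dir=reply act=dnat 92.123.159.240:80->10.0.20.123:64381(10.108.3.14:64381)
misc=0 policy_id=5 pol_uuid_idx=16428 auth_info=33554482 chk_client_info=0 vd=0
"""

POLICY_CONFIG = """config firewall policy
    edit 5
        set name "fsso"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set fsso-groups "CN=NSE8GRP,CN=USERS,DC=DXB-NSE8,DC=LAB"
    next
end
"""


def parse_fsso_list(text):
    """Map IP -> {user, groups, member_of} from `diagnose debug authd fsso list`."""
    pat = re.compile(r"IP: (\S+) User: (\S+) Groups: (.+?) Workstation: (\S+) MemberOf: (.+)")
    users = {}
    for line in text.splitlines():
        m = pat.search(line)
        if m:
            ip, user, groups, _ws, member_of = m.groups()
            # The article shows a single group per entry; the field is kept whole.
            users[ip] = {"user": user, "groups": groups.strip(), "member_of": member_of.strip()}
    return users


def parse_sessions(text):
    """Split `diagnose system session list` output into per-session dicts."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            cur = {"authed": False}
            sessions.append(cur)
        if cur is None:
            continue
        for key in ("user", "auth_server", "policy_id"):
            m = re.search(rf"\b{key}=(\S+)", line)
            if m:
                cur[key] = m.group(1)
        # The user= line carries the auth state tokens (e.g. "authed").
        if line.startswith("user=") and re.search(r"\bauthed\b", line):
            cur["authed"] = True
        # Source IP of the originating direction, from the hook=... dir=org line.
        m = re.search(r"dir=org act=\S+ (\d+\.\d+\.\d+\.\d+):\d+->", line)
        if m:
            cur["src_ip"] = m.group(1)
    return sessions


def parse_policies(text):
    """Map policy id -> {name, fsso_groups} from `config firewall policy`."""
    policies, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\d+)$", line)
        if m:
            cur = {"name": "", "fsso_groups": []}
            policies[int(m.group(1))] = cur
        elif cur is not None and line.startswith("set name "):
            cur["name"] = re.findall(r'"([^"]*)"', line)[0]
        elif cur is not None and line.startswith("set fsso-groups "):
            cur["fsso_groups"] = re.findall(r'"([^"]*)"', line)
        elif line == "next":
            cur = None
    return policies


def verify_fsso(ip, fsso_text, session_text, policy_text):
    """Return a verdict dict for one workstation IP across the three outputs."""
    fsso = parse_fsso_list(fsso_text).get(ip)
    policies = parse_policies(policy_text)
    verdict = {"ip": ip, "fsso_detected": fsso is not None, "sessions": []}
    for s in parse_sessions(session_text):
        if s.get("src_ip") != ip:
            continue
        pid = int(s["policy_id"]) if "policy_id" in s else None
        pol = policies.get(pid, {})
        group_ok = fsso is not None and fsso["member_of"] in pol.get("fsso_groups", [])
        verdict["sessions"].append({
            "user": s.get("user"), "auth_server": s.get("auth_server"),
            "authed": s["authed"], "policy_id": pid, "policy_name": pol.get("name"),
            "group_match": group_ok,
            # Everything lines up: authed session, known policy, group in fsso-groups, same user.
            "ok": s["authed"] and group_ok and s.get("user") == fsso["user"],
        })
    return verdict


if __name__ == "__main__":
    print(verify_fsso("10.108.3.14", FSSO_LIST, SESSION_LIST, POLICY_CONFIG))
```

In practice the three strings would be replaced with the output of the corresponding CLI commands; a session whose policy_id points at a policy without a matching fsso-groups entry, or whose user= line lacks the authed token, shows up with ok set to False and is the case worth investigating first.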
Related article:

Technical Tip: How to check users logged in using FSSO on FortiGate