Created on 12-25-2022 10:20 PM. Edited on 01-27-2025 08:46 AM. By HarveyRebelo.
This article describes advanced FSSO troubleshooting and the information to collect for a Fortinet TAC support ticket.
FortiGate, FSSO.
Solution
Flow Chart.
1. Preparations.
2. Getting information from one issued PC.
3. Validations on Windows AD Server.
4. Validations on FSSO Collector Agent.
5. Communication ports needed.
6. Logon Event ID poller.
7. DNS issues.
8. FortiGate authentication debug.
Flow Chart.
Use this flow chart as a troubleshooting guide. A high-resolution HTML version is attached at the end of this article; open it in a new browser tab for a better experience.
Some boxes in the chart carry a number, e.g. (1), that refers to a section of this article, or a letter, e.g. (A), that refers to another Fortinet Community article.
On the FSSO-CA, set the log level to Debug, increase the log file size to 50 MB, and log logon events in separate logs.
Note:
The maximum log file size that can be set is 1024 MB.
If FSSO-CA is configured to work in DC Agent mode (see img-06), be sure the log is enabled:
Technical Tip: How to enable logging on DC Agent (FSSO DC Agent mode)
Important Note 1.
FSSO-CA can work in DC Agent mode or polling mode; to learn the differences, read this article:
Technical Tip: Comparison between DC-Agent mode and polling mode
Keep in mind that when changing from polling mode to DC Agent mode, FSSO-CA installs DC_Agent.dll on each selected AD server, and each of those servers will be rebooted.
When 'OK' is selected, the FSSO service is restarted and the FSSO server may change in the FortiGate External Connector.
| Command | Purpose |
| --- | --- |
| echo %logonserver% | Provides the AD <Server Name> against which the PC authenticated. |
| nslookup <ServerName> | Replace <ServerName> with the value from the previous command to resolve its IP address. |
| hostname | Provides the PC's hostname. |
| echo %username% | Provides the user account. |
| ipconfig /all | Provides IP and DNS information. |
| whoami /groups | Provides information about the user's groups. |
The steps to follow are:
PowerShell validation:
Open a PowerShell CLI as administrator (elevated prompt) and execute the following command:
Get-WinEvent -ComputerName 101.188.67.35 -FilterHashtable @{LogName='Security';ID='4624';StartTime=((Get-Date).AddMinutes(-5))} | Where-Object -Property Message -Match 'user1'
Output of the command:
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
11/28/2024 1:03:09 PM 4624 Information An account was successfully logged on....
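As an added example (not part of the original article), the following PowerShell script chains steps 2 and 3: it reads the logon server from the issued PC, resolves it, and pulls the recent 4624 events for the user from that DC, extracting the logon type, workstation and source IP that the Collector Agent relies on. It assumes the account running it can read the DC's Security log; the $User and $Minutes parameters are placeholders.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# prompt on the issued PC; the account needs rights to read the DC's Security log.
param(
    [string]$User    = $env:USERNAME,   # account to look for (placeholder default)
    [int]   $Minutes = 5                # look-back window, as in the article's command
)

# %logonserver% comes back as \\DCNAME; strip the leading backslashes.
$dc   = $env:LOGONSERVER.TrimStart('\')
$dcIp = (Resolve-DnsName -Name $dc -Type A -ErrorAction Stop | Select-Object -First 1).IPAddress
Write-Host "Logon server: $dc ($dcIp)"

$filter = @{
    LogName   = 'Security'
    ID        = 4624
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

# Filter on the TargetUserName field rather than a regex over the whole message,
# so 'user1' does not also match 'user10' or an unrelated SubjectUserName.
$events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq $User }

if (-not $events) {
    Write-Warning "No 4624 events for '$User' on $dc in the last $Minutes minutes (see Important Note 2)."
    return
}

# Event 4624 EventData order: 5 = TargetUserName, 6 = TargetDomainName,
# 8 = LogonType, 11 = WorkstationName, 18 = IpAddress.
$events | ForEach-Object {
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
        LogonType   = $_.Properties[8].Value
        Workstation = $_.Properties[11].Value
        SourceIp    = $_.Properties[18].Value
    }
} | Format-Table -AutoSize
```

A Workstation or SourceIp that does not match the values gathered in step 2 points at the domain side (Important Note 2) rather than at the Collector Agent.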
Important Note 2.
If the AD Server does not register the new logon events, the issue must be reviewed at the Domain level, since it is a problem between the PC and the Domain Server.
All collected information can be shared with Fortinet TAC; here is the checklist:
An advanced FortiGate administrator can also continue troubleshooting on their own. Based on the information obtained in point 2 there may be different scenarios; carry out the searches below and confirm which one corresponds to the user:
Inbound.
TCP/8003 – DC_Agent keepalive and push logon info to Collector Agent (SSL enabled/secure).
UDP/8002 – DC_Agent keepalive and push logon info to Collector Agent.
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL).
TCP/8000 – FortiGate to FSSO Collector Agent connection.
TCP/8000 – NTLM.
Outbound.
TCP/135, TCP/139, UDP/137 – Workstation check, polling mode (fallback method).
TCP/445 – Remote access to logon events, Workstation check (remote registry).
TCP/389 – Group lookup using LDAP.
TCP/636 – Group lookup using LDAPS.
TCP/3268 – Group lookup using LDAP with global catalog.
TCP/3269 – Group lookup using LDAPS with global catalog.
UDP/53 – DNS for resolving hostnames of the logon events.
To check these ports and validate that they are correctly opened, Telnet tests (TCP connections) must be executed from the FortiGate to the DC.
When DC Agents are installed on some of the Domain Controllers, they need port 8002 or 8003 depending on whether the connection is secure (8002 - not secure, 8003 - secure). The FortiGate connection uses port 8000 or 8001, again depending on whether it is secure (8000 - not secure, 8001 - secure).
TCP/8003 – SSL enabled/secure.
UDP/8002 – No secure
TCP/8001 – SSL enabled/secure.
TCP/8000 – No secure
If the push of logon info to the Collector Agent runs on port 8002 (not secure), that port cannot be validated from the FortiGate, because Telnet works over TCP and this service is over UDP.
If the push of logon info to the Collector Agent runs on port 8003 (SSL enabled/secure), that port can be validated from the FortiGate, because Telnet works over TCP.
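As an added example (not part of the original article), this PowerShell script run on the Collector Agent host checks the outbound TCP ports toward each DC and confirms the CA is listening on the inbound ports the chosen mode requires; it also flags UDP/8002 as untestable by Telnet, as the article notes. The DC names and the two mode flags are placeholders.

```powershell
# Added example, not from the original article. Run on the FSSO Collector Agent host.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),   # placeholders
    [bool]$DcAgentMode = $true,                          # DC Agent mode (8002/8003) vs polling
    [bool]$Secure      = $true                           # SSL-enabled collector ports
)

# Outbound: Collector Agent -> Domain Controller (TCP only; UDP/137 and UDP/53 are
# not covered by a TCP connect test).
$outboundTcp = @{
    135 = 'Workstation check (RPC)';      139  = 'Workstation check (NetBIOS)'
    445 = 'Logon events / remote registry'; 389 = 'LDAP group lookup'
    636 = 'LDAPS group lookup';           3268 = 'LDAP global catalog'
    3269 = 'LDAPS global catalog'
}

foreach ($dc in $DomainControllers) {
    foreach ($port in ($outboundTcp.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
        '{0,-8} TCP/{1,-5} {2,-8} {3}' -f $dc, $port, $state, $outboundTcp[$port]
    }
}

# Inbound: what the Collector Agent must be listening on for FortiGate and DC Agents.
$fgtPort   = if ($Secure) { 8001 } else { 8000 }
$listening = Get-NetTCPConnection -State Listen -LocalPort $fgtPort -ErrorAction SilentlyContinue
"FortiGate -> FSSO-CA TCP/$fgtPort listening: $([bool]$listening)"

if ($DcAgentMode) {
    if ($Secure) {
        $l = Get-NetTCPConnection -State Listen -LocalPort 8003 -ErrorAction SilentlyContinue
        "DC Agent -> FSSO-CA TCP/8003 listening: $([bool]$l)"
    } else {
        $l = Get-NetUDPEndpoint -LocalPort 8002 -ErrorAction SilentlyContinue
        "DC Agent -> FSSO-CA UDP/8002 bound: $([bool]$l)  (UDP: not testable with Telnet from FortiGate)"
    }
}
```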
Related article:
Technical Tip: Windows event IDs used by FSSO in WinSec polling
The following external link, 'Windows DHCP Clients and DNS Dynamic Update Protocol', may help resolve this:
Configure DNS dynamic updates Windows server 2003
diagnose debug disable
diagnose debug reset
diagnose debug application authd 8256
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug authd fsso server-status <- Then lock and unlock the issued PC, wait 2 minutes, and stop the debug with the two commands below.
diagnose debug disable <- Stops the debug.
diagnose debug reset
More Useful FSSO commands:
| Command | Purpose |
| --- | --- |
| diagnose debug authd fsso refresh-logons | Request the FSSO-CA to send the active users list to the FortiGate. |
| diagnose debug authd fsso clear-logons | Clear logon info on the FortiGate; logons are refreshed in the next polling cycle. |
| diagnose debug authd fsso refresh-groups | Request the FSSO-CA to send the monitored groups list to the FortiGate. |
| get user adgrp | List monitored groups. |
| exec fsso refresh | Manually refresh information from the DC (refresh AD and FSSO groups). |
Related Video:
https://youtu.be/Stx66uTMRm8?si=Aikv1Ha81SzpglT6
Related articles:
Technical Tip: FSSO choose between DC Agent mode or Polling mode
Technical Tip: FSSO in DC Agent mode
Technical Tip: FSSO in polling mode
Technical Tip: FSSO Group Filter configured on Collector Agent
Technical Tip: How and why to use the 'Ignore User List' option in FSSO Collector Agent
Technical Tip: FSSO Windows Directory Access Methods - Standard versus Advanced Mode
Copyright 2025 Fortinet, Inc. All Rights Reserved.