FortiGate
matanaskovic, Staff
Article Id 221942

Description

 

This article describes why the FortiGate Active Directory connector shows as 'Disconnected' and how to find the cause of the issue.

 

Scope

 

FortiGate v7.2.1.

 

Solution

 

FortiGate frequently polls the DCs to collect user logon events. This is called FSSO agentless polling mode. In agentless polling mode, there is no need to install the DC agent or the Collector Agent; instead, FortiGate polls the DC itself.

 


 

The status of our Active Directory connector is 'Disconnected'. Our DC is running Windows Server 2019 Standard.

 

By default, FortiGate connects to the DC for the Active Directory connector over TCP port 445. From FortiGate, double-check with a telnet connection that the DC is listening on that port and that the connection is actually established.

 


If the Windows Server is located on a different network and is reached over an IPsec tunnel or SD-WAN, it is necessary to specify the source IP (the IP of the interface that reaches the server) or the interface itself, using the following commands:

 

boson-kvm29 (root) # config user fsso

boson-kvm29 (fsso) # show full
config user fsso
    edit "FSSO"
        set type default
        set server "192.168.10.2"
        set port 8000
        ....
        set source-ip 80.70.66.69
        set source-ip6 ::
        set interface-select-method auto

 

For further troubleshooting of the Active Directory connector on FortiGate, run debug commands.

 

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fssod -1
diagnose debug app smbcd -1
diagnose debug enable

 

smbcd: smbcd_process_request:987 got cmd id: 6
smbcd: smbcd_process_request:1000 got rpc log field.
smbcd: smbcd_process_request:1012 got rpc username: north
smbcd: smbcd_process_request:1018 got rpc password: XXXXXXXX
smbcd: smbcd_process_request:1022 got rpc port: 0
smbcd: smbcd_process_request:1028 got rpc logsrc: security
smbcd: smbcd_process_request:1121 got net_addr
smbcd: smbcd_process_request:1006 got rpc server: 10.0.0.100
smbcd: smbcd_process_request:1055 got VFID, 0
smbcd: smbcd_process_request:1194 got rpc eventlog read command
smbcd: rpccli_eventlog_open:202 /code/daemon/smbcd/smbcd_eventlog.c-202: evenglog handle get failed.nt_status:-1073741727. Retry to open pipe with auth.

smbcd: rpccli_eventlog_open:225 /code/daemon/smbcd/smbcd_eventlog.c-225: evenglog handle get failed.nt_status:-1073741727
smbcd: rpc_cmd_eventlog_read:932 open rpc err(10.0.0.100:north:0) from security log!, Please check correct server name, user name, password, port and log source
2022-08-24 23:10:08 [handle_reply:499] wrong format of data status. len 8 <> 4.

 

Check communication between FortiGate and the DC on TCP port 445.

 

diagnose sniffer packet any "host <DC IP> and port 445" 6 0 a

 

Or, over the GUI, go to Network -> Diagnostics -> Packet Capture. Narrow the capture down to the TCP/445 communication using filters for the interface, the destination host and the port.

 


 

After reproducing the issue, let's check the traffic between FortiGate and DC over TCP port 445.

 


 

In Wireshark, the DC responds to FortiGate's request with the error 'STATUS_PRIVILEGE_NOT_HELD'. The user used for reading and polling the event logs, 'north', does not seem to have the appropriate domain privileges.

 

The user must have read access to the event logs, which is granted by membership in the built-in AD security group 'Event Log Readers'.
To add a user to the 'Event Log Readers' group in Active Directory, open Active Directory Users and Computers, navigate to the user account, right-click the user, select 'Add to a group', type 'Event Log Readers', select 'Check Names', and then select 'OK' to confirm.

 


 

After assigning the user 'north' to the AD security group 'Event Log Readers', FortiGate established communication with the DC over the Active Directory connector.

 



Note:
If the issue persists, verify that the SMB service is running on the DC, as it is required for polling mode. If it is not, follow this document from Microsoft for verification: Detect, enable, and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn

Related articles:

Troubleshooting Tip: How to troubleshoot FSSO agentless polling mode issue

Technical Tip: FSSO polling connector agent configuration and troubleshooting steps