jdelafuente_FTNT
Article Id 310786
Description

 

This article describes how to collect and read the debug log output of the FSSO-CA (Fortinet Single Sign-On Collector Agent).

 

Scope

 

FortiGate, FortiOS, FortiAuthenticator, FSSO.

 

Solution
  1. Set the log level to Debug.
  2. Increase the log file size.
  3. Create a separate file for logon events.
  4. Select Apply.
  5. Open a copy of the most recent debug log file. During troubleshooting, close and reopen it as needed to load the newest logon events.


Captions:

 

[UPDATE_LOGON_LIST] action:add_new_entry <- into FSSO-CA Database

[UPDATE_LOGON_LIST] action:update_entry <- existing in FSSO-CA Database

[UPDATE_LOGON_LIST] action:remove_entry <- from FSSO-CA Database

[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:USER1 <- '1' register logon on FortiGate.
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:USER1 <- '2' de-register on FortiGate.

[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root <- Event sent to every FortiGate connected.

 

New logon event received using the DC_Agent method:

 

[RECV_EVENT_FROM_DC] packet_len:37 dcagent_ip:10.20.30.1 time:1713732662 data_len:24 data:WINPC01/FORTILABMX/user1 ip:192.168.201.199 
[UPDATE_LOGON_LIST] action:add_new_entry workstation:WINPC01 ip:192.168.201.199:0.0.0.0 user:FORTILABMX\user1 
[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1

 

New logon event obtained using polling mode:

 

[RECV_EVENT_FROM_DC] packet_len:49 dcagent_ip:10.20.30.1 time:1713748528 data_len:36 data:192.168.201.199/FORTILABMX.NET/user1 ip:0.0.0.0
[UPDATE_LOGON_LIST] action:update_entry workstation:192.168.201.199 ip:192.168.201.199:0.0.0.0 user:FORTILABMX\user1 <- nslookup to resolve IPv4 and/or IPv6.
[UPDATE_LOGON_LIST] action:add_new_entry workstation:WINPC01 ip:192.168.201.199:0.0.0.0 user:FORTILABMX\user1
[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1

 

Logoff detected by the WMI monitor option:

 

[WORKSTATION_CHECK] user:FORTILABMX\USER1 is no longer logged on to WINPC01 (192.168.201.199)

For more detail, see Troubleshooting Tip: User status 'Not Verified' on the FSSO Collector Agent.


Logoff when the 'Dead entry timeout interval' timer is reached:

 

[UPDATE_LOGON_LIST] action:remove_entry WINPC01:user1[192.168.201.199:0.0.0.0] removed. current time:1713730961 last update time:1713730776 age:185 timeout:180 <<< 3 minutes for testing purposes, 480 default

[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETK18918826-root
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1

 

For more information, see Technical Tip: Explanation of FSSO timers.

 

Example of a workstation IP change with multiple FortiGates updated:

 

[IP_CHANGE_CHECK] workstation:WINPC01 ip changed from 192.168.201.199:0.0.0.0 to 192.168.201.180:0.0.0.0 <- nslookup to resolve IPv4 and/or IPv6.

[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FWF61xxxxxx-root
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1

[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.180 workstation:WINPC01 domain:FORTILABMX user:user1
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FWF61xxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.180 workstation:WINPC01 domain:FORTILABMX user:user1

 

For more information, see Technical Tip: Explanation of FSSO timers and Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets (at point 7, DNS Issues).
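The dead-entry and multi-FortiGate excerpts above can be cross-checked with a short script. The following is an added example, not Fortinet code: it parses the tagged lines, records the last logon state sent to each FortiGate, and lists FortiGates that never received the logon:0 after the collector removed an entry. The function names are hypothetical, the sample is constructed from the excerpts on this page, and pairing each SEND_EVENT_TO_FGT with the LOGON_ITEM that follows it is an assumption based on those excerpts.

```python
import re

LINE = re.compile(r"\[([A-Z_]+)\]\s+(.*)$")          # [TAG] body, tolerating a prefix before the tag
FIELD = re.compile(r"(\w+):(\S+)")                   # key:value pairs in the body
REMOVED = re.compile(r"(\S+):(\S+)\[([0-9.]+):")     # workstation:user[ipv4:...

# Constructed sample assembled from the excerpts in this article (serials masked as on the page).
SAMPLE = r"""
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FWF61xxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
[UPDATE_LOGON_LIST] action:remove_entry WINPC01:user1[192.168.201.199:0.0.0.0] removed. current time:1713730961 last update time:1713730776 age:185 timeout:180
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
""".strip().splitlines()

def reconcile(lines):
    """Return (view, removals).
    view: {(fortigate_serial, ip): (logged_on, line_no)}, the last state sent to each FortiGate.
    removals: one dict per remove_entry line that carries age and timeout."""
    view, removals, serial = {}, [], None
    for no, line in enumerate(lines, 1):
        m = LINE.search(line.strip())
        if not m:
            continue  # blank or untagged line
        tag, body = m.groups()
        f = dict(FIELD.findall(body))
        if tag == "SEND_EVENT_TO_FGT":
            serial = f.get("FortiGate_SN")  # assumption: applies to the next LOGON_ITEM
            continue
        if tag == "LOGON_ITEM" and serial and "ip" in f:
            view[(serial, f["ip"])] = (f.get("logon") == "1", no)
        elif tag == "UPDATE_LOGON_LIST" and f.get("action") == "remove_entry":
            r = REMOVED.search(body)
            if r and "age" in f and "timeout" in f:
                removals.append({"workstation": r.group(1), "user": r.group(2), "ip": r.group(3),
                                 "age": int(f["age"]), "timeout": int(f["timeout"]), "line": no})
        serial = None
    return view, removals

def stale_after_removal(lines):
    """FortiGate serials whose last event for a removed IP is logon:1 and predates the removal."""
    view, removals = reconcile(lines)
    last_removed = {r["ip"]: r["line"] for r in removals}
    return sorted(sn for (sn, ip), (on, no) in view.items()
                  if on and no < last_removed.get(ip, 0))
```

Calling `stale_after_removal()` on the lines of a debug log copy returns the serials to check on the FortiGate side; a logon sent again after the removal is not reported.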