This article describes how to collect and read debug logs output from FSSO-CA (Fortinet Single Sign-On Collector Agent).
FortiGate, FortiOS, FortiAuthenticator, FSSO.
Captions:
[UPDATE_LOGON_LIST] action:add_new_entry <- into FSSO-CA Database
[UPDATE_LOGON_LIST] action:update_entry <- existing in FSSO-CA Database
[UPDATE_LOGON_LIST] action:remove_entry <- from FSSO-CA Database
[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:USER1 <- '1' register logon on FortiGate.
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:USER1 <- '2' de-register on FortiGate.
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root <- Event sent to every FortiGate connected.
New logon event received using the DC_Agent method:
[RECV_EVENT_FROM_DC] packet_len:37 dcagent_ip:10.20.30.1 time:1713732662 data_len:24 data:WINPC01/FORTILABMX/user1 ip:192.168.201.199
[UPDATE_LOGON_LIST] action:add_new_entry workstation:WINPC01 ip:192.168.201.199:0.0.0.0 user:FORTILABMX\user1
[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
New logon event obtained using polling mode:
[RECV_EVENT_FROM_DC] packet_len:49 dcagent_ip:10.20.30.1 time:1713748528 data_len:36 data:192.168.201.199/FORTILABMX.NET/user1 ip:0.0.0.0
[UPDATE_LOGON_LIST] action:update_entry workstation:192.168.201.199 ip:192.168.201.199:0.0.0.0 user:FORTILABMX\user1 <- nslookup to resolve IPv4 and/or IPv6.
[UPDATE_LOGON_LIST] action:add_new_entry workstation:WINPC01 ip:192.168.201.199:0.0.0.0 user:FORTILABMX\user1
[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
Logoff by WMI monitor option configuration.
[WORKSTATION_CHECK] user:FORTILABMX\USER1 is no longer logged on to WINPC01 (192.168.201.199)
For more detail, see Troubleshooting Tip: User status 'Not Verified' on the FSSO Collector Agent.
Logoff when 'Dead entry timeout interval' timer is reached.
[UPDATE_LOGON_LIST] action:remove_entry WINPC01:user1[192.168.201.199:0.0.0.0] removed. current time:1713730961 last update time:1713730776 age:185 timeout:180 <<< 3 minutes for testing purposes, 480 default
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETK18918826-root
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
For more information, see Technical Tip: Explanation of FSSO timers.
Workstation IP change and multiple FortiGates updated example:
[IP_CHANGE_CHECK] workstation:WINPC01 ip changed from 192.168.201.199:0.0.0.0 to 192.168.201.180:0.0.0.0 <- nslookup to resolve IPv4 and/or IPv6.
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FWF61xxxxxx-root
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.180 workstation:WINPC01 domain:FORTILABMX user:user1
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FWF61xxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.180 workstation:WINPC01 domain:FORTILABMX user:user1
For more information, see Technical Tip: Explanation of FSSO timers and Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets (at point 7, DNS Issues).
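In the IP change sequence above, each FortiGate should receive a logon:0 for the old address and a logon:1 for the new one. The following Python script is an added example, not Fortinet code: it replays SEND_EVENT_TO_FGT/LOGON_ITEM pairs from a debug log into one IP-to-user table per FortiGate and reports entries that not every FortiGate ended up with. It assumes each LOGON_ITEM belongs to the SEND_EVENT_TO_FGT line directly before it; the function names are hypothetical, and the sample log is constructed in the format shown on this page with the de-register to the second FortiGate left out.

```python
import re

KV = re.compile(r"(\w+):(\S+)")

def parse(line):
    """Split one FSSO-CA debug line into (tag, fields); None if it has no [TAG]."""
    body = re.split(r"<-|<<<", line)[0].strip()  # drop this article's annotations
    m = re.match(r"\[(\w+)\]\s*(.*)", body)
    return (m.group(1), dict(KV.findall(m.group(2)))) if m else None

def fortigate_views(lines):
    """Replay SEND_EVENT_TO_FGT + LOGON_ITEM pairs into an IP->user table per FortiGate."""
    views, target = {}, None
    for line in lines:
        tag, f = parse(line) or (None, {})
        if tag == "SEND_EVENT_TO_FGT":
            target = f.get("FortiGate_SN")
            if target:
                views.setdefault(target, {})
            continue
        if tag == "LOGON_ITEM" and target:
            if f["logon"] == "1":            # register
                views[target][f["ip"]] = f["domain"] + "\\" + f["user"]
            else:                            # logon:0, de-register
                views[target].pop(f["ip"], None)
        target = None  # assumption: only the line right after SEND_EVENT is paired
    return views

def not_shared(views):
    """Return {serial: [(ip, user), ...]} for entries missing on at least one FortiGate."""
    sets = {sn: set(t.items()) for sn, t in views.items()}
    common = set.intersection(*sets.values()) if sets else set()
    return {sn: sorted(s - common) for sn, s in sets.items() if s - common}

# Constructed sample: logon:0 for 192.168.201.199 never reaches the second FortiGate.
SAMPLE = """\
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FWF61xxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
[IP_CHANGE_CHECK] workstation:WINPC01 ip changed from 192.168.201.199:0.0.0.0 to 192.168.201.180:0.0.0.0
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root
[LOGON_ITEM] logon:0 ip:192.168.201.199 workstation:WINPC01 domain:FORTILABMX user:user1
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FG200ETKxxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.180 workstation:WINPC01 domain:FORTILABMX user:user1
[SEND_EVENT_TO_FGT] packet_len:169 FortiGate_SN:FWF61xxxxxx-root
[LOGON_ITEM] logon:1 ip:192.168.201.180 workstation:WINPC01 domain:FORTILABMX user:user1
""".splitlines()

if __name__ == "__main__":
    print(not_shared(fortigate_views(SAMPLE)))
```

An empty result means every FortiGate in the log ended with the same logon table; a non-empty one names the serial and the entries to compare against the logon list on that FortiGate.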