Article Id 214349


This article describes the troubleshooting steps to follow when addressing FSSO agentless polling mode issues.

In FSSO agentless polling mode there is no need to install a DC agent or a collector agent: the FortiGate polls the domain controller itself.

The FortiGate connects to the DC over SMB on TCP port 445 and reads the Windows security event log to collect user logon events (the smbcd debug output further down shows this as an eventlog read with logsrc security), so the polling account must be allowed to read that log. It also queries the DC over LDAP to look up the groups of each user it learns, which is why both the polling credentials and the LDAP server configuration must be correct.




Some general things to check while addressing FSSO agentless polling mode issues are as follows:


Check the status of the Active Directory connector from the GUI:


Go to Security Fabric -> External Connectors -> Active Directory Connector.




Check communication between the FortiGate and the DC on TCP port 445 with the packet sniffer:


diag sniffer packet any "host <DC IP> and port 445" 6 0 a


ghost-kvm56 # diagnose sniffer packet any 'host and tcp port 445' 4
Using Original Sniffing Mode
filters=[host and tcp port 445]
2.189333 port3 out -> syn 2539919453
2.189754 port3 in -> syn 3845058239 ack 2539919454
2.189775 port3 out -> ack 3845058240


The SYN, SYN/ACK and ACK above show the TCP handshake to the DC completing. If only outbound SYNs appear, the DC is unreachable or a device in the path is blocking TCP port 445; if the DC answers with a RST, nothing is listening on the port.


Check the status of the polls from the FortiGate to the DC:


diagnose debug fsso-polling detail


AD Server Status(connected):
ID=1, name(,ip=,source(security),users(0)
port=auto username=Administrator
read log eof=1, latest logon timestamp: Fri Jun 10 14:29:07 2022

polling frequency: every 10 second(s) success(245032), fail(94831)
LDAP query: success(38), fail(3)
LDAP max group query period(seconds): 0
LDAP status: connected

Group Filter:
CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local+CN=Administrator,CN=Users,DC=Fortigate,DC=local


If the LDAP status shows connected, the FortiGate can reach the configured LDAP server and group lookups can succeed.
If the read log offset is incrementing (and the latest logon timestamp keeps moving forward), the FortiGate is connecting to the domain controller and reading its security log.

If the log is being read but no logon events are learned, check that the group filter is correct (the DNs listed under Group Filter must be groups the users actually belong to) and that the domain controller is generating the expected audit events. In the smbcd output further down the logon is learned from event ID 4776 (credential validation), which the DC only writes when its audit policy logs account logon / credential validation events.

Also compare the success and fail counters on the polling frequency line: a large fail count means polls regularly fail to reach the DC or to read its event log (for example when the polling account lacks permission to read the security log), and the fssod and smbcd debugs below should show why.
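As an added example (not part of the original article), the following Python script parses a constructed copy of the fsso-polling detail output, modelled on the one above, and applies the checks just described: server and LDAP status, poll failure ratio, age of the latest logon timestamp, number of learned users and the group filter. The DC name and IP in the sample, the thresholds and the wording of the findings are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the "diagnose debug fsso-polling detail" output.
# dc01 / 192.0.2.10 are placeholders, not values from the original article.
SAMPLE = """AD Server Status(connected):
ID=1, name(dc01),ip=192.0.2.10,source(security),users(1)
port=auto username=Administrator
read log eof=1, latest logon timestamp: Fri Jun 10 14:29:07 2022

polling frequency: every 10 second(s) success(245032), fail(94831)
LDAP query: success(38), fail(3)
LDAP max group query period(seconds): 0
LDAP status: connected

Group Filter:
CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local+CN=Administrator,CN=Users,DC=Fortigate,DC=local
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"          # format of "latest logon timestamp"
NOW_FOR_EXAMPLE = datetime(2022, 6, 10, 14, 35, 0)   # pinned so the run is reproducible


def _first(pattern, text, conv=str):
    """Return the first regex group converted with conv, or None if absent."""
    m = re.search(pattern, text)
    return conv(m.group(1)) if m else None


def parse_poll_status(text):
    """Extract the health indicators from fsso-polling detail output."""
    status = {
        "ad_status": _first(r"AD Server Status\((\w+)\)", text),
        "users": _first(r"users\((\d+)\)", text, int),
        "latest_logon": _first(r"latest logon timestamp: (.+)", text,
                               lambda s: datetime.strptime(s.strip(), TS_FMT)),
        "ldap_status": _first(r"LDAP status: (\w+)", text),
        "groups": [],
        "interval": None, "poll_ok": None, "poll_fail": None,
        "ldap_ok": None, "ldap_fail": None,
    }
    m = re.search(r"every (\d+) second\(s\) success\((\d+)\), fail\((\d+)\)", text)
    if m:
        status["interval"], status["poll_ok"], status["poll_fail"] = map(int, m.groups())
    m = re.search(r"LDAP query: success\((\d+)\), fail\((\d+)\)", text)
    if m:
        status["ldap_ok"], status["ldap_fail"] = map(int, m.groups())
    m = re.search(r"Group Filter:\s*(\S.*)", text)
    if m:
        status["groups"] = m.group(1).strip().split("+")   # DNs are joined with '+'
    return status


def assess(status, now, fail_ratio_limit=0.10, max_logon_age=timedelta(hours=1)):
    """Return findings for the operator; an empty list means the poller looks healthy.

    The thresholds are assumptions for this example; tune them to the environment.
    """
    findings = []
    if status["ad_status"] != "connected":
        findings.append("AD server not connected: check TCP/445 reachability and the polling account")
    if status["ldap_status"] != "connected":
        findings.append("LDAP not connected: group lookups fail, logons will carry no groups")
    total = (status["poll_ok"] or 0) + (status["poll_fail"] or 0)
    if total and status["poll_fail"] / total > fail_ratio_limit:
        findings.append(f"{status['poll_fail']} of {total} polls failed: "
                        "intermittent SMB/RPC errors or no permission to read the security log")
    if status["latest_logon"] and now - status["latest_logon"] > max_logon_age:
        findings.append("latest logon timestamp is stale: the DC may not be writing the expected "
                        "event IDs, or nobody matching the group filter has logged on")
    if status["users"] == 0:
        findings.append("0 users learned: verify the group filter DNs and the audit policy on the DC")
    if not status["groups"]:
        findings.append("empty group filter: no groups are monitored, check the FSSO group configuration")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_poll_status(SAMPLE), NOW_FOR_EXAMPLE):
        print("WARN:", finding)
```

Run against the sample, the only finding is the poll failure ratio (about 28% of polls failed), which is exactly the situation where the smbcd debug below is the next thing to look at.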


Collect FSSO and SMB debug logs (turn them off again with diag debug disable and diag debug reset once done):


diag debug application fssod -1
diag debug application smbcd -1
diag debug en


SMB output:

ghost-kvm56 # smbcd: smbcd_process_request:981 got cmd id: 6
smbcd: smbcd_process_request:994 got rpc log field.
smbcd: smbcd_process_request:1006 got rpc username: Administrator
smbcd: smbcd_process_request:1012 got rpc password: XXXXXXXX
smbcd: smbcd_process_request:1016 got rpc port: 0
smbcd: smbcd_process_request:1022 got rpc logsrc: security
smbcd: smbcd_process_request:1000 got rpc server:
smbcd: smbcd_process_request:1049 got VFID, 0
smbcd: smbcd_process_request:1182 got rpc eventlog read command
smbcd: rpccli_eventlog_open:232 /code/FortiOS/fortinet/daemon/smbcd/smbcd_eventlog.c-232: cli_rpc_pipe_open_noauth get_eventlog_handle success:0
smbcd: eventlog_read:574 id= 4776, r.TimeGenerated=1654866528, Fri Jun 10 13:08:48 2022
, curren time=1654866522, Fri Jun 10 13:08:48 2022
, time_after=1.
smbcd: process_logon_event:491 found user Administrator, workstation=GHOST-KVM56
[event_add_logon_info:363] eid=4776, logon=[Administrator], ipaddr=[], station=[GHOST-KVM56], domain=[], clt_workstation=, port=0, tm=1654866528
smbcd: eventlog_read:622 loop=5, timestamp=1654866535, Fri Jun 10 13:08:55 2022

smbcd: rpc_cmd_eventlog_read:944 init=0, eof=1, timestamp=1654866535, Fri Jun 10 13:08:55 2022


FSSO output. The fssod debug shows the LDAP lookups that attach groups to the learned user and, because the security event carries no client IP (ipaddr=[] above), the DNS lookup that resolves the workstation name to an address. Workstation names must therefore be resolvable from the FortiGate, otherwise the logon has no IP to match traffic against:

[fsso_ldap_session_state:83] ldap session state transit from init->user for user sjoshi.
[fsso_ldap_group_add:327] logon:, sjoshi/FORTIGATE, , add group CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local
[primary_id_lookup:454] primary_id_lookup: user_id: CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local
[fsso_ldap_session_state:83] ldap session state transit from user->primary-group-id for user sjoshi.
[primary_group_lookup:429] lookup primary group for: logon(, sjoshi) base:dc=fortigate,dc=local filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\f4\5d\ae\11\24\05\d9\d1\0c\5e\00\06\01\02\00\00))
[fsso_ldap_session_state:83] ldap session state transit from primary-group-id->primary_group for user sjoshi.
[memberof_lookup:564] look up memberof for logon(, sjoshi),base: dc=fortigate,dc=local, filter: (&(objectclass=group)(|(member:=CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local)(member:=CN=Domain Users,CN=Users,DC=Fortigate,DC=local)))
[fsso_ldap_session_state:83] ldap session state transit from primary_group->memberOf for user sjoshi.
[fsso_ldap_session_state:83] ldap session state transit from memberOf->done for user sjoshi.
[get_ip_by_name:283] name=SJOSHI, id=0, cb=0xc48260
[dns_parse_resp:133] 0: DNS response received for host SJOSHI, id 0
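As an added example that is not from the original article, the Python below parses event_add_logon_info lines from smbcd debug output (constructed, in the layout of the lines above), keeps the newest event per user, and resolves the workstation name to an IP through a lookup table standing in for the DNS query fssod performs; it flags logons that end up without an IP, which is what happens when the event has no workstation name or the name does not resolve from the FortiGate. The usernames, workstation names, addresses and the "newest event wins" rule are assumptions for the example, not a description of fssod internals.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the layout of the smbcd event_add_logon_info output.
# Users, workstations and timestamps are invented for the example, not from a real DC.
SAMPLE_LOG = """\
smbcd: eventlog_read:574 id= 4776, r.TimeGenerated=1654866528, Fri Jun 10 13:08:48 2022
[event_add_logon_info:363] eid=4776, logon=[Administrator], ipaddr=[], station=[GHOST-KVM56], domain=[], clt_workstation=, port=0, tm=1654866528
[event_add_logon_info:363] eid=4776, logon=[sjoshi], ipaddr=[], station=[SJOSHI], domain=[], clt_workstation=, port=0, tm=1654866530
[event_add_logon_info:363] eid=4776, logon=[sjoshi], ipaddr=[], station=[LAPTOP-02], domain=[], clt_workstation=, port=0, tm=1654866535
[event_add_logon_info:363] eid=4776, logon=[svc_backup], ipaddr=[], station=[], domain=[], clt_workstation=, port=0, tm=1654866540
smbcd: rpc_cmd_eventlog_read:944 init=0, eof=1, timestamp=1654866540, Fri Jun 10 13:09:00 2022
"""

LOGON_RE = re.compile(
    r"eid=(?P<eid>\d+), logon=\[(?P<user>[^\]]*)\], ipaddr=\[(?P<ip>[^\]]*)\], "
    r"station=\[(?P<station>[^\]]*)\].*?tm=(?P<tm>\d+)"
)

# Stand-in for the DNS the FortiGate queries (get_ip_by_name in the fssod output).
# LAPTOP-02 is deliberately missing to show an unresolvable workstation name.
FAKE_DNS = {"GHOST-KVM56": "192.0.2.56", "SJOSHI": "192.0.2.20"}


def parse_logons(log):
    """Return one dict per event_add_logon_info line; other debug lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LOGON_RE.search(line)
        if not m:
            continue
        events.append({
            "eid": int(m.group("eid")),
            "user": m.group("user"),
            "ip": m.group("ip") or None,            # 4776 events carry no client IP
            "station": m.group("station") or None,
            "tm": datetime.fromtimestamp(int(m.group("tm")), tz=timezone.utc),
        })
    return events


def build_logon_table(events, resolve):
    """Map each user to their most recent logon, resolving the workstation name to an IP.

    resolve(name) returns an IP string or None. Keeping the newest event per user is a
    choice made for this example, not a statement about how fssod behaves.
    """
    table, problems = {}, []
    for ev in sorted(events, key=lambda e: e["tm"]):
        ip = ev["ip"]
        if ip is None and ev["station"]:
            ip = resolve(ev["station"])
        if ev["station"] is None and ip is None:
            problems.append(f"{ev['user']}: event {ev['eid']} has no workstation name, "
                            "the logon cannot be tied to an IP")
        elif ip is None:
            problems.append(f"{ev['user']}: workstation {ev['station']} did not resolve, "
                            "the logon will have no IP to match traffic against")
        table[ev["user"]] = {"eid": ev["eid"], "station": ev["station"], "ip": ip, "tm": ev["tm"]}
    return table, problems


def demo():
    """Parse the constructed log and build the table with the fake DNS."""
    return build_logon_table(parse_logons(SAMPLE_LOG), FAKE_DNS.get)


if __name__ == "__main__":
    table, problems = demo()
    for user, row in table.items():
        station = row["station"] or "-"
        ip = row["ip"] or "-"
        print(f"{user:15} {station:12} {ip:15} {row['tm']:%H:%M:%S}")
    for p in problems:
        print("WARN:", p)
```

In the sample, sjoshi's newer logon from LAPTOP-02 replaces the one from SJOSHI and fails to resolve, and svc_backup authenticated with no workstation name at all; both are reported as logons that the FortiGate could not map to an address, which is the condition to look for when a user appears in the debug but not in diagnose firewall auth list.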


Check the user logon information from the GUI:


Go to Dashboard -> Users & Devices -> Firewall Users.




Check the user logon information from the CLI:


diagnose firewall auth list

, sjoshi
type: fsso, id: 0, duration: 1404, idled: 197
server: Local FSSO Agent
packets: in 52817 out 15641, bytes: in 77654301 out 1362780
user_id: 16777223
group_id: 33554484
group_name: CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local

----- 1 listed, 0 filtered ------


diag debug authd fsso list

----FSSO logons----
IP: User: sjoshi Groups: CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local Workstation: MemberOf: sjoshi CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----


To refresh all users learned through agentless polling:


diagnose debug fsso-polling refresh-user


Check the session information with diagnose sys session list (use diagnose sys session filter first to narrow it down to the client). A session authenticated through FSSO shows the user and auth_server, and its auth_info value is the group_id seen in the firewall auth list above (33554484 here):


session info: proto=6 proto_state=01 duration=34 expire=3566 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=sjoshi auth_server=Local FSSO Agent state=log may_dirty authed f00 acct-ext
statistic(bytes/packets/allow_err): org=843/6/1 reply=5957/8/1 tuples=2
tx speed(Bps/kbps): 24/0 rx speed(Bps/kbps): 173/1
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=
hook=post dir=org act=snat>
hook=pre dir=reply act=dnat>
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=14726 auth_info=33554484 chk_client_info=0 vd=0
serial=06d5747e tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a


The monitored groups, as configured under user adgrp (one entry per FSSO group learned from the connector):


ghost-kvm56 # show user adgrp
config user adgrp
    edit "CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local"
        set server-name "Local FSSO Agent"
    next
    edit "CN=Administrator,CN=Users,DC=Fortigate,DC=local"
        set server-name "Local FSSO Agent"
    next
end



Important Notes.



Limitations of agentless polling mode.


  • If many users log in at the same time, the FSSO daemon may miss some of the logon events.
  • Windows security event log (WinSec) polling only; the NetAPI and WMI polling methods of the collector agent are not available.
  • No NTLM authentication.
  • No workstation checks and no dead-entry detection, so stale logons are not verified against the workstation and removed.
  • FSSO agentless polling may not work correctly with nested user groups.
  • Higher CPU consumption on the FortiGate, since it performs the polling and LDAP lookups itself instead of a collector agent.