FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sjoshi
Staff
Staff
Article Id 214349
Description

 

This article gives troubleshooting steps to follow when addressing FSSO agentless polling mode issue.

 

Scope

 

FortiGate.

 

Solution

 

In FSSO agentless polling mode there is no need to install DC agent or collector agent, instead FortiGate polls the DC itself.

FortiGate polls the DC on TCP port 445 to collect user login events.

 

sdgsd.PNG

 

Some of the general things to check while addressing FSSO agentless polling mode issue are as follows: 

 

Check the status of Active Directory connector from the GUI:

 

 Go to Security Fabric -> External Connector ->Active Directory Connector.

 

2.PNG

 

Check communication between FortiGate and the DC on TCP port 445.

 

diag sniffer packet any "host <DC IP> and port 445" 6 0 a

 

ghost-kvm56 # diagnose sniffer packet any 'host 10.100.3.231 and tcp port 445' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.100.3.231 and tcp port 445]
2.189333 port3 out 10.100.3.228.15522 -> 10.100.3.231.445: syn 2539919453
2.189754 port3 in 10.100.3.231.445 -> 10.100.3.228.15522: syn 3845058239 ack 2539919454
2.189775 port3 out 10.100.3.228.15522 -> 10.100.3.231.445: ack 3845058240

 

Status of Polls by FortiGate to DC.

 

diagnose debug fsso-polling detail

 

AD Server Status(connected):
ID=1, name(10.100.3.231),ip=10.100.3.231,source(security),users(0)
port=auto username=Administrator
read log eof=1, latest logon timestamp: Fri Jun 10 14:29:07 2022

polling frequency: every 10 second(s) success(245032), fail(94831)
LDAP query: success(38), fail(3)
LDAP max group query period(seconds): 0
LDAP status: connected

Group Filter:
CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local+CN=Administrator,CN=Users,DC=Fortigate,DC=local

 

If the status of LDAP is shown connected, then the FortiGate can access the configured LDAP server.
If the read log offset is incrementing, FortiGate is connecting to and reading the logs on the domain controller.

If the read log offset is incrementing but there are any login events, check that the group filter is correct, and that the domain controller is creating the correct event IDs.

 

Take FSSO and SMB debug logs.

 

diag debug application fssod -1
diag debug application smbcd -1
diag debug en

 

SMB Output.


ghost-kvm56 # smbcd: smbcd_process_request:981 got cmd id: 6
smbcd: smbcd_process_request:994 got rpc log field.
smbcd: smbcd_process_request:1006 got rpc username: Administrator
smbcd: smbcd_process_request:1012 got rpc password: XXXXXXXX
smbcd: smbcd_process_request:1016 got rpc port: 0
smbcd: smbcd_process_request:1022 got rpc logsrc: security
smbcd: smbcd_process_request:1000 got rpc server: 10.100.3.231
smbcd: smbcd_process_request:1049 got VFID, 0
smbcd: smbcd_process_request:1182 got rpc eventlog read command
smbcd: rpccli_eventlog_open:232 /code/FortiOS/fortinet/daemon/smbcd/smbcd_eventlog.c-232: cli_rpc_pipe_open_noauth get_eventlog_handle success:0
smbcd: eventlog_read:574 id= 4776, r.TimeGenerated=1654866528, Fri Jun 10 13:08:48 2022
, curren time=1654866522, Fri Jun 10 13:08:48 2022
, time_after=1.
smbcd: process_logon_event:491 found user Administrator, workstation=GHOST-KVM56
[event_add_logon_info:363] eid=4776, logon=[Administrator], ipaddr=[], station=[GHOST-KVM56], domain=[], clt_workstation=, port=0, tm=1654866528
smbcd: eventlog_read:622 loop=5, timestamp=1654866535, Fri Jun 10 13:08:55 2022

smbcd: rpc_cmd_eventlog_read:944 init=0, eof=1, timestamp=1654866535, Fri Jun 10 13:08:55 2022
status=0

 

FSSO output.


[fsso_ldap_session_state:83] ldap session state transit from init->user for user sjoshi.
status=0
[fsso_ldap_group_add:327] logon: 10.100.3.230, sjoshi/FORTIGATE, , add group CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local
[primary_id_lookup:454] primary_id_lookup: user_id: CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local
[fsso_ldap_session_state:83] ldap session state transit from user->primary-group-id for user sjoshi.
[primary_group_lookup:429] lookup primary group for: logon(10.100.3.230, sjoshi) base:dc=fortigate,dc=local filter:(&(objectclass=group)(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\f4\5d\ae\11\24\05\d9\d1\0c\5e\00\06\01\02\00\00))
[fsso_ldap_session_state:83] ldap session state transit from primary-group-id->primary_group for user sjoshi.
[memberof_lookup:564] look up memberof for logon(10.100.3.230, sjoshi),base: dc=fortigate,dc=local, filter: (&(objectclass=group)(|(member:=CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local)(member:=CN=Domain Users,CN=Users,DC=Fortigate,DC=local)))
[fsso_ldap_session_state:83] ldap session state transit from primary_group->memberOf for user sjoshi.
[fsso_ldap_session_state:83] ldap session state transit from memberOf->done for user sjoshi.
[get_ip_by_name:283] name=SJOSHI, id=0, cb=0xc48260
[dns_parse_resp:133] 0: DNS response received for host SJOSHI, id 0

 

Check the user logon information from the GUI.

 

Go to Dashboard -> Users & Devices -> Firewall Users.

 

Capture.PNG

 

Check the user logon information from the CLI.

 

diagnose firewall auth list

 

10.100.3.230, sjoshi
type: fsso, id: 0, duration: 1404, idled: 197
server: Local FSSO Agent
packets: in 52817 out 15641, bytes: in 77654301 out 1362780
user_id: 16777223
group_id: 33554484
group_name: CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local

----- 1 listed, 0 filtered ------

 

diag debug authd fsso list


----FSSO logons----
IP: 10.100.3.230 User: sjoshi Groups: CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local Workstation: MemberOf: sjoshi CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----

 

To refresh all users learned through agentless polling.

 

diagnose debug fsso-polling refresh-user

 

Check Session Information.

 

session info: proto=6 proto_state=01 duration=34 expire=3566 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=sjoshi auth_server=Local FSSO Agent state=log may_dirty authed f00 acct-ext
statistic(bytes/packets/allow_err): org=843/6/1 reply=5957/8/1 tuples=2
tx speed(Bps/kbps): 24/0 rx speed(Bps/kbps): 173/1
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=10.40.31.254/10.100.3.230
hook=post dir=org act=snat 10.100.3.230:49864->172.217.167.226:443(10.40.19.228:49864)
hook=pre dir=reply act=dnat 172.217.167.226:443->10.40.19.228:49864(10.100.3.230:49864)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=14726 auth_info=33554484 chk_client_info=0 vd=0
serial=06d5747e tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=00000000

 

The monitored groups.

 

ghost-kvm56 # show user adgrp

config user adgrp 

    edit "CN=Salon Joshi,CN=Users,DC=Fortigate,DC=local"

        set server-name "Local FSSO Agent"

    next

    edit "CN=Administrator,CN=Users,DC=Fortigate,DC=local"

        set server-name "Local FSSO Agent"

    next

end

 

Important Notes.

 

  • Also, ensure SMBv1 is allowed for polling.
  • If there is any concern about SMBv1 used, after FortiGate version 6.2 later, SMBv1 can be disabled on Server site along with the FortiGate site with the command below
  • config user fsso-polling
    edit <>
    set smbv1 {enable|*disable} (default value is "disable")
    end

    end
  • The polling mode also require the SMBv1 communicating to AD server, kindly follow the Microsoft KB article to check and verify also.
    https://docs.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-d...

 

Limitations of agentless polling mode.

 

  • If there are many user logins at the same time, the FSSO daemon may miss some. 
  • Winsec polling only.
  • No NTLM.
  • No workstation checks and dead entry.
  • FSSO-polling Agentless may not work correctly with nested user groups.
  • More CPU-consuming: with local polling.