carlosaleman
Staff
Article Id 279084
Description: This article describes how to troubleshoot port blocks in Windows Server in FSSO solutions without installing any software.
Scope: FortiGate, FSSO, Windows Server.
Solution

When troubleshooting a communication issue between a DC Agent and other agents or FortiGates, and there are no permissions to install any software, it can be useful to enable logging in Windows Firewall.

The FSSO collector agent uses port 8000 to communicate with FortiGate. On the FortiGate side, it is possible to run a sniffer to capture traffic that has port 8000 as the destination:

diagnose sniffer packet any 'port 8000' 4

If packets leave FortiGate toward the LDAP or DC server and no reply comes back, the issue is likely on the server side.

If, after double-checking the configuration, there is still a communication issue and it is not possible to install software on the Windows Server, it is possible to enable Windows Firewall logging to confirm whether packets are being blocked.

To open Windows Firewall, select the Windows button, type firewall, and select Windows Defender Firewall with Advanced Security. It is also possible to press Windows key + R to open a Run window, type wf.msc and press Enter.

Once in the Firewall interface, follow these steps:


  1. In the left panel, select Windows Defender Firewall.
  2. In the right panel, under Actions, select Properties.
  3. In the Domain Profile tab, select Customize.
  4. Select the log location.
  5. Select Yes in the Log dropped packets option.
  6. Select OK.

[Figure: Firewall.jpg, the Domain Profile logging settings in Windows Defender Firewall]

It will then be possible to verify easily whether Windows Firewall is blocking any packet related to FSSO, without installing any additional software or tools.
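As an added example that is not part of the original article, the same procedure can be carried out from a built-in, elevated PowerShell session on the Windows Server: Enable-DroppedPacketLogging mirrors the six GUI steps for the Domain profile, and Get-FssoDrops reads the resulting pfirewall.log and returns only the DROP entries involving the FSSO port. The function names, the port parameter and the sample log at the end are assumptions constructed for this example; the log path is the Windows default and the log column names follow the #Fields header Windows writes, so the parser adapts if a newer build adds columns.

```powershell
# Added example, not part of the Fortinet article. Assumes an elevated PowerShell
# session on the Windows Server that runs the FSSO collector agent. Function names,
# the $FssoPort value and the sample log below are constructed for demonstration.

$FssoPort = 8000

# Equivalent of the GUI steps: log dropped packets for the Domain profile.
# Call this once with elevation; the log file grows in place afterwards.
function Enable-DroppedPacketLogging {
    param(
        [string]$LogFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
    )
    Set-NetFirewallProfile -Profile Domain -LogBlocked True -LogFileName $LogFile -LogMaxSizeKilobytes 4096
    # Echo the effective settings so the change can be confirmed.
    Get-NetFirewallProfile -Profile Domain | Select-Object Name, LogBlocked, LogFileName
}

# Parse pfirewall.log (space-separated columns named by the '#Fields:' header line)
# and return the DROP entries whose source or destination port is the FSSO port.
function Get-FssoDrops {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Port = 8000
    )
    $fields = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -like '#Fields:*') {
            # Header names the columns: date time action protocol src-ip dst-ip src-port dst-port ...
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }   # no header seen yet, columns cannot be mapped
        $values = $line -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        if ($entry['action'] -eq 'DROP' -and
            ($entry['dst-port'] -eq "$Port" -or $entry['src-port'] -eq "$Port")) {
            [pscustomobject]$entry
        }
    }
}

# Demonstration on a constructed log so the parsing can be checked offline.
# On a real server, point -Path at the log file chosen in Enable-DroppedPacketLogging.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:12:01 DROP TCP 192.0.2.10 192.0.2.20 51522 8000 52 S 3381291 0 64240 - - - RECEIVE
2024-01-15 09:12:04 DROP TCP 192.0.2.10 192.0.2.20 51522 8000 52 S 3381291 0 64240 - - - RECEIVE
2024-01-15 09:12:05 ALLOW TCP 192.0.2.20 192.0.2.30 49855 389 0 - 0 0 0 - - - SEND
2024-01-15 09:12:09 DROP UDP 192.0.2.40 192.0.2.20 137 137 78 - - - - - - - RECEIVE
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'pfirewall-sample.log'
Set-Content -Path $tmp -Value $sample

# Repeated SYN drops from one source toward port 8000 with path RECEIVE mean the
# FortiGate's connection attempts reach the server but are blocked by its firewall.
Get-FssoDrops -Path $tmp -Port $FssoPort |
    Group-Object 'src-ip', 'dst-port' |
    Select-Object Count, Name
```

With the constructed sample the summary shows a single group, 192.0.2.10 to port 8000 with a count of 2, while the LDAP ALLOW line and the unrelated NetBIOS drop are filtered out. A match on src-port 8000 with path SEND would instead point at replies from the collector agent being dropped on the way out.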