FortiGate
hlngan
Staff
Article Id 389463
Description: This article describes how to troubleshoot TS agent user traffic that matches the wrong policy and does not hit the TS agent policy.
Scope: FortiGate, TS agent.
Solution

From the TS agent debug, verify that the user is logged in and has been assigned a port range:

 

02-25-2025 14:44:13 [00001b6c] Message WTS_SESSION_LOGON, session ID:2
02-25-2025 14:44:18 [00001294] Request port for session:0, protocol:6
02-25-2025 14:44:24 [00001b6c] session ID:2, username: TestUser, domain: Fortinet
02-25-2025 14:44:30 [00001b6c] session ID:2 has added to session table
02-25-2025 14:44:35 [00001b6c] succeeded to allocate port range 1024-1223 for session 2

 

The above logs indicate that the user TestUser has logged in and been assigned the port range 1024-1223.

 

On the FortiGate, check that the TS agent record has been updated:

 

diagnose firewall auth list | grep -i TestUser

IP: 10.0.0.106 User: TestUser Groups: CN=xxxx,OU=USERS,OU=xx,DC=Fortinet,DC=CORP,DC=xx,Session ID: 2 Port Range(1): 1024-1223

 

Then, a debug flow or sniffer can be used to make sure that the user's PC is using the correct source port.

 

Debug flow:

 

diagnose debug reset

diagnose debug enable

diagnose debug console timestamp enable

diagnose debug flow show iprope enable

diagnose debug flow filter clear

diagnose debug flow filter addr x.x.x.x

diagnose debug flow show function-name enable

diagnose debug flow trace start 10000

 

The initial traffic from the user PC:

 

To stop the debug flow, use the commands below:

 

diagnose debug disable

diagnose debug reset

 

Sniffer:

 

diagnose sniffer packet any 'host x.x.x.x' 4 0 l

 

The initial traffic comes from the user's PC. To stop the sniffer, press Ctrl+C on the keyboard.

 

Also, on the Windows client, collect the following output while simulating the traffic:

  1. Launch the Windows command line as an administrator.
  2. Run 'netstat -o'.
  3. For each PID (process ID), run 'tasklist /fi "PID eq <PID>" /v'.

 

If the source port is correct and the traffic is still not matching the correct policy, collect the above information and open a ticket with support.
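
The cross-check described in this article can be scripted. The following is an added example, not part of the original article and not a Fortinet tool: it parses the TS agent debug and the 'diagnose firewall auth list' output in the formats shown above, then reports which user owns a source port seen in the debug flow or sniffer. The function names are hypothetical, the sample input is constructed from the article's own lines, and the handling of more than one port range per line is an assumption.

```python
import re

# Constructed sample input, reusing the two output formats shown in this article.
TS_AGENT_LOG = """\
02-25-2025 14:44:24 [00001b6c] session ID:2, username: TestUser, domain: Fortinet
02-25-2025 14:44:35 [00001b6c] succeeded to allocate port range 1024-1223 for session 2
"""
AUTH_LIST = ("IP: 10.0.0.106 User: TestUser Groups: CN=xxxx,OU=USERS,OU=xx,"
             "DC=Fortinet,DC=CORP,DC=xx,Session ID: 2 Port Range(1): 1024-1223\n")

def parse_agent_log(text):
    """Map session ID -> {'user', 'ranges'} from the TS agent debug lines."""
    sessions = {}
    for line in text.splitlines():
        m = re.search(r"session ID:(\d+), username: (\S+),", line)
        if m:
            sessions.setdefault(m.group(1), {"user": None, "ranges": set()})["user"] = m.group(2)
        m = re.search(r"allocate port range (\d+)-(\d+) for session (\d+)", line)
        if m:
            entry = sessions.setdefault(m.group(3), {"user": None, "ranges": set()})
            entry["ranges"].add((int(m.group(1)), int(m.group(2))))
    return sessions

def parse_auth_list(text):
    """Parse 'diagnose firewall auth list' lines that carry a TS agent port range."""
    entries = []
    for line in text.splitlines():
        m = re.search(r"IP: (\S+) User: (\S+) .*Session ID: (\d+) Port Range\(\d+\):(.*)", line)
        if m:
            # Assumption: additional ranges, if any, follow on the same line as low-high pairs.
            ranges = {(int(a), int(b)) for a, b in re.findall(r"(\d+)-(\d+)", m.group(4))}
            entries.append({"ip": m.group(1), "user": m.group(2),
                            "session": m.group(3), "ranges": ranges})
    return entries

def classify(src_ip, src_port, agent_log, auth_list):
    """Return (user, verdict) for a source IP and port taken from the debug flow or sniffer."""
    agent = parse_agent_log(agent_log)
    for e in parse_auth_list(auth_list):
        if e["ip"] == src_ip and any(lo <= src_port <= hi for lo, hi in e["ranges"]):
            known = agent.get(e["session"])
            if known is None or known["user"] != e["user"] or not e["ranges"] <= known["ranges"]:
                return e["user"], "FortiGate record differs from TS agent debug"
            return e["user"], "source port inside the user's range"
    return None, "source port outside every range FortiGate holds for this IP"

if __name__ == "__main__":
    for port in (1100, 50432):
        print(port, classify("10.0.0.106", port, TS_AGENT_LOG, AUTH_LIST))
```

A result of None for the user means the client sent the traffic from a port that the FortiGate has not recorded for that terminal server IP, which is the case the Windows 'netstat -o' and 'tasklist' output helps to explain.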