|
From the TS agent debug, verify the user is logged in with the assigned port no:
02-25-2025 14:44:13 [00001b6c] Message WTS_SESSION_LOGON, session ID:2
02-25-2025 14:44:18 [00001294] Request port for session:0, protocol:6
02-25-2025 14:44:24 [00001b6c] session ID:2, username: TestUser, domain: Fortinet
02-25-2025 14:44:30 [00001b6c] session ID:2 has added to session table
02-25-2025 14:44:35 [00001b6c] succeeded to allocate port range 1024-1223 for session 2
The above logs indicate that the user TestUser is logging in with the assigned port 1024-1223.
From FortiGate, check the record of the TS agent being updated:
diagnose firewall auth list | grep -i TestUser
IP: 10.0.0.106 User: TestUser Groups: CN=xxxx,OU=USERS,OU=xx,DC=Fortinet,DC=CORP,DC=xx,Session ID: 2 Port Range(1): 1024-1223
Then, a debug flow or sniffer can be used to make sure that the user's PC is using the correct source port.
Debug flow:
diagnose debug reset
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug flow show iprope enable
diagnose debug flow filter clear
diagnose debug flow filter addr x.x.x.x
diagnose debug flow show function-name enable
diagnose debug flow trace start 10000
The initial traffic from the user PC:
To stop the debug flow, use the below commands:
diagnose debug disable
diagnose debug reset
Sniffer:
diagnose sniffer packet any 'host x.x.x.x' 4 0 l
The initial traffic comes from the user's PC. To stop the sniffer, press 'Ctrl C' on the keyboard.
Also, from the Windows Client, running below output when simulating the traffic:
- Launch Windows Command line as an administrator.
- Run 'netstat -o'.
- For each PID(process ID), run 'tasklist /fi "PID eq <PID>" /v'
If the source port is correct and the traffic is still not falling to the correct policy, collect the above information and contact support with a ticket.
|
