Description | This article describes how to troubleshoot the TS agent when matching the wrong policy and not hitting the TS agent policy. |
Scope | FortiGate, TS agent. |
Solution |
From the TS agent debug, verify that the user is logged in with the assigned port number:
02-25-2025 14:44:13 [00001b6c] Message WTS_SESSION_LOGON, session ID:2
The above log indicates that the user TestUser is logging in with the assigned port range 1024-1223.
From FortiGate, check that the TS agent record has been updated:
diagnose firewall auth list | grep -i TestUser
IP: 10.0.0.106 User: TestUser Groups: CN=xxxx,OU=USERS,OU=xx,DC=Fortinet,DC=CORP,DC=xx,Session ID: 2 Port Range(1): 1024-1223
Then, a debug flow or a sniffer can be used to confirm that the user's PC is sending traffic from a source port inside that range.
Debug flow:
diagnose debug reset
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug flow show iprope enable
diagnose debug flow filter clear
diagnose debug flow filter addr x.x.x.x
diagnose debug flow show function-name enable
diagnose debug flow trace start 10000
The initial traffic from the user PC:
To stop the debug flow, use the commands below:
diagnose debug disable
diagnose debug reset
Sniffer:
diagnose sniffer packet any 'host x.x.x.x' 4 0 l
The initial traffic comes from the user's PC. To stop the sniffer, press Ctrl+C.
Also, from the Windows client, the output below was taken while simulating the traffic:
If the source port is correct and the traffic still does not match the correct policy, collect the above information and open a ticket with support. |
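As an added example (not from the article or from Fortinet), the check below parses an auth-list record shaped like the one above and sniffer lines shaped like the verbose-4 output, and reports for each captured flow whether its source port falls inside a port range the TS agent assigned to that user; both samples are constructed, and a user holding more than one range (Port Range(1), Port Range(2)) is handled.

```python
import re
from collections import defaultdict

# Constructed samples (not captured from a real device): an auth-list record shaped
# like the article's, and sniffer lines shaped like `diagnose sniffer packet ... 4 0 l`.
AUTH_LIST_SAMPLE = """\
IP: 10.0.0.106 User: TestUser Groups: CN=xxxx,OU=USERS,OU=xx,DC=Fortinet,DC=CORP,DC=xx
    Session ID: 2
    Port Range(1): 1024-1223
    Port Range(2): 1424-1623
"""
SNIFFER_SAMPLE = """\
2025-02-25 14:45:01.101 port1 in 10.0.0.106.1030 -> 192.0.2.10.443: syn 1
2025-02-25 14:45:02.202 port1 in 10.0.0.106.1300 -> 192.0.2.10.443: syn 2
2025-02-25 14:45:03.303 port1 in 10.0.0.106.1500 -> 192.0.2.10.443: syn 3
"""

RECORD_RE = re.compile(r"IP:\s*(\d+\.\d+\.\d+\.\d+)\s+User:\s*(\S+)")
RANGE_RE = re.compile(r"Port Range\(\d+\):\s*(\d+)-(\d+)")
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_auth_list(text):
    """Map (ip, user) -> list of (low, high) source-port ranges assigned by the TS agent."""
    ranges = defaultdict(list)
    current = None
    for line in text.splitlines():
        rec = RECORD_RE.search(line)
        if rec:
            current = (rec.group(1), rec.group(2))
        if current:  # ranges may follow on later lines or sit on the record line itself
            for lo, hi in RANGE_RE.findall(line):
                ranges[current].append((int(lo), int(hi)))
    return dict(ranges)


def user_for_flow(ranges, src_ip, src_port):
    """Return the TS agent user whose assigned range covers src_port, else None."""
    for (ip, user), rs in ranges.items():
        if ip == src_ip and any(lo <= src_port <= hi for lo, hi in rs):
            return user
    return None


def check_sniffer(auth_text, sniffer_text):
    """Per captured flow: (src_ip, src_port, user or None). None means the source port is
    outside every TS agent range, so that packet cannot match the user-based policy."""
    ranges = parse_auth_list(auth_text)
    return [(m.group(1), int(m.group(2)), user_for_flow(ranges, m.group(1), int(m.group(2))))
            for m in FLOW_RE.finditer(sniffer_text)]
```

A flow reported with user None is the case the article describes: the PC is sending from a port outside the assigned range, so the FortiGate falls through to a different policy.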
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.