auppal (Staff)
Article Id 391307
Description

This article explains an issue where changes to a user’s group membership in Active Directory are not properly reflected for all users affected by the change.

Scope

FortiProxy.


Solution

If a user’s group membership is changed from one group to another, the FortiProxy should update its user group cache once the group cache timeout expires (the default is 5 minutes).

However, consider the following example. The group membership of user1 and user2 was changed: both users were removed from their original group 'FortiProxyUsers-Production' and added to the group 'FortiProxyUsers-AllUsers'.

As shown below, the user1 group cache is updated, and it shows the new group membership. However, the user2 group cache has not been refreshed, causing the user to still show under 'FortiProxyUsers-Production'.

diagnose debug enable
diagnose test application wad 2500
diagnose test application wad 159

uname=user1@corp.example.com,pwd=no,vd=root ldap=corp.example.com,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Thu Apr 10 14:15:01 2025
user id=1086, refresh_time=Thu Apr 10 14:09:39 2025
user dn=CN=user1,OU=IT,OU=Corp Users,DC=CORP,DC=EXAMPLE,DC=COM
sid:S-0-0 name=CN=FortiProxyUsers-AllUsers,OU=Security Groups,DC=CORP,DC=EXAMPLE,DC=COM

uname=user2@corp.example.com,pwd=no,vd=root ldap=corp.example.com,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Thu Apr 10 13:44:39 2025
user id=1265, refresh_time=Thu Apr 10 13:44:39 2025
user dn=CN=user2,OU=HR,OU=Corp Users,DC=CORP,DC=EXAMPLE,DC=COM
sid:S-0-0 name=CN= FortiProxyUsers-Production,OU=Security Groups,DC=CORP,DC=EXAMPLE,DC=COM

Note: Allow up to 30 minutes for Active Directory to propagate changes across all domain controllers. It is therefore recommended to wait for AD replication to complete before checking the updated group cache information on the FortiProxy.


If the issue persists, collect the following diagnostic information and open a case with TAC to determine whether it matches known issue ID 1130867 on FortiProxy.

Step 1: Enable diagnostic mode and modify the cache timeout settings to 5 minutes.

diagnose debug enable
diagnose test application wad 2500
diagnose test application wad 1900005 <- Changes user cache timeout from 1440 to 5 minutes.
diagnose test application wad 1910005 <- Changes group cache timeout from 1440 to 5 minutes.


Step 2: Verify the timeout settings were properly applied.

diagnose test application wad 170 <- For v7.2.x units.

Or:

diagnose test application wad 181 <- For v7.4.x units.

Step 3: Enable WAD debug logging to capture the authentication process.

Note: It is recommended to run these debugs in an SSH session using PuTTY and log the session to a text file.

diagnose wad debug enable category auth
diagnose wad debug enable category http
diagnose wad debug enable level verbose
diagnose debug console timestamp enable
diagnose debug enable

Step 5: Log in to the test user machine to create an authentication session.

Step 6: Check and capture the user group cache information for the test user.

diagnose debug enable
diagnose test application wad 2500
diagnose test application wad 159

Step 7: Change the group membership of the test user and de-authenticate the user.
Step 8: Log in to the test user machine to create an authentication session.
Step 9: Wait for at least 5-6 minutes and then check the user group cache information.

diagnose debug enable
diagnose test application wad 2500
diagnose test application wad 159

To stop debugging:

diagnose debug disable
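The comparison that the Solution section makes by eye (user1 refreshed, user2 still cached in the old group) and the before/after captures from Step 6 and Step 9 can be done mechanically on the logged PuTTY session. The script below is an added example, not Fortinet code or part of this article: it parses the 'diagnose test application wad 159' output in the format shown above and classifies each user as refreshed or stale. The "before" capture is constructed for the example; the "after" capture is the output printed earlier in this article. The function names, the regular expressions and the timestamp format assumption are my own.

```python
"""Compare two FortiProxy user-cache dumps (diagnose test application wad 159)
taken before and after an AD group-membership change, and report users whose
cached group list was not refreshed.  Example code, not Fortinet's."""
import re
from datetime import datetime

# Timestamp layout as it appears in the dump, e.g. "Thu Apr 10 14:15:01 2025" (assumed).
TIME_FMT = "%a %b %d %H:%M:%S %Y"
UNAME_RE = re.compile(r"^uname=([^,]+),.*last_access=(.+)$")
REFRESH_RE = re.compile(r"^user id=(\d+), refresh_time=(.+)$")
DN_RE = re.compile(r"^user dn=(.+)$")
GROUP_RE = re.compile(r"^sid:\S+ name=CN=\s*([^,]+)")  # tolerates 'CN= Name'

# Constructed "before" capture: both users still cached in the Production group.
BEFORE_DUMP = """
uname=user1@corp.example.com,pwd=no,vd=root ldap=corp.example.com,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Thu Apr 10 13:40:12 2025
user id=1086, refresh_time=Thu Apr 10 13:40:12 2025
user dn=CN=user1,OU=IT,OU=Corp Users,DC=CORP,DC=EXAMPLE,DC=COM
sid:S-0-0 name=CN=FortiProxyUsers-Production,OU=Security Groups,DC=CORP,DC=EXAMPLE,DC=COM
uname=user2@corp.example.com,pwd=no,vd=root ldap=corp.example.com,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Thu Apr 10 13:44:39 2025
user id=1265, refresh_time=Thu Apr 10 13:44:39 2025
user dn=CN=user2,OU=HR,OU=Corp Users,DC=CORP,DC=EXAMPLE,DC=COM
sid:S-0-0 name=CN=FortiProxyUsers-Production,OU=Security Groups,DC=CORP,DC=EXAMPLE,DC=COM
"""

# "After" capture: the output shown in the article (user2 has not been refreshed).
AFTER_DUMP = """
uname=user1@corp.example.com,pwd=no,vd=root ldap=corp.example.com,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Thu Apr 10 14:15:01 2025
user id=1086, refresh_time=Thu Apr 10 14:09:39 2025
user dn=CN=user1,OU=IT,OU=Corp Users,DC=CORP,DC=EXAMPLE,DC=COM
sid:S-0-0 name=CN=FortiProxyUsers-AllUsers,OU=Security Groups,DC=CORP,DC=EXAMPLE,DC=COM
uname=user2@corp.example.com,pwd=no,vd=root ldap=corp.example.com,ref_cnt=1,upd=0,wait=0 sid-auth=0,status=2 last_access=Thu Apr 10 13:44:39 2025
user id=1265, refresh_time=Thu Apr 10 13:44:39 2025
user dn=CN=user2,OU=HR,OU=Corp Users,DC=CORP,DC=EXAMPLE,DC=COM
sid:S-0-0 name=CN= FortiProxyUsers-Production,OU=Security Groups,DC=CORP,DC=EXAMPLE,DC=COM
"""


def parse_cache_dump(text):
    """Return {uname: entry}; each entry holds timestamps, DN and cached group CNs."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = UNAME_RE.match(line)
        if m:  # a new user block starts here
            current = {"last_access": datetime.strptime(m.group(2).strip(), TIME_FMT),
                       "user_id": None, "refresh_time": None, "dn": None, "groups": []}
            entries[m.group(1)] = current
            continue
        if current is None:
            continue  # debug noise before the first uname line
        m = REFRESH_RE.match(line)
        if m:
            current["user_id"] = int(m.group(1))
            current["refresh_time"] = datetime.strptime(m.group(2).strip(), TIME_FMT)
            continue
        m = DN_RE.match(line)
        if m:
            current["dn"] = m.group(1)
            continue
        m = GROUP_RE.match(line)
        if m:
            current["groups"].append(m.group(1).strip())
    return entries


def compare_captures(before, after, expected_group):
    """Classify every user in 'after' relative to 'before'.

    refreshed            - refresh_time advanced and the expected group is cached
    stale                - refresh_time and group list unchanged since 'before'
    refreshed-wrong-group - cache was refreshed but the expected group is missing
    """
    report = {}
    for uname, new in after.items():
        old = before.get(uname)
        in_group = expected_group in new["groups"]
        advanced = old is None or (new["refresh_time"] is not None and
                                   old["refresh_time"] is not None and
                                   new["refresh_time"] > old["refresh_time"])
        if in_group and advanced:
            report[uname] = "refreshed"
        elif old is not None and not advanced and new["groups"] == old["groups"]:
            report[uname] = "stale"
        elif advanced and not in_group:
            report[uname] = "refreshed-wrong-group"
        else:
            report[uname] = "inconclusive"
    return report


if __name__ == "__main__":
    before = parse_cache_dump(BEFORE_DUMP)
    after = parse_cache_dump(AFTER_DUMP)
    for user, status in compare_captures(before, after, "FortiProxyUsers-AllUsers").items():
        print(f"{user}: {status}  groups={after[user]['groups']}")
```

In practice, paste the two captures from the logged session into the two strings (or read them from the log file) and pass the group the users were moved into as expected_group; any user reported as stale after the group cache timeout has elapsed is the evidence to attach when opening the TAC case.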