Troubleshooting Tip: How to run debug when importing FSSO user group via FortiGate

tnesh · ‎05-21-2024

Description

This article describes how to run the debug CLI command when importing the FSSO user group via FortiGate.

Scope

FortiManager.

Solution

Notes:

Ensure the FSSO agent is running and configured correctly.
Refer here to learn how to configure the FSSO connector in FortiManager.

Steps:

Run the following CLI command in the FortiManager-SSH session:

FMG # diag debug app depmanager 255
FMG # diag debug app securityconsole 255
FMG # diag debug enable

At FortiManager-GUI, proceed to import the user group:
FortiManager -> Fabric View -> External Connectors -> Select FSSO & edit -> Apply & Refresh -> Proceed to Import.
Note: Technical Tip: Default GUI Theme for FortiManager/FortiAnalyzer changed to Jade

At FortiManager-SSH, review/capture the debug output.

Sample debug output:

.

.
<truncated>
.

.

result we finally get:

[config user adgrp
edit "CN=admin,OU=labtest,DC=fortilab,DC=com"
set server-name "Local FSSO Agent"
next
edit "CN=fsmadmin,OU=labtest,DC=fortilab,DC=com"
set server-name "Local FSSO Agent"
next
.
<truncated>
.
Response [unknown]:
{ "id": 492, "result": [{ "status": { "code": 0, "message": "OK"}, "url": "adgrp\/parse"}]}
__on_clt_event,1247: event=1, r=0.
==GET ADGRP==>sync adomdb success
==GET ADGRP==>Get adgrp finished success.
destroy_service.59:mark sconn 0x55b2f66ffb50 done.
Destroy sconn 0x55b2f66ffb50, connSize=0.