Help
FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
khoffman
Staff
Staff

Created on ‎05-19-2024 10:16 PM Edited on ‎05-20-2024 11:49 AM By Moderator

Article Id 315719

Troubleshooting Tip: FortiNAC and FortiGate SSL-VPN log example

Description This article describes what messages to look for when reviewing logs for FortiGate VPN integration with FortiNAC 
Scope FortiNAC-F 7.2, 7.4 & FortiNAC 9.2, 9.4
Solution Debug enabled: FortinetVPN, RemoteAccess, SyslogServer, SSOManager & PersistentAgent

Order of Operations (Summary): Refer to this KB article Technical Tip: Troubleshooting FortiGate VPN integrations 

  1. User establishes connection to SSL-VPN. Syslog message is sent to FortiNAC from the Firewall. 

     

 

yams.SyslogServer FINER :: 2023-12-15 03:24:25:669 :: #566 :: SyslogServer received: 172.22.1.234 <190>date=2023-12-15,time=03:24:25,devname="LABlabLab",devid="FG4H0ETB1234567",eventtime=1702628665438306385,tz="-0500",logid="0101039947",type="event",subtype="vpn",level="information",vd="root",logdesc="SSL VPN tunnel up",action="tunnel-up",tunneltype="ssl-tunnel",tunnelid=2094876979,remip=89.128.41.7,tunnelip=10.1.250.2,user="ShaiHulude",group="FortiClient MFA",dst_host="N/A",reason="DTLS tunnel established",msg="SSL tunnel established" 

 

 

  1. FortiNAC parses the Syslog message and determines if the VPN IP address is 'Managed'.


yams.FortinetVPN FINER :: 2023-12-15 03:24:25:682 :: #795 :: Parsed SSL login message into event devId = FG4H0ETB1234567, logId = 0101039947, vdom = root, tunnelType = SSL, tunnelId = 2, localIP = 89.128.41.7, tunnelIP = 10.1.250.2, user = ShaiHulude

 

yams.FortinetVPN INFO :: 2023-12-15 03:24:25:682 :: #795 :: FortinetVPNPlugin.processLogon Remote user ShaiHulude just received an IP = 10.1.250.2

yams.FortinetVPN FINER :: 2023-12-15 03:24:25:694 :: #795 :: FortinetVPNPlugin.isValidIP found 10.1.250.2 for device 6464 , raDevice = 6419

yams.FortinetVPN FINER :: 2023-12-15 03:24:25:694 :: #795 :: FortinetVPNPlugin.isValidIP checking parent of 6464

yams.FortinetVPN FINER :: 2023-12-15 03:24:25:694 :: #795 :: AbstractRasPlugin.updateConnectionPerformance IPASSIGN found no entry for user ShaiHulude

yams.FortinetVPN FINER :: 2023-12-15 03:24:25:694 :: #795 :: AbstractRasPlugin.updateConnectionPerformance IPASSIGN updating entry for key ShaiHulude to ShaiHulude10.1.250.2

 

 

  1. A ProbeObject is created to track the active VPN session:

 

yams.FortinetVPN FINER :: 2023-12-15 03:24:25:695 :: #795 :: FortinetVPNPlugin built ProbeObject 

 

Probe 

  IP Address = 10.1.250.2  

  MAC Address = null  

  Device Id = 6419 

  Interface Id = 6482 

  User Name = ShaiHulude   

  Session Id = 1672942581 

  Time Captured = Fri Dec 15 03:24:25 EST 2023 

  InetAddress = null 

 

  1. Agent communicates and provides IP to MAC address resolution for the VPN client.

 

yams.RemoteAccess FINER :: 2023-12-15 03:24:33:705 :: #3525 :: RemoteAccessServer.updateRemoteUser() IP = 10.1.250.2 with MAC 1C:C1:0C:C2:1B:8B 

yams.RemoteAccess FINER :: 2023-12-15 03:24:33:705 :: #3525 :: RemoteAccessServer.updateRemoteEntry for 10.1.250.2 and 1C:C1:0C:C2:1B:8B 

yams.RemoteAccess FINER :: 2023-12-15 03:24:33:705 :: #3525 :: RemoteAccessServer.updateRemoteUserInt for device 6419 and client 10.1.250.2 

yams.RemoteAccess FINER :: 2023-12-15 03:24:33:705 :: #3525 :: RemoteAccessServer.updateRemoteUserInt setting mac 1C:C1:0C:C2:1B:8B for 10.1.250.2 

yams.RemoteAccess FINER :: 2023-12-15 03:24:33:705 :: #3525 :: RemoteAccessServer.updateRemoteUserInt with user ShaiHulude, and mac 1C:C1:0C:C2:1B:8B 

yams.RemoteAccess FINER :: 2023-12-15 03:24:33:705 :: #3525 :: RemoteAccessServer.connectUserToVPNDevice(): setting vpnClient for 10.1.250.2 

yams.RemoteAccess FINER :: 2023-12-15 03:24:33:705 :: #3525 :: RemoteAccessServer found local client 32508 for mac 1C:C1:0C:C2:1B:8B 

yams.RemoteAccess FINER :: 2023-12-15 03:24:33:705 :: #3525 :: RemoteAccessServer.connectUserToVPNDevice calling getRemoteUser for 10.1.250.2 

yams.RemoteAccess INFO :: 2023-12-15 03:24:33:705 :: #3525 :: RemoteAccessServer.getRemoteUser() IP = 10.1.250.2 

yams.RemoteAccess INFO :: 2023-12-15 03:24:33:705 :: #3525 :: Probe 

  IP Address = 10.1.250.2 

  MAC Address = 1C:C1:0C:C2:1B:8B  

  Device Id = 6419 

  Interface Id = 6482 

  User Name = ShaiHulude 

  Session Id = 1672942581 

  Time Captured = Fri Dec 15 03:24:25 EST 2023 

  InetAddress = null 

 

 

  1. FortiNAC sends FSSO logon to the Firewall to unrestrict the VPN client.


yams.RemoteAccess FINER :: 2023-12-15 03:24:33:705 :: #3525 :: RemoteAccessServer.connectUserToVPNDevice(): calling BridgeInterface.switchVlan() for 

 

         element = LABLAN-LabLabh.lab 

         port = LABLAN-LabLabh.lab:VPN root_SSL_VPN 

         Client MAC = 1C:C1:0C:C2:1B:8B 

         Client IP = 10.1.250.2 

 

yams.FortinetVPN INFO :: 2023-12-15 03:24:34:738 :: #345 :: Removing restrictions on client, IP = 10.1.250.2 connecting via deviceId = 6419 

yams.FortinetVPN FINER :: 2023-12-15 03:24:34:738 :: #345 :: FortinetVPNPlugin.removeRestriction for client 1C:C1:0C:C2:1B:8B 10.1.250.2 

yams.FortinetVPN FINER :: 2023-12-15 03:24:34:738 :: #345 :: FortinetVPNPlugin.checkPolicy for client 1C:C1:0C:C2:1B:8B 10.1.250.2 

 

yams.SSOManager FINER :: 2023-12-15 03:24:34:742 :: #345 :: 1C:C1:0C:C2:1B:8B 10.1.250.2 new UserIDMessage ShaiHulude 

yams.SSOManager FINER :: 2023-12-15 03:24:34:742 :: #345 :: setGroupTags() mac = 1C:C1:0C:C2:1B:8B 

yams.SSOManager FINER :: 2023-12-15 03:24:34:745 :: #345 :: SSOManager.setGroupTags using elementId 6464 

yams.SSOManager FINER :: 2023-12-15 03:24:34:745 :: #345 :: SSOManager.setGroupTags found 1 config models 

yams.SSOManager FINER :: 2023-12-15 03:24:34:745 :: #345 :: SSOManager.setGroupTags looking up AccessConfig for target device 6464 

yams.SSOManager FINER :: 2023-12-15 03:24:34:746 :: #345 :: SSOManager.setGroupTags found AccessConfiguration 

AccessConfiguration 

DBID:[10] 

Version:[9] 

Name:[ ] 

Note:[null] 

Task ID:[null] 

Logical Network:[VPN-Network] 

Access Value:[] 

Access Action:[2] 

Alias:[false] 

Send Groups To Firewall:[true] 

RadiusAttributeGroupId:[null] 

Tags: [VPN_Auth] 

Firewall Groups: [] 

 

yams.SSOManager FINER :: 2023-12-15 03:24:34:746 :: #345 :: Host matched access configuration VPN-Network 

yams.SSOManager FINER :: 2023-12-15 03:24:34:754 :: #345 :: getGroups() found a total of 2 member groups 

yams.SSOManager FINER :: 2023-12-15 03:24:34:754 :: #345 :: SSOManager.setGroupTags found tags [Registered Hosts, VPN Access, VPN_Auth] 

yams.SSOManager FINER :: 2023-12-15 03:24:34:754 :: #345 :: putMessage() added message for host SHAIHULUDE-LAP B4:45:06:17:AA:49,1C:C1:0C:C2:1B:8B 25946 to messageQueue on agent 172.22.1.234 

UserIDMessage[logon, mac=1C:C1:0C:C2:1B:8B, ip=10.1.250.2, user=ShaiHulude, tags=[Registered Hosts, VPN Access, VPN_Auth]] 

yams.SSOManager FINER :: 2023-12-15 03:24:34:754 :: #808 :: UserAgentSendThread run() agent: 172.22.1.234 message: 

UserIDMessage[logon, mac=1C:C1:0C:C2:1B:8B, ip=10.1.250.2, user=ShaiHulude, tags=[Registered Hosts, VPN Access, VPN_Auth]] 

yams.SSOManager FINER :: 2023-12-15 03:24:34:754 :: #345 :: SSOManager.addMessageToQueue put message UserIDMessage[logon, mac=1C:C1:0C:C2:1B:8B, ip=10.1.250.2, user=ShaiHulude, tags=[Registered Hosts, VPN Access, VPN_Auth]] for key 1C:C1:0C:C2:1B:8B 

yams.SSOManager FINER :: 2023-12-15 03:24:34:754 :: #345 :: testAdapterImpl() added message to queue, size = 9 for agent 172.22.1.234 

UserIDMessage[logon, mac=1C:C1:0C:C2:1B:8B, ip=10.1.250.2, user=ShaiHulude, tags=[Registered Hosts, VPN Access, VPN_Auth]] 

yams.SSOManager FINER :: 2023-12-15 03:24:34:754 :: #345 :: SSOManager.testAdapterImpl done 

yams.SSOManager INFO :: 2023-12-15 03:24:34:755 :: #808 :: SSOManager.sendMessage sending message to 172.22.1.234 for client 1C:C1:0C:C2:1B:8B, MSG=UserIDMessage[logon, mac=1C:C1:0C:C2:1B:8B, ip=10.1.250.2, user=ShaiHulude, tags=[Registered Hosts, VPN Access, VPN_Auth]] 

 

 

  1. Host disconnect from SSL VPN.

  1. FortiGate sends syslog to FortiNAC indicating tunnel has been disconnected. 

 

yams.SyslogServer FINER :: 2023-12-15 05:44:59:589 :: #566 :: SyslogServer received: 172.22.1.234 <190>date=2023-12-15,time=05:44:59,devname=devname="LABlabLab",devid="FG4H0ETB201234567",eventtime=1702626299533138797,tz="-0500",logid="0101039948",type="event",subtype="vpn",level="information",vd="root",logdesc="SSL VPN tunnel down",action="tunnel-down",tunneltype="ssl-tunnel",tunnelid=2094876976,remip=89.128.41.7,tunnelip=10.1.250.2,user="ShaiHulude",group="FortiClient MFA",dst_host="N/A",reason="User requested termination of service",duration=1415,sentbyte=5090436,rcvdbyte=1959359,msg="SSL tunnel shutdown" 

 

 

  1. FortiNAC sends an FSSO logoff to FortiGate.

yams.SSOManager INFO :: 2023-12-15 05:44:59:635 :: #808 :: SSOManager.sendMessage sending message to 172.22.1.234 for client 1C:C1:0C:C2:1B:8B, MSG=UserIDMessage[logoff, mac=1C:C1:0C:C2:1B:8B, ip=10.1.250.2, user=ShaiHulude, tags=[Registered Hosts, VPN Access, VPN_Auth]] 

 

Related articles: 
Technical Tip: Configuring and troubleshooting Firewall TAGs between FortiGate and FortiNAC-F or leg...
Troubleshooting Tip: Viewing managed VPN addresses from the CLI
427
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.