Fortinet Forum
roootccc
New Contributor

FSSO issue

We often encounter users not being captured by FSSO, thus their traffic was denied.

We would like to confirm if the user was a dead entry at that time, but I can't seem to find anywhere that I can monitor dead-entry hosts/users. Is there any way I can confirm if a user/host is being locked as a dead entry?

neonbit
Valued Contributor

How are you doing FSSO? Are you polling the DC from the FortiGates or are you using a collector agent? If you're using the collector agent you'll be able to see which users are logged in and which have dead entries.

Fishbone_FTNT

Hi, a dead entry is simply gone - it's dead :)

A workstation can be either in the "OK" or the "Not Verified" state. "OK" means the CA can reach the workstation using at least one of its IP addresses and positively check the user's presence there (using WMI or RRA).

If the CA actually can't reach the workstation, it will set its state to "Not Verified", typically because of some firewall restrictions (Sharing and WMI-in must be allowed in). Such a workstation is automatically removed after "Dead entry timeout interval" seconds. Then it's gone and the user on the workstation must trigger a logon event again (usually by logging out and in again).

Note that any logon event associated with a "Not Verified" workstation will refresh it, setting the state back to "OK". But just for a while, because the next workstation check will fail again.


hth,

-Fishbone

smithproxy hacker - www.smithproxy.org
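The workstation-check behaviour described in the post above, as an added toy model of the collector agent's states (this is not Fortinet's agent code; the class and method names, the 480-second timeout and the host names are my assumptions, and the timeline is constructed):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OK, NOT_VERIFIED = "OK", "Not Verified"

@dataclass
class Workstation:
    user: str
    state: str = OK
    not_verified_since: Optional[int] = None  # time of the first failed check

@dataclass
class CollectorAgentModel:
    """Toy model (my assumption, not the real agent code) of the workstation check."""
    dead_entry_timeout: int  # "Dead entry timeout interval", seconds
    hosts: Dict[str, Workstation] = field(default_factory=dict)

    def logon(self, host: str, user: str) -> None:
        # A logon event (re)creates the entry and resets it to OK, even if Not Verified.
        self.hosts[host] = Workstation(user)

    def check(self, host: str, reachable: bool, now: int) -> Optional[str]:
        # Periodic WMI/RRA check: reachable -> OK, unreachable -> Not Verified.
        ws = self.hosts.get(host)
        if ws is None:
            return None
        if reachable:
            ws.state, ws.not_verified_since = OK, None
        elif ws.state == OK:
            ws.state, ws.not_verified_since = NOT_VERIFIED, now
        return ws.state

    def expire(self, now: int) -> List[str]:
        # Entries Not Verified for the whole timeout become dead entries and vanish.
        dead = [h for h, ws in self.hosts.items() if ws.state == NOT_VERIFIED
                and now - ws.not_verified_since >= self.dead_entry_timeout]
        self.hosts = {h: ws for h, ws in self.hosts.items() if h not in dead}
        return dead

def scenario() -> Tuple[Optional[str], Optional[str], List[str]]:
    """Constructed timeline: PC-A blocks WMI at its firewall, PC-B is reachable."""
    ca = CollectorAgentModel(dead_entry_timeout=480)
    ca.logon("PC-A", "alice"); ca.logon("PC-B", "bob")
    ca.check("PC-A", reachable=False, now=60)   # WMI blocked -> Not Verified
    ca.check("PC-B", reachable=True, now=60)
    ca.logon("PC-A", "alice")                   # refreshed to OK ...
    ca.check("PC-A", reachable=False, now=180)  # ... until the next check fails again
    dead = ca.expire(now=700)                   # 700 - 180 >= 480 -> dead entry, removed
    state = lambda h: ca.hosts[h].state if h in ca.hosts else None
    return state("PC-A"), state("PC-B"), dead
```

Running `scenario()` shows alice's entry disappearing despite her re-logon, which is exactly the moment a FortiGate policy that relies on FSSO would start denying her traffic.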

roootccc

Fishbone wrote:

Hi, a dead entry is simply gone - it's dead :)

A workstation can be either in the "OK" or the "Not Verified" state. "OK" means the CA can reach the workstation using at least one of its IP addresses and positively check the user's presence there (using WMI or RRA).

If the CA actually can't reach the workstation, it will set its state to "Not Verified", typically because of some firewall restrictions (Sharing and WMI-in must be allowed in). Such a workstation is automatically removed after "Dead entry timeout interval" seconds. Then it's gone and the user on the workstation must trigger a logon event again (usually by logging out and in again).

Note that any logon event associated with a "Not Verified" workstation will refresh it, setting the state back to "OK". But just for a while, because the next workstation check will fail again.


hth,

-Fishbone

We are using this mode. Is this the CA?

roootccc

neonbit wrote:

How are you doing FSSO? Are you polling the DC from the FortiGates or are you using a collector agent? If you're using the collector agent you'll be able to see which users are logged in and which have dead entries.

We are using DC Agent Mode. Where can we see if a user has been put into the dead entries or history?

seshuganesh
Staff

Hi Team


This was posted a long time ago, but it could help someone who is facing the issue now.

This type of issue is mostly related to the DNS server configured on the AD server. Let's say the DNS records on the AD server are not updated properly with the correct IP; if they point to a wrong IP, the wrong IP will be mapped to the user name in the logged-on user list of FSSO.

It's better to focus on the DNS records on the AD server for these types of issues.

You can check and keep us posted.