I logged a call with Fortigate and had an engineer remote in and see that after 8 hours the FSSO logons disappear; they just drop off. So he saw it for himself and then escalated it to another engineer, who came back with a solution.

To change the authentication time for FSSO, please change the logon-history to a longer time. Below are the commands to change:

    config user fsso-polling
        edit <ID>
            set logon-history <int>   (0-48, default is 8)
        next
    end

I asked for some more detail of what I was changing and they replied:

    config user fsso-polling
        edit 1
            set logon-history <int>   (0-48, default is 8)
        next
    end

"For logon-history, it refers to the timeout period that you need. By default, it is 8 hours."

So I did this and it all works.
Give it a go.
I don't know if it's a bug or if that's just the way it is. But I agree, I had the LDAP way set up and it was working pretty well, but the timeout thing is a deal breaker for us. The other "bug" we have with 5.2.2 is that if you use web SSL VPN and connect to a terminal server, it disconnects you right away from the session. They confirmed it was a bug after sending them logs.
Anyway, you had the DC agents working?? Do tell :) lol..
Talked to a Senior Engineer today and described the problem. He said "Yep, agentless/polling mode is only good for 8 hours"; he said he might be able to get it to 10, but that's it. The solution was to use the FSSO Agent with DC agents on the DCs. So far so good; I still have to enable the Remote Registry service and open the ports, but it seems to be showing users authenticating properly.
Hi guys,
This topic is very interesting. I would like to raise a few points.
Let's not forget the appliance is a security appliance. Being a security appliance, it's there to enforce security/company security policies.
Depending on what type of industry the client is in, it's not a good thing for the firewall to remember logons "forever", so to speak; it's a breach of security. Is the user logged on forever? "logon-history: hours to keep as an active logon. 0 means keeping forever".
Some clients do not want to install the DC agents on their DCs and do not want to open ports on their workstations.
I've found that letting the FortiGate poll the DC, and explaining to the client that it's not wise to have "forever sessions" and that forcing users to re-authenticate is a security measure, is not such a bad thing.
The first step would be to establish a company security policy and then work from there.
Any opinions?
Carlitos loves firewalls
NSE4 (5.4,6.0)
NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)
NSE7 (Enterprise Firewall 6.0)
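As an added example (not posted by anyone in this thread), the three settings discussed above side by side in FortiOS CLI form: the default that drops polled logons after 8 hours, the longer window the TAC engineer suggested, and the "0 means keeping forever" value Carlitos warns about, followed by the commands to confirm the change took effect. It assumes the DC polling entry has ID 1 (check with `show user fsso-polling`) and that 24 hours is the window you want; the `#` lines are comments for the reader, not part of the configuration.

```fortios
# Default behaviour described in the first post: polled logons are kept
# as active logons for 8 hours, then silently dropped.
config user fsso-polling
    edit 1
        set logon-history 8
    next
end

# Fix applied in the first post: extend the active-logon window. The
# value is in hours; 24 is an assumption for this example (range 0-48).
config user fsso-polling
    edit 1
        set logon-history 24
    next
end

# Not recommended on a security appliance: 0 keeps every polled logon
# active indefinitely ("0 means keeping forever"), so a shared or
# unlocked workstation stays mapped to the last user who logged on to it.
# config user fsso-polling
#     edit 1
#         set logon-history 0
#     next
# end

# Verify: the stored setting, the poller's view of the DC, and the logons
# the firewall currently considers active (the table that was emptying
# after 8 hours).
show user fsso-polling
diagnose debug fsso-polling detail
diagnose debug authd fsso list
```

Pick the logon-history value to match the workday you actually expect a single desktop session to last, and keep `diagnose debug authd fsso list` in your runbook: if users lose access at the same time of day the window expired, this table will show their entries missing while the DC still shows them logged on.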
Copyright 2024 Fortinet, Inc. All Rights Reserved.