In our office network, we make use of Fortinet FSSO to control Internet access per individual user.
After we log in, our AD username and IP address are logged by our firewall before we are able to access the Internet.
We noticed that sometimes when a user goes to a different office, their IP address changes.
e.g. from office 1, PC01, 172.20.0.84 changes to office 2, PC01, 172.30.0.74. If the AD DNS record does not update the hostname to the new office address PC01, 172.30.0.74, the user will have issues accessing the Internet, as the firewall log will only show 172.30.0.74 instead of username(172.30.0.74).
The quick and fast way for us to solve this is to do an ipconfig /renew or restart the PC, so that the user gets the new IP address.
Is there any way to resolve this issue?
Hi yeowkm99,
Can you please check on the FSSO collector agent under Advanced Settings -> Windows security event logs. By default it will be 0; can you try changing it to 2 as per the KB below.
Regards,
Patterson
Currently set as 0. I have changed it to 2.
I saw event IDs 4624 and 4634 in the event logs.
How does changing this value affect the user logon?
Hi,
Changing the polling ID will help the agent to collect more security event IDs. The agent requires a workstation name on a security event to update the change in IP. Ideally, Kerberos as the authentication will not have the workstation name, so the agent uses a combination of event IDs like 4768 and 4769 to collect the workstation name.
After changing the value to 2, I still have users with the same issues.
DNS records are not updating when they switch to a different location.
I need to remove the older record in the DNS Manager on my AD server. Only after I remove the old DNS record can they access the Internet.
I have more than one FSSO collector agent server.
I have since changed the values on all the servers.
Hey yeowkm99,
What IP verification do you have set up in Collector Agent? You could lower the time; this causes Collector Agent to double-check workstation IPs more quickly (and it should thus detect IP changes more quickly).
However, the main issue is likely something like this:
- Collector Agent checks one DNS server (based on the host's system settings)
- a host that changes its IP reports the IP change to a different DNS
- it takes a few minutes for the change to be replicated through your AD environment
A workaround could be for users to sign out and sign in to their workstations again; this would generate a login event that Collector Agent should pick up on pretty quickly. As long as the login event is generated with an IP, Collector Agent will see that. If the login event is generated with a workstation name again, however, the issue with the DNS lookup still remains.
The only real fix is something like Mobility Agent (which is a tool that reports IPs automatically to FortiAuthenticator, used in VPN scenarios), or make sure DNS changes in your AD are replicated more quickly so Collector Agent can pick up on the changed IP more quickly.
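Added example, not code from this thread or from Fortinet: a PowerShell check, run on a domain controller, that compares the source IP in recent 4624 logon events against the DNS A record of the workstation name in the same event, which is the lookup Collector Agent depends on. A mismatch or missing record flags exactly the stale-DNS situation described above before users report it. The DNS server name is an assumption; point it at the server Collector Agent queries.

```powershell
# Added example (not from the thread). Run on a DC with rights to read the Security log.
# Requires the DnsClient module (Resolve-DnsName), present on Windows Server 2012+.
param(
    [string]$DnsServer = 'dc01.example.local',   # assumption: DNS server Collector Agent queries
    [int]$Hours = 1                               # how far back to look for 4624 events
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # Pull the EventData fields out of the event XML by their Name attribute.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user = $data['TargetUserName']
    $ws   = $data['WorkstationName']
    $ip   = $data['IpAddress']

    # Skip machine accounts, local logons and events without a workstation name
    # (Kerberos logons often lack it, which is why Collector Agent also uses 4768/4769).
    if ($user -like '*$' -or [string]::IsNullOrEmpty($ws) -or $ip -in @('-', '127.0.0.1', '::1')) {
        continue
    }

    # Resolve the workstation name the same way Collector Agent would: an A lookup on $DnsServer.
    $dns = Resolve-DnsName -Name $ws -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress

    if ($null -eq $dns) {
        "{0}`t{1}`tno A record on {2} (Collector Agent cannot map this logon)" -f $user, $ws, $DnsServer
    } elseif ($dns -notcontains $ip) {
        "{0}`t{1}`tlogon from {2} but DNS returns {3} (stale record)" -f $user, $ws, $ip, ($dns -join ',')
    }
}
```

Each output line is a user whose firewall entry will show the wrong address until the DNS record is corrected or replicated.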
Where do I lower the times? Is it at the collector agent?
You should have an IP address change verify interval in Collector Agent (near the bottom):
You can lower this, so Collector Agent checks DNS server more frequently, but it won't change anything if the entries in DNS server are not updated.
How do I make sure that the DNS changes are replicated more quickly?