Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fjulianom
New Contributor III

Doubt about FSSO timers

Hi experts,

 

I have a doubt about the "Workstation verify interval" and "Dead entry timeout interval":

 

 

1. So if user A closes his laptop without logging off, the collector will not be able to connect to the workstation and his status will change to "not verified". This will trigger the dead entry timeout interval and it will last 8 hours (by default) until the user is purged from the collector. If within this period of time an attacker connects his laptop with an static IP equals to that of the user A, now the collector will be able to connect to the workstation, the status will change to "OK" and the attacker will gain access to the network. Am I correct?

 

2. What happens when the "Workstation verify interval" is set to 0? The collector will not check if users are still logged on, but what will be the status of them?

 

3. What happens when the "Dead entry timeout interval" is set to 0? Will the users be never purge?

 

Regards,

Julián 

 

3 Solutions
Fishbone_FTNT

Hi Julian,

in case 1 attacker would use user's profile to access resources, based on your policy on the server. 8 hours of dead entry interval is safe default value, which would work for most networks well.

However you are not particularly right with status 'OK' transition. IP will stay 'Not Verified', because FSSO CA wouldn't be able to connect to the PC and check the user presence. In case the attacker exposes Windows WMI or RRA to the FSSO CA and it will be able to detect different user on IP, FSSO CA removes that logon entry immediately.

 

If workstation verify interval is set to 0 (case 2), nothing will update logon list. And it will be purged in "Dead Entry Timeout" time. It's not that obvious and there are technical reasons for  this. If "Dead Entry Timeout" is set to 0 (case 3), no entry would expire.

So if you want to disable that "workstation check thing", you need to set BOTH to 0. So: Dead Entry Timeout = 0 Workstation Check Interval = 0

 

Best practice is to: > install FSSO CA (basic options adjusting like IP change detect to few seconds, group cache, etc.) > tweak ignore lists (service accounts, RDP admins, etc) > tweak WMI or RRA so all workstations are checkable > tighten the timers: dead entry timeout to few minutes, workstation check interval

I've seen ~30k userbase networks with few seconds on IP change, few minutes on workstation check and some minutes on dead entry. So users were removed in 5 minute window.

 

Hth,

Fishbone)(

smithproxy hacker - www.smithproxy.org

View solution in original post

FortiKoala

The answer lies in the first part of the authentication process. The Fortigate is not providing authentication, rather it is simply using the Database provided by your domain controller. That means in order to access your internal network a client must first log into your Domain. Therefore if a user logs in successfully, and another user attempts to spoof their IP, they will still be required to authenticate against the Domain controller for Network access. Someone spoofing a valid users IP will still be challenged by the Domain Controller to Authenticate. Additionally, once authenticated, the FSSO service polls each client approximately every 5 minutes to verify the identity of the client connected. It does this by starting the remote registry service on your local host and verifying several pieces of information, including workstation name, against AD, and if the information is returned as invalid then the AD and therefore the Fortigate will view the client as unverified, and only allow guest level access (if configured in your ipv4 policies) or non at all. If your still concerned about the possibility of some kind of breach however, you can additionally modify the default value of the dead entry timeout interval to as little as five minutes. Although this may result in more frequent challenges for authentication depending on your configuration.

 

Because despite being authenticated and within the dead timer interval, the FSSO service still verifies the identity of the workstation by using IP, but also other information provided by AD, including host id. If any of this information is incorrect then Fortigate will treat the host as unverified, guest level at best or no access only.

View solution in original post

Fishbone_FTNT

1. Then when the CA checks is the workstation is alive, it checks not only the IP address of the workstation but also the current user logged on?

 

We have 2 processes in FSSO CA. One is "IP check" and the other is called "Workstation check". IP check is trying to resolve workstation name in logon list and reflect its changes.

Workstation check will query all IP addresses associated with workstation name in logon list. It is sufficient to one be successfully connected to make whole workstation OK (therefore authorizing also other IP addresses associated with workstation).   2. If workstation verify interval is set to 0 (case 2), nothing will update logon list --> But what will be the status of the users in the logon list? All of them will be OK? All of them will be Not verified?

IIRC they will be OK, but still they will be removed after dead entry expiry. There are technical reasons for that.   On the other hand you said "8 hours of dead entry interval is safe default value, which would work for most networks well." but best practices say "tighten the timers: dead entry timeout to few minutes". So is it recommended to reduce the dead entry interval?

 

 

You always need to have some sane default values.  If you think of it it would be troublesome to install FSSO CA with tight values from the beginning. If you go after security, you need to tweak your installation. This is like with everything.

It is recommended to to reduce intervals, provided you understand how it works and you know the implications. At the end you are the admin, and you would face false alarms and calls from users something doesn't work.

 

Fishbone)(

smithproxy hacker - www.smithproxy.org

View solution in original post

6 REPLIES 6
Fishbone_FTNT

Hi Julian,

in case 1 attacker would use user's profile to access resources, based on your policy on the server. 8 hours of dead entry interval is safe default value, which would work for most networks well.

However you are not particularly right with status 'OK' transition. IP will stay 'Not Verified', because FSSO CA wouldn't be able to connect to the PC and check the user presence. In case the attacker exposes Windows WMI or RRA to the FSSO CA and it will be able to detect different user on IP, FSSO CA removes that logon entry immediately.

 

If workstation verify interval is set to 0 (case 2), nothing will update logon list. And it will be purged in "Dead Entry Timeout" time. It's not that obvious and there are technical reasons for  this. If "Dead Entry Timeout" is set to 0 (case 3), no entry would expire.

So if you want to disable that "workstation check thing", you need to set BOTH to 0. So: Dead Entry Timeout = 0 Workstation Check Interval = 0

 

Best practice is to: > install FSSO CA (basic options adjusting like IP change detect to few seconds, group cache, etc.) > tweak ignore lists (service accounts, RDP admins, etc) > tweak WMI or RRA so all workstations are checkable > tighten the timers: dead entry timeout to few minutes, workstation check interval

I've seen ~30k userbase networks with few seconds on IP change, few minutes on workstation check and some minutes on dead entry. So users were removed in 5 minute window.

 

Hth,

Fishbone)(

smithproxy hacker - www.smithproxy.org

fjulianom

Hi Fishbone,

 

First of all thank you for your interest. Could you please clarify these doubts:

 

1. Then when the CA checks is the workstation is alive, it checks not only the IP address of the workstation but also the current user logged on?

 

2. If workstation verify interval is set to 0 (case 2), nothing will update logon list --> But what will be the status of the users in the logon list? All of them will be OK? All of them will be Not verified?

 

On the other hand you said "8 hours of dead entry interval is safe default value, which would work for most networks well." but best practices say "tighten the timers: dead entry timeout to few minutes". So is it recommended to reduce the dead entry interval?

 

Thanks a lot,

Julián

FortiKoala

The answer lies in the first part of the authentication process. The Fortigate is not providing authentication, rather it is simply using the Database provided by your domain controller. That means in order to access your internal network a client must first log into your Domain. Therefore if a user logs in successfully, and another user attempts to spoof their IP, they will still be required to authenticate against the Domain controller for Network access. Someone spoofing a valid users IP will still be challenged by the Domain Controller to Authenticate. Additionally, once authenticated, the FSSO service polls each client approximately every 5 minutes to verify the identity of the client connected. It does this by starting the remote registry service on your local host and verifying several pieces of information, including workstation name, against AD, and if the information is returned as invalid then the AD and therefore the Fortigate will view the client as unverified, and only allow guest level access (if configured in your ipv4 policies) or non at all. If your still concerned about the possibility of some kind of breach however, you can additionally modify the default value of the dead entry timeout interval to as little as five minutes. Although this may result in more frequent challenges for authentication depending on your configuration.

 

Because despite being authenticated and within the dead timer interval, the FSSO service still verifies the identity of the workstation by using IP, but also other information provided by AD, including host id. If any of this information is incorrect then Fortigate will treat the host as unverified, guest level at best or no access only.

fjulianom
New Contributor III

Hi Knowledge_Team_FTNT,

 

Thanks for clarifying and your good explanation!

 

Regards,

Julián

Fishbone_FTNT

1. Then when the CA checks is the workstation is alive, it checks not only the IP address of the workstation but also the current user logged on?

 

We have 2 processes in FSSO CA. One is "IP check" and the other is called "Workstation check". IP check is trying to resolve workstation name in logon list and reflect its changes.

Workstation check will query all IP addresses associated with workstation name in logon list. It is sufficient to one be successfully connected to make whole workstation OK (therefore authorizing also other IP addresses associated with workstation).   2. If workstation verify interval is set to 0 (case 2), nothing will update logon list --> But what will be the status of the users in the logon list? All of them will be OK? All of them will be Not verified?

IIRC they will be OK, but still they will be removed after dead entry expiry. There are technical reasons for that.   On the other hand you said "8 hours of dead entry interval is safe default value, which would work for most networks well." but best practices say "tighten the timers: dead entry timeout to few minutes". So is it recommended to reduce the dead entry interval?

 

 

You always need to have some sane default values.  If you think of it it would be troublesome to install FSSO CA with tight values from the beginning. If you go after security, you need to tweak your installation. This is like with everything.

It is recommended to to reduce intervals, provided you understand how it works and you know the implications. At the end you are the admin, and you would face false alarms and calls from users something doesn't work.

 

Fishbone)(

smithproxy hacker - www.smithproxy.org

fjulianom

Great explanation Fishbone!

 

Many thanks,

Julián

Top Kudoed Authors