Support Forum
Mitch111
New Contributor

FSSO Advanced Mode does not work (sometimes)

Hi,

 

I'm using OS 5.2.10 in my firewall cluster. I have 2 DCs with a Windows 2012 domain, each with the Forti SSO Agent version 5.0.244 installed. Basically it is working. But sometimes the users have no access to the Internet; this occurs only for laptop and PC users, our terminal users (with TSAgent) don't have any issue.

 

I have set the log to debug mode and found this:

 

07/05/2017 16:56:06 [ 1896] not in filter: last user:dreimann user:dreimann

 

07/05/2017 16:56:06 [ 1896] not  infilter:lastgroup:CN=dreimann,OU=Inhaus_WO_keinCOS,OU=Inhaus_WO,OU=Inhaus_Laptop,OU=Win_Clients,OU=Users_Computers,DC=xxxx,DC=wortmann,DC=com+OU=Inhaus_WO_keinCOS,OU=Inhaus_WO,OU=Inhaus_Laptop,OU=Win_Clients,OU=Users_Computers,DC=xxxx,DC=wortmann,DC=com+OU=Inhaus_WO,OU=Inhaus_Laptop,OU=Win_Clients,OU=Users_Computers,DC=xxxx,DC=wortmann,DC=com+OU=Inhaus_Laptop,OU=Win_Clients,OU=Users_Computers,DC=xxxx,DC=wortmann,DC=com+OU=Win_Clients,OU=Users_Computers,DC=xxxx,DC=wortmann,DC=com+OU=Users_Computers,DC=xxxxx,DC=wortmann,DC=com+CN=Domänen-Benutzer,CN=Users,DC=xxxx,DC=wortmann,DC=com+CN=AS/400_Benutzer,CN=Users,DC=xxxx,DC=wortmann,DC=com+CN=Office-Vorlagen,OU=office,OU=Benutzergruppen,DC=xxxxDC=wortmann,DC=com+CN=mca,CN=Users,DC=xxxx,DC=wortmann,DC=com+CN=sonicwall,CN=Users,DC=xxxDC=wortmann,DC=com+CN=proxy_full_http_access,OU=proxy,OU=Benutzergruppen,DC=xxxx,DC=wortmann,DC=com+CN=notebookuser,CN=Users,DC=xxxx,DC=wortm...

 

07/05/2017 16:56:06 [ 1896] not in filter: last user:dreimann user:dreimann

 

I guess "not in filter" means this user is not in the AD group (but she is). If she logs off and on, it works. The user is in 45 groups; maybe there's a max group check? You see the "..." at the end of the group lookup; this is going through all of our users.

 

Any hints?

 

 

Cheers

 

Michael
xsilver_FTNT
Staff

Hi Michael,

 

'not in filter' basically means that the FSSO Collector got info about the user, but the user does not belong to any group filtered for any connected FortiGate.

In detail, the user's group membership (MemberOf) might contain many groups (the user is a member of many), but none of the groups is used in the Group Filter on the Collector for any FortiGate.

If you run the Collector in Advanced mode, then the Collector resolves group membership in LDAP format (CN=usergroup,OU=..) and not in MSFT native format (DOMAIN/GroupName). Therefore group filters and records in 'config user adgrp' on connected FortiGate units have to be in LDAP format as well, to match.

It's a string match, so pay attention to blank spaces, special characters in group names (avoid those if possible) or hidden 'enter' (line break) characters in the strings.

Users from groups set in filters are processed; the event logs of users not matching any filter are not processed any further and are discarded on the Collector side.

 

If you equip the FSAE/FSSO Agent on the FortiGate with LDAP, it will allow you to choose groups directly from the FortiGate (with the help of that built-in LDAP browser, and that's the only role of LDAP in the FSSO Agent), and such a selection is then pushed to the Collector as a per-FortiGate-serial-number filter. Just for that SINGLE FortiGate unit.

If you'd like common filters global for multiple FortiGates, then define the filter on the Collector and tick the 'Default filter' checkbox; such a filter will then be used for any connected FortiGate, unless it overrides it with its own one.

 

So first make sure the user truly IS a member of a filtered (and therefore processed) group. At least one.

That default filter is also a possible workaround to make sure the user will always be processed. But it makes not much sense if there is no FortiGate behind it using that filter. So it's more like a test setup to see if the Collector can handle the user for me.

 

Kind regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
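To make the string-match rule from Tomas's reply concrete, here is a small checker added as an illustration (it is not part of the Collector and not code from either post): it takes a Collector debug line of the shape Michael quoted, splits the `lastgroup:` value on the `+` separator seen in that line, and reports whether any group DN matches a filter entered in LDAP format. The '+' separator is taken from the quoted line; the sample DNs and filters below are constructed placeholders, and the comparison is an exact string match after stripping line-break characters, as the reply describes.

```python
import re

# Constructed sample in the shape of the 'not in filter: lastgroup:' debug line
# quoted in the post (placeholder DNs, not the poster's real data). The trailing
# '\r' simulates the hidden 'enter' character Tomas warns about.
SAMPLE_LINE = (
    "07/05/2017 16:56:06 [ 1896] not  infilter:lastgroup:"
    "CN=dreimann,OU=Inhaus_WO,DC=example,DC=com"
    "+CN=Domänen-Benutzer,CN=Users,DC=example,DC=com"
    "+CN=proxy_full_http_access,OU=proxy,OU=Benutzergruppen,DC=example,DC=com\r"
)

# Hypothetical Collector group filters. In Advanced mode only the LDAP-format
# entry can ever match; the MSFT native form (DOMAIN/GroupName) never will.
FILTER_LDAP = ["CN=proxy_full_http_access,OU=proxy,OU=Benutzergruppen,DC=example,DC=com"]
FILTER_NATIVE = ["EXAMPLE/proxy_full_http_access"]


def parse_lastgroup(line):
    """Return the '+'-separated group DNs from a 'lastgroup:' debug line ([] if absent)."""
    m = re.search(r"lastgroup:(.*)$", line, re.S)
    if not m:
        return []
    return [g for g in m.group(1).split("+") if g]


def is_truncated(line):
    """A trailing '...' means the log viewer cut the list; the last DN is incomplete."""
    return line.rstrip().endswith("...")


def normalize_dn(dn):
    """Strip CR/LF and surrounding blanks only; spaces inside a DN are significant."""
    return dn.strip()


def matching_groups(line, group_filter):
    """Exact (case-sensitive) string match of each parsed DN against the filter."""
    groups = {normalize_dn(g) for g in parse_lastgroup(line)}
    wanted = {normalize_dn(f) for f in group_filter}
    return sorted(groups & wanted)


def would_be_processed(line, group_filter):
    """True if the Collector would keep this user's logon event for the filter."""
    return bool(matching_groups(line, group_filter))


if __name__ == "__main__":
    print("LDAP-format filter matches:", matching_groups(SAMPLE_LINE, FILTER_LDAP))
    print("native-format filter matches:", matching_groups(SAMPLE_LINE, FILTER_NATIVE))
```

If a real debug line ends in "..." the checker flags it as truncated, since the missing tail may hold the very group the filter expects.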
