Hello,
I find out a not so happy behaviour on the FSSO Controller Agent that makes some troubleshooting harder.
For example: a user logs in at time 10:14 and is working on his workstation. When I check the FSSO Logon Users at 10:27 I can see that the user is logged in with status OK. If I check the status one minute later the user is not in the list. But the user is still on the FortiGate. A few seconds later the user is in the list again with the logon time 10:14 as at the begining. After some time the user is missing until the next logon.
Is this a correct behaviour?
I checked it in the lab with 3 users with the same results.
Also when the user disappears from the primary FSSO Collector Agent it is still in the list on the secondary Collector Agent. Some time later the same user is missing on the second Collecotr Agent also.
On the FSSO logs I can see logs like:
check_ip_wmi: ConnectServer() failed, server:\\192.168.221.100\ROOT\CIMV2 error code:0x800706ba
wksta_check: workstation has no valid IP address: CL01W10.LAB.DOMAIN.COM
CL01W10.LAB.DOMAIN.COM:TOMH[0.0.0.0:0.0.0.0] removed.
Why the worksation check failed? DNS registration, port 445 and Remote Registry is enabled - otherwise the status after a short time would be Not Verified.
The log 2 minutes before shows:
wksta_check: workstation has no valid IP address: CL01W10.LAB.DOMAIN.COM
DNS_lookup: workstation:CL01W10.LAB.DOMAIN.COM ip changed from 0.0.0.0:0.0.0.0 to 192.168.221.100:0.0.0.0
I do not understand what is happening.
Another question: Would the user log entry be removed when the user leaves the workstation and locks his screen?
Collector Agent and DC Agent version is: 5.0.0254
AtiT
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi AtiT,
User missing from the list.
- I guess that list mean 'Show logon Users' on Collector
- turn log to debug level and Collector will tell you why is the user gone
'user disappears from the primary FSSO Collector Agent it is still in the list on the secondary Collector'
- this is actually normal situation, as there is no sync (or any sort of clustering) between collectors
- every single collector makes his own idea about logged on users and due to processing delays and timers it might happen that list and total amounts of logged on users slightly differs between the collectors even when they handle the very same DCs/Domain.
'check_ip_wmi: ConnectServer() failed, server:\\192.168.221.100'
- that Collector does uses WMI MSFT API to check stuff and mentioned server cannot be questioned via WMI
- why? could be misconfigured WMI (or even missing WMI support but it should be supported since Win2000), also it could be that user under which Collector runs has not enough access rights to contact WMI.
- it might also appear that 192.168.221.100 is not a Windows machine, but some MacOS with domain conenctor, which generates 4624 logon event ID in DC and FSSO will process it (WinSec/WinSecWMI polling), and MacOS most probably wont respond on WMI.
- That's why general recommendation is to INSTALL and RUN Collector under Domain Admins group member account
'wksta_check: workstation has no valid IP address'
- that's workstation check done through Remote Registry Service (not WMI as in previous log)
- so it looks like your system is capable to do Remote Registry but not WMI
- check WMI and OS versions or disable WMI on Collector ..
-- if polling then use WinSec instead of WinSecWMI
-- in Advanced Settings / General / Workstation Check / uncheck option 'Use WMI to check user logoff'
kind regards,
tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hello,
The WMI sesttings helped me, now it is working as expected.
Thank you very much!
AtiT
Hi all, I'm having the same difficulties using the CA (without dc agent). The service account is member of the event log readers group. The agent status is showing multiple logon events with correct timestamps. But, no user logons are listed on the agent. What can be the cause of this issue? CA 5.0.0271 is installed on a non DC and polling the DC using regular event log polling method.
Any help would be greatly appreciated!
Kind regards
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1717 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.