Support Forum
foxlet
New Contributor

FSSO Issue "Some users didn't reach internet"

Good day dears,

I have recently deployed FSSO in my environment.

I have the FSSO agent installed on the DC, status Running and perfect.

I have the FSSO Fabric Connector up and running.

I have FSSO login logs from users.

I have an FSSO IPv4 policy to route the AD group, working.

Many domain users managed to reach the internet through that IPv4 policy and everything is fine with them, except a few other users, including me :D! My machine is domain joined and my account is fine, yet I could not reach the internet, and neither could a few other users.

What could be the problem?

xsilver_FTNT
Staff

I'd start from the user and work toward the FGT...

1. When you log in to Windows, is your logon caught by FSSO and reported to the FGT?

2. No? Then what's the mode: polling DCs, or DC Agents installed?

3. DC Agents... on ALL DCs? So does echo %logonserver% on the workstation show the DC chosen to verify your creds, and is that DC monitored by a DC Agent (or polled)?

Usual problems are:

- DC used by the WKS (logonserver) not monitored

- user's group membership not matching the group filters

- Collector Agent running in Standard mode but the FGT set with an LDAP server, so the Group Filters are not in a compatible format (the FGT pushes LDAP format, while the Collector in Standard mode uses the MSFT group format; in Advanced mode it uses LDAP format and so IS compatible with the FGT config. The alternative is to have the FGT configured WITHOUT LDAP in the FSSO connector and so get groups from the Collector in whatever form. However, when you switch, also check the groups on the FGT, as they might not match: the change breaks the bonds between 'config user group' and 'config user adgrp' records.)

- users might also be on the Ignore List

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

davidestebanforero

Hi @xsilver_FTNT:

I am having problems with the authentication mode FSSO Agent DC and Active Directory on WinSRV2016.

Although the users are registered in the FW User Monitor and the policy is applied correctly according to the group, after a few minutes working on the computers the users are left without an Internet connection. So far I can only fix it by logging out of Windows and logging back in. That way users browse again.

Does anyone know what this condition is due to? Any extra parameter to modify in the Agent?

I look forward to your answers.

Thank you!!

xsilver_FTNT

So the user logs in OK, he is recognized by FSSO and allowed by the policy on the FGT accordingly, but after some time, like 5 minutes, he is unable to pass through the same policy.

First check if the workstation's IP is still in the FSSO list. Basically, look for the state where the source IP from which the user was known before is still listed.

If not, then the user was removed. Set the FSSO Collector log to debug level and check what happened when the user was removed: whether it was some logout event (WMI), or some over-tweaked workstation check. A failed workstation check will put the record into the dead-entry list and the respective timer (settable on the FSSO Collector) will start ticking. If that timer runs out, the record is removed, as the Collector was unable to determine whether the user is still logged in. The workstation check can be disabled, but then workstations will be listed until their user logs out (and the WMI event is spotted) or indefinitely, which is a bit insecure. Checks might use the Remote Registry service (which is disabled by default on workstations and needs to be enabled), but I would suggest using WMI, which the Collector should use when WMI is enabled in Advanced settings and, for example, WinSec+WMI is used to collect SSO data from the DC. WMI is a service running by default on any Win2000+ MSFT OS, and uses port 445. So the next step is also to check that 445 communication from the Collector to workstations is allowed and not blocked by some intermediate firewall or by some security app on the workstations themselves.

If yes, so it is still listed, then there is most probably another user, not the same as before, and his group-membership-driven access rights do not allow the previous access level. This is most usually caused by some background operations/application and service processes which "Run as" a different user. And as those operations are authenticated and authorized by the domain, there are logon events as if made by a regular user. So put those service accounts on the Ignore List on the DC Agent and their logon events will not propagate to FSSO.

The last possible reason is when the workstation has more than a single NIC (network connection) and so the IP address changes. It might also be caused by broken DNS, as by default the Collector tracks IP changes via DNS queries, but if the correct A record for the name is not found or the IP is incorrect, then it will cause issues in FSSO. A wrong IP will cause a change of the SSO record, but as the workstation will originate traffic from the old/same IP as before, it will not match the "new" IP learned from DNS anymore, for example.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
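The two replies above boil down to a handful of checks an admin can run from the Collector host against one affected workstation: does the workstation's A record match the IP it really sends traffic from, is TCP 445 reachable from the Collector, does a WMI query return the interactively logged-on user, and is Remote Registry even running. The script below is an added, read-only example written for this thread, not Fortinet's code; it assumes Windows PowerShell 5.1 on the Collector host, and $Workstation and $ObservedIP are placeholders you supply.

```powershell
# Added example (not from the thread): run on the FSSO Collector host in Windows PowerShell 5.1.
# $Workstation: the affected host name. $ObservedIP: the source IP seen in FGT logs for that user.
param(
    [Parameter(Mandatory)][string]$Workstation,
    [string]$ObservedIP
)

# 1. DNS: the Collector tracks IP changes via A-record lookups, so a missing or stale
#    record leaves the SSO entry pointing at an IP that never sources traffic.
$a = Resolve-DnsName -Name $Workstation -Type A -ErrorAction SilentlyContinue
$dnsIPs = @($a | Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)
if (-not $dnsIPs) { Write-Warning "${Workstation} has no A record; the Collector cannot track its IP" }
else { Write-Host "A record(s) for ${Workstation}: $($dnsIPs -join ', ')" }
if ($ObservedIP -and $dnsIPs -and ($ObservedIP -notin $dnsIPs)) {
    Write-Warning "Observed IP ${ObservedIP} is not in DNS; suspect a second NIC or a stale A record"
}

# 2. TCP 445 from the Collector to the workstation (the port the reply names for the check).
$tnc = Test-NetConnection -ComputerName $Workstation -Port 445 -WarningAction SilentlyContinue
if ($tnc.TcpTestSucceeded) { Write-Host "TCP 445 to ${Workstation}: open" }
else { Write-Warning "TCP 445 to ${Workstation}: blocked; an intermediate firewall or endpoint agent is likely dropping it" }

# 3. WMI over DCOM (what Get-WmiObject uses): can the Collector host read who is logged on?
#    A failure here is the same condition that moves the entry to the dead list.
try {
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $Workstation -ErrorAction Stop
    if ($cs.UserName) { Write-Host "WMI reports interactive user: $($cs.UserName)" }
    else { Write-Warning "WMI reachable but no interactive user; the Collector will treat the entry as logged off" }
} catch {
    Write-Warning "WMI query failed: $($_.Exception.Message)"
}

# 4. Remote Registry fallback: disabled by default on workstations, as the reply notes.
try {
    $rr = Get-Service -ComputerName $Workstation -Name RemoteRegistry -ErrorAction Stop
    Write-Host "RemoteRegistry service on ${Workstation}: $($rr.Status)"
} catch {
    Write-Warning "Could not query the RemoteRegistry service: $($_.Exception.Message)"
}
```

Run it with the account the Collector service uses, so the WMI and service queries reflect the Collector's own permissions rather than a domain admin's.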

yuviraj911

I am facing the same problem: the FSSO user is verified but the internet is not working.

I have the FSSO agent installed on the DC, status Running and perfect.

I have the FSSO Fabric Connector up and running.

I have FSSO login logs from users.

I have an FSSO IPv4 policy to route the AD group, working.

FSSO is configured in DC agent mode.

Please help.
