EntitledSuperUser
New Contributor II

FSSO, User Events and Forward Traffic Log

Hi,

 

I am having some issues showing authenticated users on my Forward Traffic Log; they show as Unauthenticated by User Source forticlient. I checked most of the posts in here regarding FSSO and learned a bit about the diagnose debug commands, but I still couldn't figure out what my issue is.

 

Site info:

Windows 2012 R2 DC with DC Agent installed

LDAP server configured

Citrix XenDesktop machines (at least 10 users per machine) with FortiClient installed, with the Telemetry profile pointing to the FortiGate

 

When I check Log & Report > User Events I see a lot of entries like:

User: mytestuser

Action: FSSO-logon

Messages: FSSO-logon event from MYDOMAINCONTROLLER:user MYTESTUSER logged on 172.X.X.X

 

Lots of those messages from all my users, from which I can only assume that I got FSSO working; however, when I go to the Forward Traffic Log, under the Source column I see

Source: MYTESTUSER 172.X.X.X

Ok, it mapped the user to the server, that's cool, but when I check the Details panel it says:

Unauthenticated user: MYTESTUSER

Unauthenticated User Source: forticlient

 

When I do

diagnose debug authd fsso list

The list shows a bunch of my users.

 

diag debug fsso-polling detail

AD Server Status:
ID=1, name(172.x.x.x),ip=172.x.x.x,source(security),users(20)
port=auto username=mydomain\myuser
read log eof=1, latest logon timestamp: Fri Sep 2 14:28:28 2016
polling frequency: every 10 second(s)
success(1763), fail(0)
LDAP query: success(308), fail(0)
LDAP max group query period(seconds): 1
Number of users logged in:
Within 1 sec: 3(15.00%)
Within 1-5 secs: 9(45.00%)
Within 5-10 secs: 8(40.00%)

 

Group Filter:

The AD groups that I specified.

 

diagnose debug authd fsso list

Shows a list with a bunch of my users.

 

diagnose debug authd fsso server-status

Shows nothing...

 

In the DC Agent I configured all my Citrix Servers under the Agent Advanced Settings. The Group Filter is configured from the FortiGate.

The Agent Collectors on the Citrix Servers are pointing to the DC Agent.

If I check Show Logon Users, it shows all my users.

Show Monitor DCs shows the Citrix Servers that have the agents installed and the DCs.

Set Directory Access Information is set to Advanced.

 

I don't know what else I am missing.

EntitledSuperUser
New Contributor II

So I got it to work by starting from scratch. This is what I did (maybe not in this exact same order).

I am using two domain controllers for this; not sure if it matters, but this is my scenario.

 

• Created one LDAP connection (Domain-1).
• Created two Single Sign-On connections: one connection (Domain-1) is a Poll Active Directory Server one that uses the LDAP server created above, so the IP and the LDAP server are the same (Domain-1). The other connection (Domain-2) is a Fortinet Single Sign-On Agent one; this uses the IP of my other DC but it uses the LDAP server from before (Domain-1). In this connection I selected the groups I want to monitor.
• Installed the agent on Domain-2 (you have to reboot the server). I configured the following in here:
  • Monitor user logon events and Support NTLM Authentication
  • Show Monitor DC – Select DC to monitor – selected Polling Mode using WMI and checked all my DCs.
  • Set Directory Access Information to Advanced. In the Advanced settings I just entered the LDAP info (Domain-2).
  • Set Group Filters – it pulls the info from the FortiGate so I didn't touch anything.
  • In my case, because I am monitoring Citrix XenDesktop VMs, I went to the Advanced Settings under the Citrix/Terminal Server tab and specified all the Citrix servers I am monitoring. I also installed the TS Agents on these servers and specified the Fortinet SSO Collector Agent IP/Port to be Domain-2:8002.
• In the FortiGate under User & Device – Single Sign-On I can see that the status for both Domain-1 and Domain-2 is green.
• Under User & Device – User Groups I created an FSSO group and added the Active Directory members that I specified when I created the Single Sign-On connection (Domain-2).
• Under IPv4 Policy I created another policy (User to Internet) on top of an existing policy (Lan to Internet) that allows my internal network to access the internet. I originally tried to edit the Source of my existing policy and add the FSSO group in there; however, this caused some devastating issues because the users were not being authenticated and thus were not able to access the internet. So, if you make a new policy and put it on top of the existing one, in the event that users don't authenticate it will move to the next policy and still give them internet access.

The new policy I created has as its source an Address Group I created for my Citrix Servers and the FSSO group. I enabled the option to Log All Sessions. Once I got all this to work I enabled IPS, DLP, AV, Web-Filter, CASI. Once all that was working I enabled SSL/SSH Inspection.

Log & Report – User Events is your friend. In the Forward Traffic Log, if you see the user and the icon is blue it means it was authenticated; if it is red it wasn't.
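The "blue icon / red icon" check above can be done on the raw logs as well. The following script is an added example for this thread, not code from the original poster or from Fortinet: it parses a handful of constructed FortiGate forward-traffic log lines (key=value format, sample values made up) and classifies each session as authenticated (matched an FSSO identity policy), unauthenticated (identity learned but the session fell through to a non-identity policy such as "Lan to Internet"), or anonymous. The field names `user`, `group`, `unauthuser`, `unauthusersource` and `policyname` are assumed to be the raw-log equivalents of the GUI labels quoted in the question.

```python
import re
from collections import Counter

# Constructed sample lines (not from the forum post). Layout follows the
# FortiGate key=value traffic-log style; addresses, names and ids are made up.
SAMPLE_LOGS = [
    'date=2016-09-02 time=14:30:01 type="traffic" subtype="forward" srcip=172.16.10.21 '
    'dstip=203.0.113.10 user="MYTESTUSER" group="FSSO-Citrix-Users" policyid=12 '
    'policyname="User to Internet" action="accept"',
    'date=2016-09-02 time=14:30:05 type="traffic" subtype="forward" srcip=172.16.10.22 '
    'dstip=203.0.113.11 unauthuser="JDOE" unauthusersource="forticlient" policyid=7 '
    'policyname="Lan to Internet" action="accept"',
    'date=2016-09-02 time=14:30:09 type="traffic" subtype="forward" srcip=172.16.10.50 '
    'dstip=203.0.113.12 policyid=7 policyname="Lan to Internet" action="accept"',
    'date=2016-09-02 time=14:30:12 type="traffic" subtype="forward" srcip=172.16.10.21 '
    'dstip=203.0.113.13 user="MYTESTUSER" group="FSSO-Citrix-Users" policyid=12 '
    'policyname="User to Internet" action="deny"',
]

# key=value pairs; quoted values may contain spaces (e.g. policyname="User to Internet")
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Split one FortiGate key=value log line into a dict, quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD_RE.finditer(line)}


def auth_status(rec):
    """Blue icon: user matched an identity (FSSO group) policy.
    Red icon: FortiGate knows who the user is (unauthuser) but the session
    was not matched by an identity-based policy."""
    if rec.get("user") and rec.get("group"):
        return "authenticated"
    if rec.get("unauthuser"):
        return "unauthenticated"
    return "anonymous"


def summarize(lines):
    """Count sessions per status and per (policy, status), and list every
    identity that fell through to a non-identity policy."""
    status_counts = Counter()
    per_policy = Counter()
    fallthrough = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "traffic" or rec.get("subtype") != "forward":
            continue
        status = auth_status(rec)
        status_counts[status] += 1
        policy = rec.get("policyname", "?")
        per_policy[(policy, status)] += 1
        if status == "unauthenticated":
            fallthrough.append((rec.get("srcip"), rec["unauthuser"], policy))
    return {"status_counts": dict(status_counts),
            "per_policy": dict(per_policy),
            "fallthrough": fallthrough}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS)
    print("sessions by auth status:", result["status_counts"])
    for (policy, status), n in sorted(result["per_policy"].items()):
        print(f"  {policy!r:22} {status:16} {n}")
    for srcip, who, policy in result["fallthrough"]:
        print(f"known user {who} from {srcip} hit non-identity policy {policy!r}")
```

If the "fallthrough" list is non-empty for users who are supposed to be in the FSSO group, the logon was seen (User Events) but the identity policy never matched, which is exactly the symptom described in the question; check the group filter and the FSSO user group membership before touching the policy order.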

xsilver_FTNT

Well done and well described!

One side note: if I got it correctly, then FSSO polling from the FortiGate unit is probably used. I would suggest rather using a standalone Collector Agent installed on a DC (preferred) or on any domain member machine (it needs access to domain data). It is more robust and flexible. The local poller on the FortiGate uses authd and in bigger networks might utilize the FortiGate's CPU quite a lot, causing performance issues in the worst-case scenario.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
