- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FSSO agent
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO agent
It is to my understanding that the FSSO agent does not need to be installed on Domain Controllers, but can be installed on Member servers as well. We are moving our domain controllers to server core.
Now the old FSSO agents are installed on the domain controllers which still have the GUI installed. Within the FSSO agent we see that Poling mode is enabled. We can see the old DC's and the new DC's in the "Show Monitored DC's". We can select the newly installed server core's and join them in the monitored DC list. We can also see that the Collector agent is pulling events from these newly provisioned DC's.
Eventually the OLD DC's (with GUI) will need to be demoted, where we are forced to move the FSSO agent to other machines. Now I have installed the FSSO agent on two member servers, however we fail to get any logon events. I can select the DC's in the Monitored DC list, but no events are coming in. I have verified that the service is running under the service account and have verified that the service account is able to retrieve Security logs from the domain controllers. Besides this, the same service account has been used as in the old configuration. I have also verified the Ports in which the members server can communicate with the DC's on ports 445 and 3298(GC). Also verified that the member server where the new collector agent is installed is listening on Port 8000TCP and 8002 UDP. We also noticed that the CollectorAgent log file is not created on the new installations, but see following event appearing in the CAMonitor log file:
11/22/2023 12:20:46 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:20:56 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:06 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:16 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:26 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:37 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:47 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:21:57 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:07 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:17 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:27 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:37 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:48 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:22:58 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:23:08 [ 5504] unknown message received:86 len:268435456
11/22/2023 12:23:18 [ 6868] unknown message received:86 len:268435456
Any advice would be greatly appreciated.
Labels:
- Labels:
-
FortiGate
- « Previous
-
- 1
- 2
- Next »
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Usually, no logfile is created if the service account has no permissions to the registry. If you refer back to the KB above with service account permissions, you should see in it details on what registry permissions the account needs; if those are not in place a lot of features will not work because the service account cannot access relevant registry keys.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, now i am completely stumped. The fortigate service account under which the service is running is member of the administrators group, and has therefore full controll over the registry \HKLM\Software\WOW6432Node\Fortinet\FSAE\collectoragent
i have add the account explicitly and now i can receive logs, however no log file is created
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm honestly also stumped - I would want to do a remote session to see it live and dig into it in greater detail, but that's not something we can do over a forum thread, so if the lack of log file is of concern (and I would consider it concerning, as troubleshooting is nearly impossible without it), I would suggest opening a support ticket.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ensure that fortigate service account has RW permission on the agent folder in order to write logs in there.
On the other hand I'd suggest to try upgrade your agent to a new version to avoid possible old bugs.
AEK
AEK
Created on 11-28-2023 08:55 AM Edited on 11-28-2023 08:56 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Windows permissions can be a mess.
Whenever in doubt (such as right now), remember that you can go to Security/Permissions > Advanced > Effective Access > pick the exact service account, and check what permissions it actually has. This is applicable both to the folder and to the registry key.
[ corrections always welcome ]
- « Previous
-
- 1
- 2
- Next »
Related Posts
Labels
-
FortiGate
6,670 -
FortiClient
1,328 -
5.2
801 -
5.4
639 -
FortiManager
577 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
77 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.