Hi Team,
I am not sure if this is a feature limitation or if my config is incorrect, but in my test setup, where I am using a FortiGate eval VM to test FSSO, it doesn't work.
I can see that the user logons are pushed to the FortiGate from the DC server, but the debug logs show that there is no firewall policy match. Could someone please let me know if I am missing something here?
LDAP server IP - 10.1.1.100
windows user IP - 10.1.2.2
username - palouser02
Below are the outputs of some debug commands.
==================================================================
FGVMLAB-BRANCH-002 # diagnose debug authd fsso server-status
Server Name Connection Status Version Address
----------- ----------------- ------- -------
FGVMLAB-BRANCH-002 # 10.1.1.100-AD connected FSSO 5.0.0311 10.1.1.100
FGVMLAB-BRANCH-002 # diagnose firewall auth list
10.1.1.100, PALOADMIN
type: fsso, id: 0, duration: 804, idled: 195
server: 10.1.1.100-AD
packets: in 109 out 145, bytes: in 9788 out 20680
group_id: 33554454 33554482 33554472 33554469 33554450 33554481
group_name: CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL CN=ADMINISTRATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=DISTRIBUTED COM USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=EVENT LOG READERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=SERVER OPERATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL
10.1.2.2, PALOUSER02
type: fsso, id: 0, duration: 194, idled: 124
server: 10.1.1.100-AD
packets: in 121 out 138, bytes: in 35644 out 32440
group_id: 33554454 33554433 33554481
group_name: CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL CN=FINANCE,CN=USERS,DC=PALOLAB,DC=LOCAL CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL
----- 2 listed, 0 filtered ------
FGVMLAB-BRANCH-002 # diagnose debug authd fsso list
----FSSO logons----
IP: 10.1.1.100 User: PALOADMIN Groups: CN=PALOADMIN,CN=USERS,DC=PALOLAB,DC=LOCAL+CN=USERS,DC=PALOLAB,DC=LOCAL+CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL+CN=ADMINISTRATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL+CN=DISTRIBUTED COM USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL+CN=EVENT LOG READERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL+CN=SERVER OPERATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL+CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL Workstation: WIN-LR3E3D2455G MemberOf: CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL CN=ADMINISTRATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=DISTRIBUTED COM USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=EVENT LOG READERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=SERVER OPERATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL
IP: 10.1.2.2 User: PALOUSER02 Groups: CN=PALOUSER02,CN=USERS,DC=PALOLAB,DC=LOCAL+CN=USERS,DC=PALOLAB,DC=LOCAL+CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL+CN=FINANCE,CN=USERS,DC=PALOLAB,DC=LOCAL+CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL Workstation: TESTPC02 MemberOf: CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL CN=FINANCE,CN=USERS,DC=PALOLAB,DC=LOCAL CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
FGVMLAB-BRANCH-002 # show user fsso
config user fsso
edit "10.1.1.100-AD"
set server "10.1.1.100"
set password hTvrwnPSZZZokhz7mPbaySlQQ==
next
end
FGVMLAB-BRANCH-002 # show user group LDAPSERVER-DOMAINUSERS-GROUP
config user group
edit "LDAPSERVER-DOMAINUSERS-GROUP"
set member "ldapserver-10.1.1.100"
config match
edit 1
set server-name "ldapserver-10.1.1.100"
set group-name "CN=Domain Users,CN=Users,DC=palolab,DC=local"
next
end
next
end
FGVMLAB-BRANCH-002 # get sys arp
Address Age(min) Hardware Addr Interface
10.1.2.2 0 0c:35:93:7b:00:00 port2
FGVMLAB-BRANCH-002 # 2024-05-10 04:43:34 id=65308 trace_id=1 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=1, 10.1.2.2:1->104.26.8.216:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=5262."
2024-05-10 04:43:34 id=65308 trace_id=1 func=init_ip_session_common line=6028 msg="allocate a new session-000009eb, tun_id=0.0.0.0"
2024-05-10 04:43:34 id=65308 trace_id=1 func=iprope_dnat_check line=5303 msg="in-[port2], out-[]"
2024-05-10 04:43:34 id=65308 trace_id=1 func=iprope_dnat_tree_check line=824 msg="len=0"
2024-05-10 04:43:34 id=65308 trace_id=1 func=iprope_dnat_check line=5315 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-05-10 04:43:34 id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-192.168.122.1 via port1"
2024-05-10 04:43:34 id=65308 trace_id=1 func=iprope_fwd_check line=794 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-05-10 04:43:34 id=65308 trace_id=1 func=__iprope_check line=2307 msg="gnum-100004, check-00000000ef14c8d9"
2024-05-10 04:43:34 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-2, ret-matched, act-accept"
2024-05-10 04:43:34 id=65308 trace_id=1 func=get_new_addr line=1239 msg="find SNAT: IP-192.168.122.242(from IPPOOL), port-60418"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_user_identity_check line=1833 msg="ret-no-match"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_user_identity_check line=1833 msg="ret-matched"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2277 msg="policy-0 is matched, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check line=2324 msg="gnum-100004 check result: ret-matched, act-drop, flag-08010800, flag2-00004000"
2024-05-10 04:43:35 id=65308 trace_id=1 func=iprope_fwd_check line=831 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-05-10 04:43:35 id=65308 trace_id=1 func=iprope_fwd_auth_check line=850 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check line=2307 msg="gnum-3, check-00000000ef14c8d9"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-matched, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2277 msg="policy-4294967295 is matched, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check line=2324 msg="gnum-3 check result: ret-matched, act-drop, flag-00000020, flag2-00000000"
2024-05-10 04:43:35 id=65308 trace_id=1 func=iprope_policy_group_check line=4730 msg="after check: ret-matched, act-drop, flag-00000020, flag2-00000000"
2024-05-10 04:43:35 id=65308 trace_id=1 func=iprope_fwd_auth_check line=879 msg="iprope_auth_portal_check() result: ret-matched, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=fw_forward_handler line=835 msg="Denied by forward policy check (policy 0)"
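The group shown by `show user group` above is an LDAP-backed firewall group: its member is the LDAP server object and it carries a `config match` block, which is the form a policy uses for active authentication. FSSO logons, such as the two listed by `diagnose debug authd fsso list`, are matched against a group whose `group-type` is `fsso-service` and whose members are the AD groups the collector agent reports. The following is added here as an example and is not part of the original thread; it puts the two group forms side by side and shows a policy referencing the FSSO group. The group name `FSSO-DOMAINUSERS`, the policy name and the policy ID are assumed placeholders; the interfaces follow the debug flow trace (in on port2, out on port1).

```text
# Added example, not from the thread. Lines starting with "#" are comments.

# Form 1 (as in the post): an LDAP firewall group. A policy that references
# this group expects active authentication, so an FSSO logon for 10.1.2.2
# does not satisfy __iprope_user_identity_check on that policy.
config user group
    edit "LDAPSERVER-DOMAINUSERS-GROUP"
        set member "ldapserver-10.1.1.100"
        config match
            edit 1
                set server-name "ldapserver-10.1.1.100"
                set group-name "CN=Domain Users,CN=Users,DC=palolab,DC=local"
            next
        end
    next
end

# Form 2: an FSSO-service group. The member is the AD group DN exactly as
# it appears in "diagnose debug authd fsso list" (group name is assumed).
config user group
    edit "FSSO-DOMAINUSERS"
        set group-type fsso-service
        set member "CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL"
    next
end

# Policy referencing the FSSO group (policy ID and name are placeholders).
config firewall policy
    edit 2
        set name "FSSO-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO-DOMAINUSERS"
        set nat enable
    next
end
```

After applying a group of the second form, the same checks as in the post tell you whether it took effect: `diagnose firewall auth list` should still show the 10.1.2.2 logon with `CN=DOMAIN USERS,...` among its `group_name` entries, and the debug flow trace should report `__iprope_user_identity_check ... ret-matched` on the intended policy instead of falling through to the implicit deny (policy 0).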
Hi @austinmas1987,
Does it happen to other users/computers? Is port1 under SDWAN_UNDERLAY? Does it work if you remove the group from the policy?
Regards,
Hi,
There is only one user to test with. I will set up a new user and see how it goes.
Internet works when group is removed from the policy.