Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kcerb
New Contributor III

FSSO in 5.2 problem

Hi, on Fortigate 100D ver 4.x we used a FSSO with FSSO Agent installed on Active Directory server with no trouble. After change firmware to 5.2 and FSSO Agent to 4.3.0159, users started complain about websites: sometimes websites opened and sometimes not. I decided to change SSO method to Polling. I configured everything with no luck. no users are shown in User & Device -> Monitor -> Firewall -> Show all FSSO Logons. The " diagnose debug authd fsso server-status" command shows only " Local FSSO Agent" !! which is not visible under User & Device -> Single Sign-On (I even deleted everything I created before): LDAP test: pass. When I add a SSO, the status is always grey X mark.

FGT60B, FGT100A, FGT100D

FGT60B, FGT100A, FGT100D
1 Solution
Hassan_Fahmy
New Contributor II

Solved by 

Execute Fsso Refresh 

add Selected group from FSSO agent @ AD 

add Selected group from Single sign on @ Fortigate FW

Done 

View solution in original post

6 REPLIES 6
kcerb
New Contributor III

OK, the greyed-out X mark solved: User must be " Administrators" group member. Now I can see users in monitor, but I can not see members of default " Domain users" group. This group is of course mapped in " User & Device -> User Groups" Does anybody have some idea about that?

FGT60B, FGT100A, FGT100D

FGT60B, FGT100A, FGT100D
Hassan_Fahmy
New Contributor II

Same Issue any update !!!

 

 

Hassan_Fahmy
New Contributor II

Solved by 

Execute Fsso Refresh 

add Selected group from FSSO agent @ AD 

add Selected group from Single sign on @ Fortigate FW

Done 

daac

solved

 

via cli

 

FORTI # show user fsso config user fsso     edit "Local FSSO Agent"         set ldap-server "LDAP_DA"         set server "127.0.0.1"     next end FORTI # config user fsso FORTI (fsso) # delete Local FSSO Agent

Dipen
New Contributor III

Hi

 

First please stick to FSSO DC Agent Mode only (Forget Polling mode). Please do not have any LDAP Dependencies.

Firstly check "Currently Logon Users" in Collector Agent. Then check Group Filters in Collector Agent.

Finally check if FSSO Users are appearing in User >> Monitor >> Show FSSO Logons.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

 

Ahead of the Threat. FCNSA v5 / FCNSP v5 Fortigate 1000C / 1000D / 1500D
raffi
New Contributor

Dipen is right on the money. The collector is way better of a system imho.

 

 

To answer your question - this is just from what i have seen - The local FSSO agent on the fortigate is used in polling mode. It seems the fortigate itself will function as a collector server polling AD much like a collector would to the agents. Without the agent this method works, but it seems a little more solid with collector server and agents deployed.

 

As for the gray X, this was happening to me in polling mode too. The issue was my FSSO service account which i did not want to make a domain admin was not added to the "Event Log Readers" group. The LDAP test would pass but it would not have permissions to pull logon events from LDAP servers it is polling.

 

All that said, I suggest the collector and agent mode. Both will work but I have seen better results and have heard more positive feed back from the collector and agents.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors