Hi, on a FortiGate 100D running 4.x we used FSSO with the FSSO Agent installed on the Active Directory server with no trouble. After changing the firmware to 5.2 and the FSSO Agent to 4.3.0159, users started complaining about websites: sometimes websites opened and sometimes not. I decided to change the SSO method to Polling. I configured everything, with no luck: no users are shown in User & Device -> Monitor -> Firewall -> Show all FSSO Logons. The "diagnose debug authd fsso server-status" command shows only "Local FSSO Agent"!!, which is not visible under User & Device -> Single Sign-On (I even deleted everything I created before). LDAP test: pass. When I add an SSO, the status is always a grey X mark.
FGT60B, FGT100A, FGT100D
Solved by
1. Execute FSSO refresh
2. Add the selected group from the FSSO agent on the AD server
3. Add the selected group under Single Sign-On on the FortiGate firewall
Done
FGT60B, FGT100A, FGT100D
Same issue, any update?!!
Solved
via CLI:

    FORTI # show user fsso
    config user fsso
        edit "Local FSSO Agent"
            set ldap-server "LDAP_DA"
            set server "127.0.0.1"
        next
    end
    FORTI # config user fsso
    FORTI (fsso) # delete "Local FSSO Agent"
    FORTI (fsso) # end
Hi
First, please stick to FSSO DC Agent mode only (forget Polling mode). Please do not have any LDAP dependencies.
Check "Currently Logon Users" in the Collector Agent, then check the Group Filters in the Collector Agent.
Finally, check whether FSSO users appear in User >> Monitor >> Show FSSO Logons.
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Dipen is right on the money. The collector is way better as a system, imho.
To answer your question (this is just from what I have seen): the local FSSO agent on the FortiGate is used in polling mode. It seems the FortiGate itself functions as a collector server, polling AD much like a collector would poll the agents. Without the agent this method works, but it seems a little more solid with a collector server and agents deployed.
As for the gray X, this was happening to me in polling mode too. The issue was that my FSSO service account, which I did not want to make a domain admin, was not added to the "Event Log Readers" group. The LDAP test would pass, but it would not have permissions to pull logon events from the LDAP servers it is polling.
All that said, I suggest collector and agent mode. Both will work, but I have seen better results and have heard more positive feedback from the collector and agents.
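The reply above describes the failure mode that produces the grey X in polling mode: the LDAP bind succeeds, but the service account cannot read the Security event log on the domain controller because it is not in "Event Log Readers". The following PowerShell is an added example, not code from the thread or from Fortinet, that reproduces both halves of that check from a domain-joined admin host: it resolves the account, tests recursive membership in the builtin "Event Log Readers" group, and then reads logon events (ID 4624) from the DC as that account, which is the operation the poller needs. The account name "svc-fsso", the domain "EXAMPLE" and the DC "dc01.example.com" are assumptions; substitute your own.

```powershell
# Added example (not from the forum thread or Fortinet): verify that an FSSO polling
# service account can read DC logon events without being a Domain Admin.
# Assumed names: account svc-fsso, domain EXAMPLE, DC dc01.example.com.
# Requires the ActiveDirectory RSAT module and RPC access to the DC's event log.
Import-Module ActiveDirectory

$Account = 'svc-fsso'          # assumed FSSO polling service account
$Domain  = 'EXAMPLE'           # assumed NetBIOS domain name
$DC      = 'dc01.example.com'  # assumed domain controller the FortiGate polls

# 1. The equivalent of the FortiGate "LDAP test": the account must resolve in AD.
$user = Get-ADUser -Identity $Account -ErrorAction Stop
Write-Host "Account found: $($user.DistinguishedName)"

# 2. Membership in the builtin "Event Log Readers" group (SID S-1-5-32-573), including
#    nested membership. Without it the Security log read in step 3 is denied, which is
#    the state the reply above describes as a passing LDAP test but a grey X.
$isReader = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive |
            Where-Object { $_.SamAccountName -eq $Account }
if ($isReader) {
    Write-Host "$Account is a member of Event Log Readers"
} else {
    Write-Warning "$Account is NOT in Event Log Readers; polling will fail with a grey X."
    Write-Warning "Remediation: Add-ADGroupMember -Identity 'Event Log Readers' -Members $Account"
}

# 3. Prove the permission end to end: read the last few successful logon events
#    (ID 4624) from the DC's Security log as the service account. This is the data the
#    FortiGate poller consumes to build its logon table.
$cred = Get-Credential -UserName "$Domain\$Account" -Message 'FSSO service account password'
try {
    $events = Get-WinEvent -ComputerName $DC -Credential $cred -MaxEvents 5 `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop

    # Pull the user/IP/logon-type fields out of the event XML so the output resembles
    # what should appear under Show FSSO Logons on the FortiGate.
    $events | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
            SourceIP  = $data.IpAddress
            LogonType = $data.LogonType
        }
    } | Format-Table -AutoSize
    Write-Host "Security log read OK: $Account has the rights the poller needs on $DC"
} catch {
    Write-Warning "Could not read the Security log on ${DC}: $($_.Exception.Message)"
    Write-Warning "If step 2 passed, check that the account has logged on again since being added (group membership is applied at logon) and that RPC to $DC is not blocked."
}
```

Group membership is evaluated when a logon session is created, so after adding the account to Event Log Readers the FortiGate's polling session (or the test credential here) has to be re-established before step 3 succeeds. Only logon type 2, 10 and similar interactive or network logons are useful for mapping users to workstation IPs; the script prints LogonType so you can see which events the DC is actually recording.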
Copyright 2024 Fortinet, Inc. All Rights Reserved.