Hi Farroo,
unfortunately it's not clear, at least to me, what sort of authentication you are trying to do/have.
Is it LDAP based auth, or FSSO? If FSSO, then are you polling DC(s) directly from FortiGate or do you use a Collector Agent installed on one of the DCs (preferred option)?
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hello Farroo,
first about the 5.2.10
("This is a 300e firewall in vdom mode- unfortunately running 5.2.10 which we cant upgrade just on the sly as it does have other live customers and fortinet tac not helping as its out dated version.")
FortiGate is a security device and its purpose is to protect. Old firmware versions, that are not supported anymore, can be (are) vulnerable to various vulnerabilities. An insecure security device loses its purpose. Firmware needs to be up to date.
To the FSSO issue > which AD version customer has?
Do you monitor user groups whose users' logons are expected to be seen?
Which Windows Security Logon Events are generated by user logons?
Alivo
Hi everyone,
I have the same problem - not seeing logged on users in Fortigate.
I'm in testing mode for now: one DC, and using my domain user for testing traffic.
I have a 200E and firmware v5.6.5 build1600.
I configured LDAP server and SSO, I can see the AD tree and select my user - that has been added to the user group I use on the policy.
The domain user I'm using to configure LDAP and SSO, is not a domain admin - should it be?
I see no message in CLI with debug commands.
FW # diagnose debug authd fsso server-status
FW #
Server Name Connection Status Version Address
----------- ----------------- ------- -------
Local FSSO Agent connected FSAE server 1.1 127.0.0.1
FW # diagnose debug authd fsso list
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----
The traffic is not matching my policy, there is no hit.
As far as I understand there is no need to install FSSO Collector on a domain server for polling mode configuration.
thank you,
have a nice day,
Catalin
Hi Catalin,
FortiGate can poll DCs for logon events directly, however standalone Collector Agent offers much more.
To debug local polling from FortiGate ..
2. Do you see any users or do you see 0 users?
FGT-VM64-1 (root) # diag debug fsso-polling user
FSSO: vd index(0), AD_Server(192.168.32.21), Users(0)
3. If zero users, what is the poller status? Do you have AD connected? Do you have successful pollings? Does your user in AD fit in the group filter?
FGT-VM64-1 (root) # diagnose debug fsso-polling detail
AD Server Status:
ID=1, name(192.168.32.21),ip=192.168.32.21,source(security),users(0)
port=auto username=Administrator
read log offset=1370140, latest logon timestamp: Wed Jun 4 15:43:25 2014
polling frequency: every 10 second(s)
success(5043), fail(0)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
Total max polling period(seconds): 1
most recent connection status: connected
Group Filter: CN=group1,CN=Users,DC=XSILAB,DC=int+CN=group2,CN=Users,DC=XSILAB,DC=int
4. Check the security log on the DC/AD: try to log off and log in with a test (known) user account from a test workstation (known NetBIOS name and IP, from ipconfig /all). Do you see user logon events? Which eventIDs do you see, and are those eventIDs in the list below so the FSSO poller can read them? We mostly use Kerberos logon events as they contain all the info we need; we do not monitor all logon eventIDs as not all of them contain the required info about user and workstation. For Win2K8 we use EventID: 4768, 4769, 4776 and for Win2K3 EventID: 672, 673, 680.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
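The check in step 4 above, written out as an added example (this is not code from the post or from Fortinet): run it in an elevated Windows PowerShell session on the DC that the FortiGate polls, right after logging the known test user off and on again from the known workstation. It first prints the audit settings for the Account Logon category (the subcategories that produce 4768, 4769 and 4776) and then lists those events for the test user with the user and source workstation/IP fields the poller needs. The test user name `jdoe` and the 30-minute look-back window are assumptions; the event field names (TargetUserName, IpAddress, Workstation, Status) are the standard ones for these event IDs.

```powershell
# Added example, not part of the original thread. Run on the polled DC in an
# elevated Windows PowerShell session. $TestUser and $Since are assumptions.
param(
    [string]$TestUser = 'jdoe',                     # sAMAccountName of the test user (assumed)
    [datetime]$Since = (Get-Date).AddMinutes(-30)   # look-back window (assumed)
)

# 1. Confirm the audit subcategories that generate these events are enabled:
#    4768 -> Kerberos Authentication Service, 4769 -> Kerberos Service Ticket Operations,
#    4776 -> Credential Validation (all under the Account Logon category).
auditpol /get /category:"Account Logon"

# 2. Pull the candidate logon events from the local Security log.
$filter = @{ LogName = 'Security'; Id = 4768, 4769, 4776; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Extract the fields the poller needs (user and source workstation/IP) from each event's XML.
$rows = foreach ($e in $events) {
    $data  = ([xml]$e.ToXml()).Event.EventData.Data
    $field = @{}
    foreach ($d in $data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        User   = $field['TargetUserName']   # 4769 reports it as user@REALM, the others as the plain name
        # 4768/4769 carry the client IP (often as ::ffff:x.x.x.x); 4776 carries the NetBIOS workstation name.
        Source = if ($e.Id -eq 4776) { $field['Workstation'] } else { $field['IpAddress'] }
        Status = $field['Status']           # 0x0 is success for all three event IDs
    }
}

# 4. Show the test user's events in order, then a count per event ID so you can see
#    which of the IDs the poller reads are being produced at all.
$rows | Where-Object { $_.User -like "$TestUser*" } | Sort-Object Time | Format-Table -AutoSize
$rows | Group-Object Id | Select-Object Name, Count
```

If the per-ID summary is empty for 4768/4769/4776 while the user clearly logged on, the events are not being audited on that DC (or the logon went to a different DC), and no amount of FortiGate-side debugging will make the poller see the user.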
I encounter the same issue as yours when using "Fabric Connectors/Poll Active Directory Server" on 6.2.3
Once I change to "Fabric Connectors/Fortinet Single Sign-on Agent"
I don't have any problem at all, but you must upgrade your OS to 6.2.3
Local polling from FortiGate is quite different than the standalone Collector Agent.
Differences have been discussed here in the forum many times.
KB with short differences is here https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD38897
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
@nbctcp You can try to read the outputs of:
di de application fssod -1
di de application smbcd -1
when you log in to the domain with your user.
Best Regards,
Alivo
SW INFO:
-FORTIOS 6.2.3 kvm eval key
-WIN2008 as AD Server
STATUS:
-Security Fabric/Fabric Connectors/Active Directory Connector shown with red arrow down
# di de application fssod -1
# di de application smbcd -1
Debug messages will be on for 30 minutes.
FGT1 # smbcd: daemon debug level set to [16777215]
smbcd: SMB library debug level set to [8]
smbcd: smbcd_process_request:968 got cmd id: 6
smbcd: smbcd_process_request:981 got rpc log field.
smbcd: smbcd_process_request:993 got rpc username: administrator
smbcd: smbcd_process_request:999 got rpc password: XXXXXXXX
smbcd: smbcd_process_request:1003 got rpc port: 0
smbcd: smbcd_process_request:1009 got rpc logsrc: security
smbcd: smbcd_process_request:987 got rpc server: 10.0.3.2
smbcd: smbcd_process_request:1036 got VFID, 0
smbcd: smbcd_process_request:1140 got rpc eventlog read command
smbcd: rpccli_eventlog_open:121 /Chroot_Build/19/SVN_REPO_CHILD/FortiOS/fortinet/daemon/smbcd/smbcd_eventlog.c-121: connect err(NT_STATUS_NOT_SUPPORTED)
smbcd: rpc_cmd_eventlog_read:919 open rpc err(10.0.3.2:administrator:0) from security log!, Please check correct server name, user name, password, port and log source
[handle_reply:491] wrong format of data status. len 8 <> 4.
config user ldap
    edit "DC1"
        set server "10.0.3.2"
        set cnid "cn"
        set dn "dc=ngtrain,dc=com"
        set type regular
        set username "cn=administrator,cn=users,dc=ngtrain,dc=com"
        set password Password
    next
end

config user fsso
    edit "Local FSSO Agent"
        set server "127.0.0.1"
    next
    edit "DC1"
        set server "10.0.3.2"
        set password Password
    next
end

config user fsso-polling
    edit 1
        set server "10.0.3.2"
        set user "administrator"
        set password Password
        set ldap-server "DC1"
        config adgrp
            edit "CN=HR,CN=Users,DC=ngtrain,DC=com"
            next
            edit "CN=IT,CN=Users,DC=ngtrain,DC=com"
            next
            edit "CN=SALES,CN=Users,DC=ngtrain,DC=com"
            next
        end
    next
end
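The smbcd debug output above fails in rpccli_eventlog_open at the "connect" stage, i.e. before the Security log is even opened, which points at the SMB session / eventlog named-pipe path between the FortiGate and the DC rather than at the log read itself. One way to separate a DC-or-account problem from a FortiGate-side problem is to exercise that same legacy path from a Windows admin workstation with the polling account. The script below is an added example, not code from the thread or from Fortinet. It assumes Windows PowerShell 5.1 (Get-EventLog, which uses the legacy EventLog API over the \pipe\eventlog named pipe, is not available in PowerShell 7), takes the DC address and account from the config posted above, and prompts for the password. The assumption that Get-EventLog reuses the SMB session established with net use is how named-pipe RPC normally behaves, but it is an assumption of this example.

```powershell
# Added example, not part of the original thread. Run from a Windows admin workstation
# in Windows PowerShell 5.1. DC and account are taken from the posted config (assumed
# still valid); the password is prompted for by net use.
$Dc      = '10.0.3.2'
$Account = 'ngtrain\administrator'

# 1. Reachability of the ports the named-pipe EventLog RPC path depends on
#    (445 for SMB/named pipes, 135 for the RPC endpoint mapper).
foreach ($port in 135, 445) {
    $ok = (Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    'TCP {0,-4} {1}' -f $port, $(if ($ok) { 'open' } else { 'CLOSED/filtered' })
}

# 2. Build an SMB session to the DC as the polling account. Get-EventLog has no
#    -Credential parameter; the remote log open rides on the existing SMB session to the
#    target, so an IPC$ connection as that account makes the read use its rights.
net use "\\$Dc\IPC$" /delete 2>$null | Out-Null
net use "\\$Dc\IPC$" /user:$Account *
if ($LASTEXITCODE -ne 0) {
    throw "SMB session to $Dc as $Account failed; this is the same 'connect' stage the smbcd debug reports (check SMB dialect/NTLM policy on the DC)"
}

# 3. Open the remote Security log through the legacy API and read the newest logon events
#    of the IDs the FortiGate poller reads on Windows 2008 (4768, 4769, 4776).
try {
    $events = Get-EventLog -ComputerName $Dc -LogName Security -Newest 200 -ErrorAction Stop |
              Where-Object { $_.InstanceId -in 4768, 4769, 4776 }
    'Remote Security log opened OK; {0} Kerberos/NTLM logon events among the newest 200' -f @($events).Count
    $events | Select-Object TimeGenerated, InstanceId, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
              Format-Table -AutoSize
} catch {
    "Remote Security log open FAILED: $($_.Exception.Message)"
    'The polling account needs read access to the Security log (e.g. membership of Event Log Readers) and remote EventLog RPC must be reachable.'
} finally {
    net use "\\$Dc\IPC$" /delete | Out-Null
}
```

If step 2 already fails, the FortiGate's smbcd will fail in the same place for the same reason and the fix is on the DC (SMB/NTLM settings or the account); if both steps succeed from the workstation, the remaining suspects are on the FortiGate side: the server, user, password, port and log source in `config user fsso-polling`, and the path between the FortiGate and the DC.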
Copyright 2024 Fortinet, Inc. All Rights Reserved.