bca
New Contributor

FSSO user entry removed on Collector Agent but not on Fortigate

Hello everyone,

I'm currently facing a problem with FSSO dead entry detection.

When a user disconnects from his workstation, the dead entry is correctly detected on the Collector Agent after the dead entry timeout interval has elapsed, which removes the entry from the logon user lists on the Collector Agent.

However, the entry isn't removed from the firewall in the "Firewall User Monitor" section.

Am I missing a parameter for login database synchronisation between the Collector Agent and Fortigate?

I'm running FortiOS version 5.6.5 on an ESX VM, and my corresponding Collector Agent is running on Win7 Service Pack 1.

Thank you in advance for your feedback.

Best regards

Benjamin

Fishbone_FTNT

Hi Benjamin,

Your understanding is correct: if a dead entry is expired, it's removed and a notification of FSSO logoff is sent out to all interested Fortigates.

That being said, logon lists from the CA must be in sync with the FSSO list (and also the firewall auth list) on Fortigate automatically. If they are not, something is wrong.

I would suggest investigating the problem further with authd debug enabled on Fortigate to see what's up there once such a logoff message is received, and correlating it with FSSO CA debug level logging.

 

-Fishbone

smithproxy hacker - www.smithproxy.org

bca

Hello Fishbone,

Thank you so much for your time and interest in this.

I'll try to figure out what is going on there.

BR

Benjamin

bca
New Contributor

Hello Fishbone,

Problem solved: I had information that Win7 isn't a supported platform for CA installation.

Now the CA is directly installed on my Win2k8 DC server and logoff is correctly updated on Fortigate when a dead entry occurs.

Thank you for your help.

BR

Benjamin
