- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate FSSO Agent - Logon/Logoff events
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate FSSO Agent - Logon/Logoff events
I have configured FSSO for a client in conjunction with and explicit proxy on a Fortigate FW and works well. Testing has highlighted a potential issue I wasn't aware of, in that when a user locks their workstation, the FG is sent a logoff event from the collector agent. Result of this is that the workstation can no longer authenticate through the explicit proxy as there is no user/IP entry due to the logoff event. Obviously whilst the workstation is locked the user doesn't need to browse the web, however the logs show that applications are still trying to access the internet, such as MS Office365 but are being denied.
When the user unlocks the workstation a logon event is sent to the FG and the user can browse again through the proxy. There seems to be a small delay in the FG getting the logon event and then authenticated through the proxy, which impacts the user experience.
I've been searching to find out whether this is expected behaviour but can't find anything related. Windows event IDs for workstation lock/unlock are 4800 and 4801 but these aren't monitored from what I can see.
Does anyone know if there is any way of preventing this behaviour occurring with the lock/unlock causing logoff/logon events?
Labels:
- Labels:
-
FortiGate
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi there,
Most likely if you specify only the logon events (instead of 0, 1, 2) you won't have the users logged off anymore.
Check what are the correct IDs for your server OS.
6) Logon Event ID poller. Increase the level to '2' instead of '0' of visibility of LOGS in all the FSSO-CAs, On the main screen of the FSSO-CA.
Select Advanced Settings -> Windows Security Event Logon -> Event IDs to poll.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FSSO-Complete-troubleshooting-for-TA...
Technical Tip: Windows event IDs used by FSSO in WinSec polling mode
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Windows-event-IDs-used-by-FSSO-in...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was looking at this earlier, although I'm not sure which events are causing the logoff in the Fortigate FSSO logs and user event logs.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The behavior you observed with FSSO on Fortigate can occur due to how FSSO detects user logon/logoff events. Here are potential solutions:
- Check FSSO Event Monitoring: Ensure FSSO isn't misinterpreting lock/unlock events as logoff/logon events.
- Use Polling Mode: Consider switching to polling mode where FSSO polls domain controllers for logon sessions, reducing false logoff detections.
- Adjust Session TTL: Increase the session Time-To-Live on Fortigate to give users a longer grace period.
- Update Collector Agent: Ensure the FSSO collector agent is up-to-date and correctly configured.
- Debug: Check Fortigate's debug logs for insights into logon/logoff event processing.
- Contact Fortinet: If issues persist, reach out to Fortinet support or their community forums.
Always ensure changes made don't compromise security.
Siddhanth Poojary
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO has never monitored logoff events in the domain, and to my knowledge also does not interact with locking events.
The immediate trigger for the logoff will be identifiable from the Collector's logs, but as they are quite unreadable for an untrained eye, I would recommend reaching out to TAC for assistance with this.
(I am assuming basic FSSO with either event log parsing or DC Agents; if you're using TS Agents or FSSOMA (mobility agent feature of FortiClient), let us know)
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is basic FSSO with CA and DC Agents. How does the FG get informed of a logoff event if it is not monitoring logoff events, must be some information from the DC? I can logoff events from the CA in the user event logs.
I will do some further investigation on this, had some feedback earlier with someone testing lock/unlocking of their workstation that they didn't get the logoff event, just a logon event when unlocking. It may be an isolated case.
Created on 09-18-2023 07:14 AM Edited on 09-18-2023 07:17 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> How does the FG get informed of a logoff event if it is not monitoring logoff events, must be some information from the DC?
User removal from FSSO is handled by workstation check and dead entry timer.
Workstation check is started ever X minutes (5 by default), using WMI to attempt to read the username of the currently logged in user.If the username matches, entry is kept. If the username is different, or none at all (nobody logged in), the FSSO entry is removed. Note that this works with user sessions in general, the state of it is not relevant (i.e. no difference between user logged in and working, and away with locked screen).
If workstation check doesn't work at all (disabled, or failing due to PC being off, offline, or maybe due to WMI permission issues), then dead entry timer starts and the user's FSSO session gets wiped once the timer reaches zero (8 hours be default; timer resets with every new successful workstation check or a new logon event by the same user on the same PC/IP).
Logoff events aren't utilized because they are notoriously useless for detecting a user's state. I often see a bunch of "logoff events" in the DC's logs despite the user continuously being logged in on their PC.
[ corrections always welcome ]
Related Posts
- Deep inspection with streaming media 39 Views
- NO internet connection when using static... 154 Views
- free vpn client certificate problems 163 Views
- SSL VPN on LTE Disconnecting Frequently 114 Views
- new switch license 130 Views
Labels
-
FortiGate
6,534 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.