Good day. The client is experiencing issues when switching between LAN and wireless via FSSO. It seems as if the firewall is not refreshing/updating this correctly.
When the user switches off wifi and moves to a LAN IP address, the FSSO entry on the firewall is not updated. It still keeps the original IP address received on the wifi network even when the wifi device is switched off.
Please assist. Thank you
Hi,
The issue might be caused by DNS, which is not updated with the proper IP when you switch networks.
By default, MSFT DNS allows updates from DHCP but not from clients, and once DHCP assigns a new IP, the A DNS record is overwritten by that IP.
If that is spotted by FSSO in a new logon scenario, that IP is recorded.
If you then switch networks, no IP change happens and you are prohibited from access.
SOLUTIONS:
1. The best solution, IMHO, is to let DNS read and update A records from workstations, so that whenever a NIC gets an IP assigned it will ADD (and not overwrite) an A record in the DNS zone. The result will be multiple A records, and FSSO can handle up to 4. So your workstation can have up to 4 NICs with different subnets/IPs still registered in FSSO with the same user.
2. IF you want to keep just one record, and your DNS is getting overwritten properly whenever you change network, and you are NOT connected to more than one at the same time, then you can use the "verifyIP"=dword:00000000 registry key in HKEY_LOCAL_MACHINE\software\fortinet\fsae\collectoragent to make the Collector Agent periodically check DNS for changes. It will add DNS load and delay detection of the change until the next check, so it's not an instant change, but it will help you realize that the IP has changed while the user was still logged on to the workstation.
3. The worst solution is to log out and log in again after the network change, as it will trigger new logon processing and a new DNS query.
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
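An added helper script (not from Tomas's post or Fortinet) that checks the two things the post turns on: how many A records DNS currently holds for the workstation (point 1, with the 4-record FSSO limit the post mentions) and, optionally, sets the verifyIP registry value from point 2 on the Collector Agent host. The workstation name and zone are placeholders; the registry path and value are the ones quoted in the post.

```powershell
# Added example, not Fortinet's own tooling. Run on the Collector Agent host.
param(
    [string]$Workstation = 'WS-PLACEHOLDER',   # placeholder hostname
    [string]$Zone        = 'corp.example',     # placeholder AD DNS zone
    [switch]$SetVerifyIp                       # apply point 2 from the post
)

# 1. How many A records does DNS hold for this host right now?
#    One record means DHCP is overwriting it (the stale-IP case in the post);
#    several records is the point-1 setup, which FSSO handles up to 4 of.
$fqdn = "$Workstation.$Zone"
$ips = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
         Where-Object { $_.QueryType -eq 'A' } |
         Select-Object -ExpandProperty IPAddress)
Write-Host ("{0} has {1} A record(s): {2}" -f $fqdn, $ips.Count, ($ips -join ', '))
if ($ips.Count -gt 4) {
    Write-Warning 'More than 4 A records; FSSO will not track all of them.'
}
elseif ($ips.Count -eq 1) {
    Write-Host 'Single A record: a network switch will leave FSSO with a stale IP unless the Collector Agent re-checks DNS (point 2).'
}

# 2. Optionally enable periodic DNS re-verification on the Collector Agent,
#    using the key/value exactly as quoted in the post.
if ($SetVerifyIp) {
    $key = 'HKLM:\SOFTWARE\Fortinet\FSAE\collectoragent'
    if (-not (Test-Path $key)) { throw "Collector Agent registry key not found: $key" }
    Set-ItemProperty -Path $key -Name 'verifyIP' -Value 0 -Type DWord
    # Show the value that was written so the change can be confirmed.
    Get-ItemProperty -Path $key -Name 'verifyIP' | Select-Object verifyIP
}
```

Run it first without -SetVerifyIp to see which of the two situations in the post applies before changing the Collector Agent.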
Hello, could you indicate where I can find documentation on how this issue is handled on a timely basis (point 1), since I am seeing that the FSSO overwrites the entries and is not creating a record with the other segment of the wireless. Thank you
Hi,
my remarks about MSFT stuff are a bit outdated. On 2003, when I first saw this, it was best to start from this MSFT tech doc: https://docs.microsoft.co...2003/cc784052(v=ws.10)
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hello, recently we are facing the same issue. When the user changes network to a different IP range, the FortiGate is still keeping the IP where the user originally logged in. It does not seem it can handle up to 4 IPs. Do you have any trick for what we can do about it?
Thank you,
Jiri Skryja