menatwork
New Contributor III

Fortinet external AD Connector and retrieving of ad-user working / ad-userbased policy not

Hello,

I was able to set up external AD connector and retrieve users from AD-Server. But, as soon as I use a retrieved user in a policy (LAN-WAN) the user is not able to connect to the internet. 

The policy itself has as source the name of the ad-user & all. Destination: all, Services ALL.

Debuglog shows:

smbcd: rpc_cmd_eventlog_read:946 init=0, eof=1, timestamp=1715756519, Wed May 15 07:01:59 2024
status=0
smbcd: smbcd_process_request:987 got cmd id: 6
smbcd: smbcd_process_request:1000 got rpc log field.
smbcd: smbcd_process_request:1012 got rpc username: fortiadlookup
smbcd: smbcd_process_request:1018 got rpc password: XXXXXXXX
smbcd: smbcd_process_request:1022 got rpc port: 0
smbcd: smbcd_process_request:1028 got rpc logsrc: security
smbcd: smbcd_process_request:1121 got net_addr
smbcd: smbcd_process_request:1006 got rpc server: 192.168.10.234
smbcd: smbcd_process_request:1055 got VFID, 0
smbcd: smbcd_process_request:1194 got rpc eventlog read command
smbcd: rpccli_eventlog_open:202 /code/daemon/smbcd/smbcd_eventlog.c-202: evenglog handle get failed.nt_status:-1073741790. Retry to open pipe with auth.
smbcd: eventlog_read:621 loop=0, timestamp=1715756519, Wed May 15 07:01:59 2024

smbcd: rpc_cmd_eventlog_read:946 init=0, eof=1, timestamp=1715756519, Wed May 15 07:01:59 2024
status=0

All connection tests to the AD are working.

Am I missing something?

Thanks a lot!

EDIT: I think I will go and try the standalone Collector Agent as I read this one here:

Poll Active Directory issue after installed the Wi... - Page 2 - Fortinet Community

and diagnosed things by doing:

How to troubleshoot FSSO agentless pollin... - Fortinet Community
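An added helper, not from the thread or from Fortinet, that decodes the smbcd debug output posted above: it pulls out the poller account, target server and log source, and converts the signed nt_status value into its NTSTATUS code and name (the small lookup table is taken from the public NTSTATUS reference; the log text is a constructed copy of the lines above).

```python
import re

# Constructed copy of the smbcd debug lines from the post (password line omitted).
SMBCD_LOG = """\
smbcd: smbcd_process_request:1012 got rpc username: fortiadlookup
smbcd: smbcd_process_request:1028 got rpc logsrc: security
smbcd: smbcd_process_request:1006 got rpc server: 192.168.10.234
smbcd: rpccli_eventlog_open:202 /code/daemon/smbcd/smbcd_eventlog.c-202: evenglog handle get failed.nt_status:-1073741790. Retry to open pipe with auth.
smbcd: rpc_cmd_eventlog_read:946 init=0, eof=1, timestamp=1715756519, Wed May 15 07:01:59 2024
"""

# NTSTATUS codes a defender typically meets when a poller cannot open the
# Security event log over RPC (values from the public NTSTATUS reference).
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}


def ntstatus_code(signed: int) -> int:
    """smbcd prints NTSTATUS as a signed 32-bit int; recover the unsigned code."""
    return signed & 0xFFFFFFFF


def ntstatus_name(signed: int) -> str:
    code = ntstatus_code(signed)
    return NTSTATUS_NAMES.get(code, f"unknown NTSTATUS 0x{code:08X}")


def parse_smbcd(log: str) -> dict:
    """Summarise one smbcd polling cycle: who polled what, and any RPC error."""
    info = {"errors": []}
    for line in log.splitlines():
        field = re.search(r"got rpc (username|server|logsrc): (\S+)", line)
        if field:
            info[field.group(1)] = field.group(2)
            continue
        status = re.search(r"nt_status:(-?\d+)", line)
        if status:
            signed = int(status.group(1))
            info["errors"].append({
                "code": f"0x{ntstatus_code(signed):08X}",
                "name": ntstatus_name(signed),
                # smbcd falls back to an authenticated pipe after this failure
                "retry_with_auth": "Retry to open pipe with auth" in line,
            })
        eof = re.search(r"eof=(\d)", line)
        if eof:
            info["eof"] = eof.group(1) == "1"   # eof=1: the log read finished
    return info
```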

saleha
Staff

Hi,

Thank you for reaching out. In all polling modes, the main thing to check first is whether the user is in the firewall auth list after they log on:

# di firewall auth lis

- In case the FSSO agent is installed on one of the domain controllers instead of having the firewall poll directly from ldap, the recommendation is to first check whether the logon is captured on the FSSO agent using its logs. In this case I recommend enabling the option "log logon events in separate log file" and setting the "log level" to "debug" to allow you to troubleshoot properly.

- If the logon is captured on the FortiGate in the auth list, then check the firewall policy, make sure there is no misconfiguration, or possibly recreate the policy. Check the forward traffic logs and finally run the trace flow commands below, clear the sessions for the source IP and analyze the output of the flow commands:
- debug flow:

di de reset

di de flow filter saddr x.x.x.x -------- you can also use daddr for destination instead of source ip if you believe it is a better filter

di de flow filter port xxxx -------- example port 443 for https, 3389 for RDP etc

or

di de flow filter proto 1 --------- assuming test is done with icmp packets

di de flow show function enable

di de flow show iprope enable

di de flow trace start 999 ---------- you can reduce this the amount of events to capture or increase to the number you see fit

di de console time en

di de en

- clear sessions

di sys session filter src x.x.x.x ------------ you can use "?" mark with the command "di sys session filter" to see full list of available filters

di sys session clear

Thank you,

saleha

hbac
Staff

Hi @menatwork,

Can you see users in the auth list? "diagnose firewall auth list"

Regards, 

menatwork
New Contributor III

@saleha Hi, logons are captured. The problem was that I had to log off and log on again (on my PC) ;) Then my user was also "captured" in the logon logs.

After that I created a user group with the AD OU my user is in and created a firewall rule (LAN / Source: all and the user group of the SSO AD OU ->> WAN).

Now if I log on with my user I am able to surf the internet. If I use a user who is not in the above-mentioned OU, Internet stops working. So this is how it should be, I assume.

@hbac : Thanks for the CLI command. Yes, there are users inside of it.

Now I just have to figure out why the FGT is showing no Firewall Users when I open Users & Devices. If I check the forward traffic log, I can see my username is logged correctly.

Another thing is: can we only use AD OU groups with users in them, or is there also a possibility to create the firewall SSO groups with single usernames coming from the AD sync? I am unable to find single AD users on the FGT SSO, only OU groups.

Debbie_FTNT

Hey menatwork,

there should usually be a toggle to display FSSO users in 'Firewall Users' widget as well.

If the toggle is not available for some reason, it can be found slightly hidden as follows:

Click on the Options menu for the widget, then select Settings.

This should bring up this screen:

Simply enable 'Show all FSSO Logons', click OK, and you should start seeing FSSO users listed as well (if you have any).

Regarding FSSO groups limited to single users - this is MAYBE (technically) possible.

-> FortiGate filters FSSO logins with a particular config snippet, 'config user adgrp'

-> these are essentially just lists of the AD groups, and what FSSO connector they belong to (in your case it probably says Local FSSO Agent)

-> you can technically create those manually as well, and then they become available if you try to create a user group of type FSSO

-> you could create entries in 'config user adgrp' that match specific users (following the same syntax as existing objects!), then create user groups of type FSSO and utilize the adgrp entries you created manually

I have never tested this! I cannot guarantee it will work, and I would suggest limiting the testing to only a few users, to ensure you do not break FSSO for anyone else!

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
saleha
Staff

Hi menatwork,

The Users and Devices page depends on device identification being enabled on the interface where this traffic is incoming. You should be able to create groups based on AD groups; I am not sure it is possible for FSSO. I know if you set up an LDAP server you can create LDAP users and add them to their own group, but FSSO does not have the same option.

Thank you,

saleha

menatwork
New Contributor III

@saleha thanks for your reply. I will continue playing with this for a while.
