For about 4 weeks now I have started to see some gaps in the logs for forward traffic.
Some logs with the gaps are matched to IPs of user machines, but they are getting deny all as it cannot validate a policy against a user.
FSSO is set up and looks to be working correctly; the only thing that has changed was a change of certificate that we were using for SSL Inspection, as we reconfigured our NPS server.
I am at a bit of a loss at what else to look at.
Hi Thomas,
Could you please clarify whether you can correlate the gaps you are referring to with deny traffic in the forward logs; you can verify this by filtering the log with the source IP.
Once you have confirmed that the traffic is being denied, you would then need to check if there is an FSSO user entry for that particular IP, by running the following command on the CLI.
diagnose debug authd fsso list | grep 192.x.x.x
The IP can also be replaced with the username.
With the above you can check if the user entry was forwarded to the FortiGate or not; if there isn't any entry when there was supposed to be, you then need to check the FSSO collector agent and check for user information.
If you find the user information but not on the FortiGate, then we must check to see if there is any communication issue between the FortiGate and the collector agent.
If there is no entry in the collector agent, then this could be a polling issue wherein the logon event is missed by the collector agent or the DC agent, depending on what your setup is.
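The first two checks in the answer above (filter the forward log by source IP for denies, then see whether that IP has an FSSO logon entry) can be scripted against exported data so every denied IP is classified in one pass rather than grepped one at a time. The following is an added example, not code from the thread or from Fortinet: it parses constructed FortiGate key=value traffic log lines, parses a constructed approximation of `diagnose debug authd fsso list` output (the exact field layout varies by FortiOS version and is an assumption here), and reports, per denied source IP, whether the FortiGate holds an FSSO entry for it and which of the answer's next steps applies.

```python
import re
from collections import defaultdict

# Constructed sample of FortiGate forward-traffic log lines (key=value format).
# Not taken from the thread; IPs are documentation ranges.
SAMPLE_TRAFFIC_LOG = """\
date=2025-01-10 time=09:01:02 type="traffic" subtype="forward" srcip=192.0.2.10 dstip=198.51.100.5 dstport=443 action="deny" policyid=0 user=""
date=2025-01-10 time=09:01:05 type="traffic" subtype="forward" srcip=192.0.2.11 dstip=198.51.100.5 dstport=443 action="accept" policyid=7 user="EXAMPLE\\alice"
date=2025-01-10 time=09:02:10 type="traffic" subtype="forward" srcip=192.0.2.12 dstip=198.51.100.9 dstport=80 action="deny" policyid=0 user=""
date=2025-01-10 time=09:02:11 type="traffic" subtype="forward" srcip=192.0.2.10 dstip=198.51.100.9 dstport=80 action="deny" policyid=0 user=""
"""

# Constructed approximation of 'diagnose debug authd fsso list' output.
# Assumption: each logon is one line beginning "IP: <ip>  User: <name> ...".
SAMPLE_FSSO_LIST = """\
----FSSO logons----
IP: 192.0.2.11  User: alice  Groups: CN=Staff,OU=Groups,DC=example,DC=com  Workstation: WS-ALICE
IP: 192.0.2.12  User: bob  Groups: CN=Staff,OU=Groups,DC=example,DC=com  Workstation: WS-BOB
Total number of logons listed: 2
"""

# key=value pairs; quoted values may contain spaces, unquoted ones end at whitespace.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# One FSSO logon line: IP followed by the user name (assumed layout, see above).
FSSO_RE = re.compile(r'^IP:\s*(\S+)\s+User:\s*(\S+)')


def parse_traffic_log(text):
    """Parse key=value log lines into a list of dicts with quotes stripped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for m in KV_RE.finditer(line):
            key = m.group(1)
            val = m.group(3) if m.group(3) is not None else m.group(2)
            rec[key] = val
        records.append(rec)
    return records


def denied_sources(records):
    """Count forward-traffic entries denied with no user attached, per source IP."""
    counts = defaultdict(int)
    for r in records:
        if (r.get("subtype") == "forward" and r.get("action") == "deny"
                and not r.get("user")):
            counts[r["srcip"]] += 1
    return dict(counts)


def parse_fsso_list(text):
    """Map IP -> user name from the FSSO logon list output."""
    logons = {}
    for line in text.splitlines():
        m = FSSO_RE.match(line.strip())
        if m:
            logons[m.group(1)] = m.group(2)
    return logons


def triage(traffic_text, fsso_text):
    """For each denied source IP, report whether the FortiGate has an FSSO entry
    for it and which check from the answer comes next."""
    denied = denied_sources(parse_traffic_log(traffic_text))
    logons = parse_fsso_list(fsso_text)
    result = {}
    for ip, n in sorted(denied.items()):
        user = logons.get(ip)
        if user is None:
            step = "no FSSO entry on FortiGate; check the collector agent for this IP"
        else:
            step = "FSSO entry present on FortiGate; the deny is not a missing logon"
        result[ip] = {"denies": n, "fsso_user": user, "next_step": step}
    return result


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_TRAFFIC_LOG, SAMPLE_FSSO_LIST).items():
        print(f"{ip}: {info['denies']} denies, user={info['fsso_user']} -> {info['next_step']}")
```

On real data, feed the script an exported forward log (the same key=value lines the FortiGate writes to disk or syslog) and the full `diagnose debug authd fsso list` output; adjust `FSSO_RE` if your FortiOS version prints the logon lines in a different layout.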
Hello thomasd1,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Copyright 2025 Fortinet, Inc. All Rights Reserved.