Support Forum
zeki893
New Contributor II

Log & Report > Forward Traffic Logs not displaying user 5.4.1

I'm using 5.4.1. I set up FSSO and am trying to view user activity in the forward traffic logs, but the user column is blank. I know it is seeing the user because the policy allows that user and the web-filter logs display the user. Is this just a cosmetic bug in 5.4.1, or am I missing something here?

1 Solution
EntitledSuperUser

So I got it to work by starting from scratch. This is what I did (maybe not in this exact same order).

I am using two domain controllers for this; not sure if it matters, but this is my scenario.

  • Created one LDAP connection (Domain-1).
  • Created two Single Sign-On Connections: one connection (Domain-1) is a Poll Active Directory Server one that uses the LDAP server created above, so the IP and the LDAP server are the same (Domain-1). The other connection (Domain-2) is a Fortinet Single-Sign-On Agent one; this uses the IP of my other DC, but it uses the LDAP server from before (Domain-1). In this connection I selected the groups I want to monitor.
  • Installed the agent on Domain-2 (you have to reboot the server). I configured the following in here:
      • Monitor user logon events and Support NTLM Authentication.
      • Show Monitor DC – Select DC to monitor – selected Polling Mode using WMI and checked all my DCs.
      • Set Directory Access Information to Advanced. In the Advanced settings I just entered the LDAP info (Domain-2).
      • Set Group Filters – it pulls the info from the FortiGate, so I didn't touch anything.
      • In my case, because I am monitoring Citrix XenDesktop VMs, I went to the Advanced Settings under the Citrix/Terminal Server tab and specified all the Citrix servers I am monitoring. I also installed the TS Agents on these servers and specified the Fortinet SSO Collector Agent IP/Port to be Domain-2:8002.
  • In the FortiGate under User & Device – Single Sign-On I can see that the status for both Domain-1 and Domain-2 is green.
  • Under User & Device – User Groups, I created an FSSO Group and added the Active Directory members that I specified when I created the Single-Sign-On connection (Domain-2).
  • Under IPv4 Policy I created another policy (User to Internet) on top of an existing policy (Lan to Internet) that allows my internal network to access the internet. I originally tried to edit the Source of my existing policy and add the FSSO group in there; however, this caused some devastating issues because the users were not being authenticated and thus were not able to access the internet. So, if you make a new policy and put it on top of the existing one, in the event that users don't authenticate it will move to the next policy and still give them internet access.

The new policy I created has as its source an Address Group I created for my Citrix Servers and the FSSO group. I enabled the option to Log All Sessions. Once I got all this to work I enabled IPS, DLP, AV, Web-Filter, and CASI. Once all that was working I enabled SSL/SSH Inspection.

Log & Report – User Events is your friend. In the Forward Traffic Log, if you see the user and the icon is blue, it means the user was authenticated; if it is red, it wasn't.

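The steps in the accepted solution above, expressed as FortiOS 5.4 CLI, as an added example that is not part of the original post or of Fortinet's documentation. Object names, interface names, the 192.0.2.x addresses, the LDAP DNs, the service-account names, the "default" UTM profile names and the policy IDs (the existing Lan-to-Internet policy is assumed to be ID 5) are assumptions, and the Citrix-Servers address group is assumed to already exist. The last lines are the CLI checks worth running before looking at the log's user column: if `diagnose debug authd fsso list` holds no logon for the client IP, the traffic log's user field will be empty no matter how the policy is built.

```fortios
# Added example: FortiOS 5.4 CLI form of the GUI steps in the post above.
# All names, IPs, DNs and passwords are placeholders (assumptions).
# Lines starting with # are reader comments; strip them before pasting.

# 1. One LDAP server object (Domain-1), reused by both SSO connections.
config user ldap
    edit "Domain-1"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc-fortigate,cn=Users,dc=example,dc=local"
        set password "<service-account-password>"
    next
end

# 2a. Agentless "Poll Active Directory Server" connection (Domain-1).
config user fsso-polling
    edit 1
        set status enable
        set server "192.0.2.10"
        set default-domain "EXAMPLE"
        set user "svc-fortigate"
        set password "<service-account-password>"
        set ldap-server "Domain-1"
    next
end

# 2b. Collector Agent connection (Domain-2); group lookups still use Domain-1.
config user fsso
    edit "Domain-2"
        set server "192.0.2.11"
        set port 8000
        set password "<collector-agent-password>"
        set ldap-server "Domain-1"
    next
end

# 3. FSSO user group containing the AD group(s) selected on the Domain-2 connection.
config user group
    edit "FSSO-Internet-Users"
        set group-type fsso-service
        set member "CN=Internet Users,OU=Groups,DC=example,DC=local"
    next
end

# 4. Identity policy with "Log All Sessions", placed ABOVE the existing
#    "Lan to Internet" policy (assumed ID 5) so a host without an FSSO logon
#    falls through to the old policy instead of losing internet access.
#    UTM profiles are the built-in "default" ones; the post enabled them only
#    after user logging was confirmed working.
config firewall policy
    edit 10
        set name "User to Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Citrix-Servers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO-Internet-Users"
        set logtraffic all
        set utm-status enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set nat enable
    next
    move 10 before 5
end

# 5. Checks: connector status, the logon table the FortiGate actually holds
#    (IP -> user/group), and the user= / group= fields of recent traffic logs.
diagnose debug authd fsso server-status
diagnose debug authd fsso list
execute log filter category 0
execute log display
```

The order matters for the fall-through described in the post: `move 10 before 5` is what keeps the LAN-to-Internet policy as the catch-all. Category 0 in `execute log filter category` is the traffic log; in the displayed entries, a session that hit policy 10 carries `user=` and `group=` values, while a session that fell through to policy 5 has them empty, which is the CLI view of the blue versus red icon the post mentions.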

3 Replies
    EntitledSuperUser
    New Contributor II

I am having the same issue. I have a Citrix environment, and when I check the Source column I see the username with the server name in there, but when I check the User column it is empty.

    washie
    New Contributor

Hi, good day,

I'm actually here because of the same issue. I've also set up FSSO (polling) and added my users and groups, but no user is showing up in the user column when I check the forward logs. Plus, I'm running the explicit proxy feature, so I tried creating a user authentication policy to use Kerberos, but anytime I hit apply the settings don't save.

Can someone please help with this issue? I would really love to log user activity with Active Directory users.

