Hi all
I am new to Fortigate (this is also my 1st post to the forum) and attempted to setup FSSO. I followed the steps as described in this link (http://cookbook.fortinet.com/providing-single-sign-using-ldap-fsso-agent-advanced-mode-expert/), hiowever after completing all the steps - I can see the logins from my users in the FSSO agent installed on the DC, however I am seeing nothing on Fortigate. There is no user entry under "User & Device > Monitor > Firewall" - and from CLI I get the below:
# diagnose debug authd fsso listDid I miss something or do something wrong? Any advice welcome.
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----
Solved! Go to Solution.
As you set up standalone Collector Agent on DC (if you followed cookbook receipt), then you do not need Local FSSO poller on FortiGate .. remove it from 'config user fsso-polling'.
Make sure that your fsso 'config user adgrp' records are paired to right Collector "TCMVPN-FSSO" and not to local poller.
Then check users in Collector / Show Logon Users and their group membership. It seems to me probable that they are not matching group filters set and therefore they are not reported to FortiGate. Check Group Filters on Collector and on FortiGate. If you run in advanced mode then filters should be in LDAP format like "CN=group,DC=example,DC=com". Also make sure that you have selected LDAP objects which are actually groups (they must have LDAP ObjectClass=group) and not users or anything else!
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi
Thanks for the advice. Running the commands I get the the below output for the 1st set.
_event_read[TCMVPN-FSSO]: received heartbeat 100408
[authd_fsae_app.c:116]: num 1, idx 0, 127.0.0.1:8000
_event_error[Local FSSO Agent]: error occurred in read: Connection refused
disconnect_server_only[Local FSSO Agent]: disconnecting
I checked the DC ports (netstat -ant| more) and I can see it listening on the ports 389,3268 and 8000 -- but no 8002.
From the FSSO Agent on the DC I can see that the listening ports are configured as Fortigate - 8000 and DC agent - 8002. Windows Firewall is disabled completely with no 3rd party FW installed.
For the second set of commands I get the below output:
# diagnose debug authd fsso server-status
Server Name Connection Status Version
----------- ----------------- -------
Local FSSO Agent waiting for retry
TCMVPN-FSSO connected FSSO 5.0.0244
As you set up standalone Collector Agent on DC (if you followed cookbook receipt), then you do not need Local FSSO poller on FortiGate .. remove it from 'config user fsso-polling'.
Make sure that your fsso 'config user adgrp' records are paired to right Collector "TCMVPN-FSSO" and not to local poller.
Then check users in Collector / Show Logon Users and their group membership. It seems to me probable that they are not matching group filters set and therefore they are not reported to FortiGate. Check Group Filters on Collector and on FortiGate. If you run in advanced mode then filters should be in LDAP format like "CN=group,DC=example,DC=com". Also make sure that you have selected LDAP objects which are actually groups (they must have LDAP ObjectClass=group) and not users or anything else!
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi xSilver - thank you for the Feedback. I removed the local FSSO Agent and also changed the collector to Advanced Mode on the DC.
Everything is working now as expected - policies work and the Users are populated correctly. Thanks :)
Don't mean to hijack this thread, but xsilver can you explain something that you mentioned there? We're using our AD servers as SSO on our FortiGate, no local agent, polling only. And this does work great as it assigns a user to a device when they log on.
I noticed that SSO only assigns users to devices when they log in if I choose security groups in the SSO config. I can't use 'users' or 'OU' even though they are available as selections. If I choose an OU, in the logs it shows users signing in and out, but users won't be assigned to a device. Is there a reason only security groups can be used? Thanks!
Hi gsarica,
reason is simple, FSSO need to know to which AD groups user belongs to and it is gathered via LDAP and query for MemberOf compared to Members LDAP attributes. So your Collector (in local polling FortiGate act as Collector) can gather this group membership info aside to source IP, workstation name and user name to FortiGate, which then map user to Firewall (fsso type) user group based on AD group membership.
So if you question OU or CN (but user and not group), then you do not have MemberOf and Members attributes, and therefore there is nothing to use for proper FSSO function.
If you really want to use OU on behalf of group objects, then you would need standalone Collector Agent version 5.x installed on DC as those do support OU polling.
FortiGate local poller and collector are trully limited in their functionality to bare minimum.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
I see, thank you. Totally makes sense.
Hello All
I'm having some issues with FSSO. On the FortiGate the FSSO status Online (green tick)
On the FSSO Agent, we can see over 1000 Authenticated users.
I am also able to telnet to the FSSO Server on port 8000.
I then deployed an LDAP FSSO as well, but I am still unable to see Authenticated Users.
Any additional trouble shooting commands will be greatly appreciated.
FGFW_300D_Master # exe telnet 192.168.0.141 8000 Trying 192.168.0.141... Connected to 192.168.0.141. Z▒ Ժ FSSO 5.0.0251i c▒8▒▒o74 CU~FSAE_SERVER_10001Connection closed by foreign host. FGFW_300D_Master # exe telnet 192.168.0.142 8000 Trying 192.168.0.142... Connected to 192.168.0.142. Z▒ Ի FSSO 5.0.0251#i5▒▒rC9▒)EFSAE_SERVER_10001Connection closed by foreign host. FGFW_300D_Master #
FGFW_300D_Master #
FGFW_300D_Master # diagnose debug authd fsso list ----FSSO logons---- Total number of logons listed: 0, filtered: 0 ----end of FSSO logons----
FGFW_300D_Master # FGFW_300D_Master # FGFW_300D_Master # diag debug enable FGFW_300D_Master # diagnose debug authd fsso server-status Server Name Connection Status Version ----------- ----------------- ------- 2018-06-12 10:33:36 Client-FSSO connected FSSO 5.0.0251 2018-06-12 10:33:36 Client-LDAP connected FSSO 5.0.0251 diagnose debug dis FGFW_300D_Master # FGFW_300D_Master # FGFW_300D_Master # diag debug enable FGFW_300D_Master # diagnose debug application authd 8256 2018-06-12 10:34:01 _event_read[Client-FSSO]: received heartbeat 119915 2018-06-12 10:34:02 _event_read[Client-LDAP]: received heartbeat 119916 2018-06-12 10:34:11 _event_read[Client-FSSO]: received heartbeat 119916 2018-06-12 10:34:13 _event_read[Client-LDAP]: received heartbeat 119917 2018-06-12 10:34:21 _event_read[Client-FSSO]: received heartbeat 119917 2018-06-12 10:34:23 _event_read[Client-LDAP]: received heartbeat 119918 2018-06-12 10:34:32 _event_read[Client-FSSO]: received heartbeat 119918 2018-06-12 10:34:33 _event_read[Client-LDAP]: received heartbeat 119919 2018-06-12 10:34:42 _event_read[Client-FSSO]: received heartbeat 119919 2018-06-12 10:34:43 _event_read[Client-LDAP]: received heartbeat 119920 2018-06-12 10:34:52 _event_read[Client-FSSO]: received heartbeat 119920 2018-06-12 10:34:53 _event_read[Client-LDAP]: received heartbeat 119921 2018-06-12 10:35:02 _event_read[Client-FSSO]: received heartbeat 119921 2018-06-12 10:35:03 _event_read[Client-LDAP]: received heartbeat 119922 2018-06-12 10:35:12 _event_read[Client-FSSO]: received heartbeat 119922 2018-06-12 10:35:13 _event_read[Client-LDAP]: received heartbeat 119923
Regards
Corné
Fortigate 600D v5.6.4 build1575 (GA) Windows Server 2008 R2 Windows 7 with FSSO Agent ver. 5.0.0267
Hello, I`m trying to configure FSSO using FSSO Agent (Collector Agent) in Polling Mode (polling logon sessions from DC) using WMI (FSSO Agent is installed on separate machine - not DC), agent is running on domain user account with domain admin privileges, so this account also has privilages to access Windows Security Event Logs).
On all devices in domain Audit logon events is enabled via GPO.
When FSSO Agent use Poll logon sessions using Windows NetAPI option - everything works.. but I have to change it to WMI because sometimes FG has some mismatch user/user to domain group or FG doesn`t see some users.
As I read in documentation, the prefered way to use Polling Mode is to checking Windows Security Event Logs using WMI.
All necessery ports to communication are not blocked by firewall (139,389, 445,3268,8000,8002..)
Some debug logs…
diag debug auth fsso server-status
Server Name Connection Status Version Address
----------- ----------------- ------- -------
SRV07B connected FSSO 5.0.0267 172.16.44.172
diagnose debug authd fsso list
----FSSO logons----
Total number of logons listed: 0, filtered: 0
----end of FSSO logons----
diagnose debug application authd 8256
d_event_read[SRV07B-DMZ]: received heartbeat 102285
_event_read[SRV07B]: received heartbeat 102286
_event_read[SRV07B-DMZ]: received heartbeat 102290
_event_read[SRV07B]: received heartbeat 102291
_event_read[SRV07B]: received heartbeat 102296
_event_read[SRV07B-DMZ]: received heartbeat 102295
_event_read[SRV07B]: received heartbeat 102301
_event_read[SRV07B-DMZ]: received heartbeat 102300
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B-DMZ]: received heartbeat 102305
_event_read[SRV07B]: received heartbeat 102306
_event_read[SRV07B]: received heartbeat 102311
_event_read[SRV07B-DMZ]: received heartbeat 102310
_event_read[SRV07B-DMZ]: received heartbeat 102315
_event_read[SRV07B]: received heartbeat 102316
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B-DMZ]: received heartbeat 102320
_event_read[SRV07B]: received heartbeat 102321
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B]: received heartbeat 102326
_event_read[SRV07B-DMZ]: received heartbeat 102325
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
_event_read[SRV07B-DMZ]: received heartbeat 102330
_event_read[SRV07B]: received heartbeat 102331
_event_read[SRV07B-DMZ]: received heartbeat 102335
_event_read[SRV07B]: received heartbeat 102336
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
[authd_fpc_on_msg:544]: code 0, type 133, len 20 seq 0
CollectorAgnet Log – (debug mode)
07/17/2018 10:23:55 [ 3832]
07/17/2018 10:23:55 [ 3832]
07/17/2018 10:23:55 [ 3832] [EPPoller]DoIpLsiMapCleanup(): before=0, after=0
07/17/2018 10:23:55 [ 3832]
07/17/2018 10:23:55 [ 3832] [LSPoller]PackMsg(KEEPALIVE, srv06.kfr.local, 1531815835)
07/17/2018 10:23:55 [ 3832] Bytes received from DC agent(3327): 47 dcagent IP: 0c2810ac, MT=00010000
07/17/2018 10:23:55 [ 3832] dcagent packet: add to queue, called:3327, current:0
07/17/2018 10:23:55 [ 3832] [LSPoller]DoPolling(ip=0C2810AC, host=KFR/srv06.kfr.local): r=0
07/17/2018 10:23:55 [ 3264] process_dcagent_events called by worker:121
07/17/2018 10:23:55 [ 3264] dcagent packet: removed from queue, called:3327 remain:0
07/17/2018 10:23:55 [ 3264] get dcagent event from processing queue by worker:121
07/17/2018 10:23:55 [ 3264]
07/17/2018 10:23:55 [ 3264] dcagent packet: processed:3327
07/17/2018 10:23:55 [ 3264] logon event(3327): len:47 dc_ip:172.16.40.12 time:1531815835 len:34 data:srv06.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:55 [ 3264] ignore keepalive packet
07/17/2018 10:23:55 [ 3264]
07/17/2018 10:23:55 [ 3264] process_dcagent_events returned by worker:121, processed:1
07/17/2018 10:23:55 [ 1904] check the entry to see if the user's group info changed
07/17/2018 10:23:55 [ 1904] check the cache to send logon events
07/17/2018 10:23:56 [ 1904] check the cache to send logon events
07/17/2018 10:23:57 [ 1904] check the cache to send logon events
07/17/2018 10:23:57 [ 1356] [LSPoller]DoPolling(ip=0B2810AC, host=KFR/srv05.kfr.local)-->
07/17/2018 10:23:57 [ 1356]
07/17/2018 10:23:57 [ 1308] [LSPoller]DoPolling(ip=282810AC, host=KFR/SRV30.kfr.local)-->
07/17/2018 10:23:57 [ 1308]
07/17/2018 10:23:57 [ 1356]
07/17/2018 10:23:57 [ 1356]
07/17/2018 10:23:57 [ 1356]
07/17/2018 10:23:57 [ 1356] [LSPoller]PackMsg(KEEPALIVE, srv05.kfr.local, 1531815837)
07/17/2018 10:23:57 [ 1356] Bytes received from DC agent(3328): 47 dcagent IP: 0b2810ac, MT=00010000
07/17/2018 10:23:57 [ 1356] dcagent packet: add to queue, called:3328, current:0
07/17/2018 10:23:57 [ 1356] [LSPoller]DoPolling(ip=0B2810AC, host=KFR/srv05.kfr.local): r=0
07/17/2018 10:23:57 [ 1308]
07/17/2018 10:23:57 [ 1308]
07/17/2018 10:23:57 [ 1308]
07/17/2018 10:23:57 [ 1308] [LSPoller]PackMsg(KEEPALIVE, SRV30.kfr.local, 1531815837)
07/17/2018 10:23:57 [ 1308] Bytes received from DC agent(3329): 47 dcagent IP: 282810ac, MT=00010000
07/17/2018 10:23:57 [ 1308] dcagent packet: add to queue, called:3329, current:1
07/17/2018 10:23:57 [ 1308] [LSPoller]DoPolling(ip=282810AC, host=KFR/SRV30.kfr.local): r=0
07/17/2018 10:23:57 [ 2600] process_dcagent_events called by worker:2
07/17/2018 10:23:57 [ 2600] dcagent packet: removed from queue, called:3328 remain:1
07/17/2018 10:23:57 [ 2600] get dcagent event from processing queue by worker:2
07/17/2018 10:23:57 [ 2600]
07/17/2018 10:23:57 [ 2600] dcagent packet: processed:3328
07/17/2018 10:23:57 [ 1288] process_dcagent_events called by worker:0
07/17/2018 10:23:57 [ 1288] dcagent packet: removed from queue, called:3329 remain:0
07/17/2018 10:23:57 [ 1288] get dcagent event from processing queue by worker:0
07/17/2018 10:23:57 [ 1288]
07/17/2018 10:23:57 [ 1288] dcagent packet: processed:3329
07/17/2018 10:23:57 [ 2600] logon event(3328): len:47 dc_ip:172.16.40.11 time:1531815837 len:34 data:srv05.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:57 [ 2600] ignore keepalive packet
07/17/2018 10:23:57 [ 2600]
07/17/2018 10:23:57 [ 2600] process_dcagent_events returned by worker:2, processed:1
07/17/2018 10:23:57 [ 1288] logon event(3329): len:47 dc_ip:172.16.40.40 time:1531815837 len:34 data:SRV30.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:57 [ 1288] ignore keepalive packet
07/17/2018 10:23:57 [ 1288]
07/17/2018 10:23:57 [ 1288] process_dcagent_events returned by worker:0, processed:1
07/17/2018 10:23:58 [ 3832] [LSPoller]DoPolling(ip=0C2810AC, host=KFR/srv06.kfr.local)-->
07/17/2018 10:23:58 [ 3832]
07/17/2018 10:23:58 [ 3832]
07/17/2018 10:23:58 [ 3832]
07/17/2018 10:23:58 [ 3832]
07/17/2018 10:23:58 [ 3832] [LSPoller]PackMsg(KEEPALIVE, srv06.kfr.local, 1531815838)
07/17/2018 10:23:58 [ 3832] Bytes received from DC agent(3330): 47 dcagent IP: 0c2810ac, MT=00010000
07/17/2018 10:23:58 [ 3832] dcagent packet: add to queue, called:3330, current:0
07/17/2018 10:23:58 [ 3832] [LSPoller]DoPolling(ip=0C2810AC, host=KFR/srv06.kfr.local): r=0
07/17/2018 10:23:58 [ 5108] process_dcagent_events called by worker:14
07/17/2018 10:23:58 [ 5108] dcagent packet: removed from queue, called:3330 remain:0
07/17/2018 10:23:58 [ 5108] get dcagent event from processing queue by worker:14
07/17/2018 10:23:58 [ 5108]
07/17/2018 10:23:58 [ 5108] dcagent packet: processed:3330
07/17/2018 10:23:58 [ 5108] logon event(3330): len:47 dc_ip:172.16.40.12 time:1531815838 len:34 data:srv06.kfr.local/KEEPALIVE/Polling ip:255.255.255.255
07/17/2018 10:23:58 [ 5108] ignore keepalive packet
07/17/2018 10:23:58 [ 5108]
07/17/2018 10:23:58 [ 5108] process_dcagent_events returned by worker:14, processed:1
07/17/2018 10:23:58 [ 1904] check the cache to send logon events
Any ideas ?
Hi,
from collector debug log there seems to be no events polled.
Instead of NetAPI I'd try WinSec polling, this time without WMI.
So Collector will use standard SMB RPC call to read Security event log.
I'd also make sure that Collector process runs under Domain Admins member account to have enough privileges to read WinSec log and do necessary steps. This is default account type recommended.
If WinSec will work, then issue is with WMI, so check for any changes to default WMI access settings.
Some details can be found in KB.Fortinet.com http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36039
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.