Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Setup config for 2 Fortigates
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Setup config for 2 Fortigates
I have 1 domain and 4 domain controllers. My Organisation is split over 2 sites but connected by a layer 2 link.
Active Directory has 2 sites. Default First Site and Second Site.
I have an Internet connection at each site.
I have a Fortigate at each site.
Workstations at each site register the logon events in the domain controllers at their site as expected.
At the moment my config is as follows
Site1
DC1 = Collector agent and DC agent installed. FortiGate firewall/FSSO Agent looking at DC1
DC2 = DC agent pointing at DC1 collector agent
Site2
DC3 = Collector agent and DC agent installed. FortiGate firewall/FSSO Agent looking at DC3
DC4 = DC agent pointing at DC3 collector agent
Essentially, I am trying to keep everything on the sites separate. The reg keys (CA) have the correct IP addresses.
However, within 'Show logon Users' on the FSSO agent, I see users from the other site (for both sides). 90% of users are for the correct site but 10% are from the other site. I am not sure how they are getting into there.
Show Monitored DCs has the 2 Domain controllers for each site (the don't have all 4 connected).
Is my setup wrong?
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @insuirin
If these are separate locations and have different user database for each domain controller ,make sure that on DC Agents you have configured correct CA IP there, when you open DC Agent Configuration Utility on the right side you will see Collector Agent List ,make sure that IPs are correct there.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is a single Active Directory domain with two 'sites' within AD Sites and Services. Logon events are generated in their respective domain controllers.
For example. In Site 1 (Default First Site), anyone on those subnets will have their logon event generated in either DC1 or DC2.
I have checked the CA list within the registry and it only shows the IP addresses for their respective sites so this is configured correctly. For example, DC1 and DC2 only have the collector agent IP address of DC1. DC3 and DC4 only have the collector agent of DC3.
I am just curious as to why some of the users (from Show Logon Users) is showing from the other site. It's only circa 10% of users. (90% are from the correct site.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @insuirin,
On the FortiGates, please make sure it is pointing to their respective FSSO Agent on their site. Also on the FSSO Agent, please check Monitored DCs.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Given that you've confirmed that logon events are correctly generated at their respective domain controllers based on AD Sites and Services, and that the collector agents' configurations appear correct, a few possibilities remain:
-
User Mobility: One straightforward possibility is user mobility or device mobility. If users from Site 2 occasionally visit Site 1 (or vice versa) and log onto machines, their logon events would appear in the "unexpected" site. The same goes for laptops or devices that might be moved between sites.
-
VPN or Remote Access: If you have VPNs or other remote access solutions in place, and users from one site connect to the other site's resources, their logon events might get recorded at the remote site's DCs. This could happen, for instance, if a user from Site 2 remotely accesses a server or resource at Site 1.
-
Application or Service Authentication: Sometimes, specific applications or services might authenticate against a DC that's not in their AD site. For example, an application server in Site 1 could be authenticating users against a DC in Site 2 for certain tasks, leading to those logon events appearing in the "wrong" site.
-
AD Replication or Trusts: Ensure that there isn't any misconfiguration with AD replication that might cause logon events to be replicated across DCs. Also, if there are any trusts (even within the same domain), they might cause unexpected authentication behaviors.
-
Stale or Cached Sessions: Stale sessions or cached logon information could cause users to appear in the FSSO "Show Logon Users" list even if they aren't actively logged on from that site.
-
FSSO Polling Behavior: FSSO agents actively poll the DCs for logon events. It's possible, though less likely, that there's a minor glitch or bug causing some events to be picked up incorrectly. Consider checking if your FSSO agents and FortiGate devices are running the latest recommended firmware or software versions. Sometimes, updating or even just restarting services can resolve unexpected behaviors.
It might be helpful to further diagnose by cross-referencing the specific users or devices that appear in the wrong site with actual network activities. Check their recent logon history, any applications or services they might have accessed, or any recent changes to their user profiles or group memberships. This deeper dive might provide more clues as to why they're appearing in the unexpected FSSO list.
Siddhanth Poojary
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regarding your point 1. I do have users who move between sites. Let me dig further.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Configuration on FortiGate verses FortiManager 195 Views
- ZTNA access to VMware 226 Views
- FortiGate VPN IPSec Tx Error 455 Views
- Help with Forti vm home lab... 235 Views
- Issues with IPsec VPN and RTSP... 261 Views
Labels
-
FortiGate
8,504 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
Fortiswitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.