We're using a FortiGate 300D (FortiOS 5.4) and have an AD FSSO Collector Agent (with WMI). Authentication is working fine except for a few users. For those users, for a reason I ignore, authentication is lost randomly, and then they lose their internet access. At that time they are not listed in "Show all FSSO Logons". They are not listed in "Show Logon Users" on the FSSO server either.
I know that they are authenticated on our Windows domain.
To be authenticated again they have to log off and log on on their PC, but after a random amount of time they get de-authenticated.
Basically, turn the Collector log to debug level and some 50MB size, and check what happened when such a user loses his access and is gone from the FSSO user list on the Collector.
1. It might appear that WMI received a logoff and so the Collector removed the user from the list.
2. It might appear that the user used 'Run as' and logged in somewhere under a different account, or some (possibly background) service has started on his workstation under a different account. Such events usually create a logon event on the DC with the workstation's source IP, causing the current user to be overwritten in the FSSO user list, as the workstation is believed to be owned/used by a single user at a time.
The setting "set auth-timeout" controls the authentication timeout for firewall authentication users. By default this value is set to 5 minutes.
    # config user setting
    # set auth-timeout <timeout_integer>
    # end
The auth-timeout range is 1 to 1440 minutes (24 hours).
The "auth-timeout type" setting controls how the authentication entry is removed.
    # config user setting
    # set auth-timeout-type ?
    idle-timeout    Idle timeout.
    hard-timeout    Hard timeout.
    new-session     New session timeout.
By default, authentication timeout type is set to "idle-timeout".
Idle timeout: User entry will be removed if there is no traffic received for configured idle time (5 minutes by default).
* User1 is authenticated by an identity-based policy and granted access to resources.
* Now the User1 idle timer can be triggered if there is no traffic received from the user; this can happen in one of the following scenarios:
  - User locked the computer.
  - User logged out of the computer.
  - User PC disconnected from the network.
  - User PC shut down or put into standby mode.
* If there is no traffic received from the user IP address for the configured auth-timeout (5 minutes by default), the user authentication entry will be removed.
* If the user tries to access resources now, FortiGate will prompt the user to authenticate again.
Hard timeout: User entry will be removed after the configured auth-timeout value.
* User1 is authenticated by an identity-based policy and granted access to resources.
* FortiGate will forcefully remove the user authentication entry after the configured auth-timeout setting (5 minutes by default). This is done irrespective of whether traffic is received from the user or not.
* Once the authentication entry is removed, the user will be prompted to authenticate for further requests.
New-session timeout: User will be prompted to authenticate for new sessions after the configured auth-timeout timer.
Example
* User1 is authenticated by an identity-based policy and generates a request to www.fortinet.com.
* The user starts a download from www.fortinet.com and does not generate further requests.
* After 5 minutes (default auth-timeout), the user tries to access www.google.com; now FortiGate will ask the user to authenticate again, but the existing download from www.fortinet.com will not be terminated.
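The three auth-timeout-type behaviours described in the post above, replayed on the post's own download scenario as an added Python model (this is not FortiOS code and not from the post). The minute-by-minute timeline, the user name User1 and the address 10.0.0.5 are constructed, and the model assumes that an entry removed under idle-timeout or hard-timeout also challenges traffic of already established flows.

```python
# Default FortiOS auth-timeout in minutes (config user setting).
DEFAULT_AUTH_TIMEOUT = 5
USER_IP = "10.0.0.5"  # constructed sample source address

# Constructed timeline from the post's example: User1 authenticates at minute 0,
# requests www.fortinet.com, keeps downloading, and tries www.google.com at
# minute 5 while the download still carries traffic.
TIMELINE = [(0, "www.fortinet.com"), (2, "www.fortinet.com"),
            (4, "www.fortinet.com"), (5, "www.google.com"),
            (6, "www.fortinet.com")]

class AuthTable:
    """Models the FortiGate firewall-auth table for one auth-timeout-type."""

    def __init__(self, timeout_type, auth_timeout=DEFAULT_AUTH_TIMEOUT):
        self.timeout_type = timeout_type  # idle-timeout | hard-timeout | new-session
        self.auth_timeout = auth_timeout
        self.entries = {}   # source IP -> {"user", "auth_time", "last_traffic"}
        self.flows = set()  # (source IP, destination) sessions already established

    def authenticate(self, ip, user, now):
        self.entries[ip] = {"user": user, "auth_time": now, "last_traffic": now}

    def _expired(self, entry, now):
        # idle-timeout counts from the last traffic seen; hard-timeout and
        # new-session count from authentication, irrespective of traffic.
        ref = entry["last_traffic"] if self.timeout_type == "idle-timeout" else entry["auth_time"]
        return now - ref >= self.auth_timeout

    def packet(self, ip, dest, now):
        """Return 'allow' or 'reauth' for one packet from ip to dest at minute now."""
        entry = self.entries.get(ip)
        if entry is None:
            return "reauth"
        if self._expired(entry, now):
            if self.timeout_type == "new-session":
                # Only new sessions are challenged; established flows continue.
                return "allow" if (ip, dest) in self.flows else "reauth"
            del self.entries[ip]  # idle/hard: entry removed outright
            return "reauth"
        entry["last_traffic"] = now
        self.flows.add((ip, dest))
        return "allow"

def run_scenario(timeout_type):
    """Replay TIMELINE for one timeout type; returns [(minute, dest, decision)]."""
    table = AuthTable(timeout_type)
    table.authenticate(USER_IP, "User1", 0)
    return [(t, dest, table.packet(USER_IP, dest, t)) for t, dest in TIMELINE]
```

Running run_scenario for each type shows that the ongoing download keeps an idle-timeout entry alive, a hard-timeout entry is dropped at minute 5 regardless, and new-session challenges only the request to www.google.com.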
@raffau .. it was said that those are FSSO users, so the auth session might time out and the iprope record might get removed, but if everything is OK in FSSO then the user should persist in 'diag debug auth fsso list' -or- 'diag firewall auth list | grep -f fsso' until the user:
- logs off the workstation
- fails the workstation check and times out on the dead entry interval
- another user logs into the same workstation and so the FSSO record gets overwritten