How to display unauthenticated users in the "Forward Traffic" Logs?
Set the Active Directory Connector in "External Connector" and it is working perfectly. but none of the users are shown except one with pink color (un-authenticated user) how can I get the remaining users and why this user only is showing?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Then, what kind of logon eventID is generated by your Active directory?
Try to create logon event and run commands above again.
Also, where is your screenshoot with shown logged on user? In your debug outputs, there is no logged on users at all.
FortiGate (FGT) has an integrated poller as well. Its local polling mode also uses the Windows Security Event logs, however currently the supported event subset is smaller.
• Windows 2008/2012/2016/2019 Event IDs: 4768, 4769, 4776
• Windows 2003 Event IDs: 672, 673
_____________________
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Windows-event-IDs-used-by-FSSO-in...
Hey Wael,
It seems like you forgot to enclose the screenshot.
Please attach the screen, then execute command in console (if it is really AD connector):
#diag de enable
#diag debug fsso-polling detai
#diag debug fsso-polling use
Share outputs as well.
below:
FG-FW-01 # diag de enable
FG-FW-01 # diag debug fsso-polling detai
AD Server Status(connected):
ID=1, name(10.1.1.4),ip=10.1.1.4,source(security),users(0)
port=auto username=ldapmaster
read log eof=1, latest logon timestamp: Fri Mar 3 00:38:52 2023
polling frequency: every 10 second(s) success(26219), fail(0)
LDAP query: success(0), fail(0)
LDAP max group query period(seconds): 0
LDAP status: connected
Group Filter:
CN=InternetUsers,CN=Users,DC=domain,DC=com
FG-FW-01 # diag debug fsso-polling use
FSSO: vd index(0), AD_Server(10.1.1.4), Users(0)
Then, what kind of logon eventID is generated by your Active directory?
Try to create logon event and run commands above again.
Also, where is your screenshoot with shown logged on user? In your debug outputs, there is no logged on users at all.
FortiGate (FGT) has an integrated poller as well. Its local polling mode also uses the Windows Security Event logs, however currently the supported event subset is smaller.
• Windows 2008/2012/2016/2019 Event IDs: 4768, 4769, 4776
• Windows 2003 Event IDs: 672, 673
_____________________
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Windows-event-IDs-used-by-FSSO-in...
Created on 03-06-2023 01:32 AM Edited on 03-06-2023 01:46 AM
Yeah the evenIDs I can see on the client Machines.
I dont have any authenticated users! only one who is un-authenticated and I want to see other like I see this one. I dont want to create an authentication captive protal now. I dont know how the FG only resolves his name
you are correct the EventIDs was not on the server.
Hi wismail,
As you have mentioned that you are using "External connector", so are you using FSSO Agent on Domain controllers or do you have Collector Agent installed on a member server ?
Did you configure any Groups filtering ? Is there any other firewall in between FSSO Agent and FortiGate ?
Check these KB articles.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-Agent-in-polling-mode/ta-p/228136
regards,
Sheikh
No I am not using FSSO agent. just the connection to the domain controller the Fortigate is acting as FSSO.
No firewall between the DC and the fortigate.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1679 | |
1085 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.