Hello,
I am dealing with a issue when under "Forward logs" the user column shows out-of-date information about the current user. When looking at the forward log record there is a record showing "userA" but "userA" has not logged into the workstation. Also when looking at the security event then the user has not taken any action with the workstation.
On the Fortigate unit there is configured an LDAP connection in order to get AD groups but no external connector for FSSO.
Can someone please explain the behaviour behind this action and possible fixes to see up-to-date information about users, in the forward logs.
Cheers!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Check out the section "Introduction to SSO with Windows AD" in this article:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/658099/single-sign-on-to-windows-ad
Basically, the fortigate looks at the ldap server logs for logon events and then tries to tie that logon event to the user/ip in the system. But with this method it's very easy for events to be missed.
Hope this helps with the understanding of the process
A couple of questions for you to help troubleshoot:
Is the fortigate the default gateway for these networks or do you have a router downstream from the Fortigate?
What version of FortiOS do you have?
When you see the record showing the wrong user, if you go to Dashboard > Users & Devices > Firewall Users and select "show all FSSO Logons" do you see that user tied to the wrong device there or just in the forward logs?
FortiOS 7.2.2
There is no FSSO logons because FSSO has not been configured properly.
Just wondering that when the User is assigned in the forward logs section to the record, how is the event tied or based upon what logic, when FSSO is not configured.
It seems that it is taking kerberos authentication records and FG unit ties it with the log records. But when FSSO agent has not been configured, the data is invalid and not up-to-date.
I am just investigating the logic behind this behaviour so I would know what to think about that. The fix is probably to implement FSSO agent to pull data from the endpoints.
I would appreciate the know-how . _:)
The FSSO collector is more reliable for sure than the ldap connector. The fortigate has to do all the processing of logon events and tieing them to IPs whereas the FSSO collector server will handle that work for it.
I have also seen issues where the users are tied to the IPs properly, but sometimes the display in the forward logs is incorrect because of a router between the fortigate and the clients. All traffic will come from the same mac address (the router) and users will display in the logs on devices they were not connected to. If I remember this was more of a GUI issue and logs sent to FAZ did not look this way, but it has been a while since I looked at that.
Well I also figured it out that can't rely purely on the LDAP connector although I would still like to know the details happening behind it.
Just for the general knowledge. :o
Check out the section "Introduction to SSO with Windows AD" in this article:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/658099/single-sign-on-to-windows-ad
Basically, the fortigate looks at the ldap server logs for logon events and then tries to tie that logon event to the user/ip in the system. But with this method it's very easy for events to be missed.
Hope this helps with the understanding of the process
Thanks ;)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.