Kristomur
New Contributor II

User records out of date in forward logs

Hello,

I am dealing with an issue where, under "Forward logs", the user column shows out-of-date information about the current user. When looking at the forward log record there is a record showing "userA", but "userA" has not logged into the workstation. Also, when looking at the security event, the user has not taken any action on the workstation.

On the Fortigate unit there is an LDAP connection configured in order to get AD groups, but no external connector for FSSO.

Can someone please explain the behaviour behind this and possible fixes to see up-to-date information about users in the forward logs?

Cheers!

distillednetwork
Contributor III

A couple of questions for you to help troubleshoot:

Is the fortigate the default gateway for these networks, or do you have a router downstream from the Fortigate?

What version of FortiOS do you have?

When you see the record showing the wrong user, if you go to Dashboard > Users & Devices > Firewall Users and select "show all FSSO Logons" do you see that user tied to the wrong device there or just in the forward logs?

Kristomur
New Contributor II

FortiOS 7.2.2

There are no FSSO logons because FSSO has not been configured properly.

Just wondering: when the user is assigned to the record in the forward logs section, how is the event tied, or based upon what logic, when FSSO is not configured?

It seems that it is taking Kerberos authentication records and the FG unit ties them to the log records. But when the FSSO agent has not been configured, the data is invalid and not up-to-date.

I am just investigating the logic behind this behaviour so I know what to think about it. The fix is probably to implement the FSSO agent to pull data from the endpoints.

I would appreciate the know-how. :)

distillednetwork
Contributor III

The FSSO collector is more reliable for sure than the ldap connector. The fortigate has to do all the processing of logon events and tying them to IPs, whereas the FSSO collector server will handle that work for it.

I have also seen issues where the users are tied to the IPs properly, but sometimes the display in the forward logs is incorrect because of a router between the fortigate and the clients. All traffic will come from the same MAC address (the router) and users will display in the logs on devices they were not connected to. If I remember, this was more of a GUI issue and logs sent to FAZ did not look this way, but it has been a while since I looked at that.

Kristomur

Well, I also figured out that I can't rely purely on the LDAP connector, although I would still like to know the details of what is happening behind it.

Just for the general knowledge. :o

distillednetwork

Check out the section "Introduction to SSO with Windows AD" in this article:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/658099/single-sign-on-to-windows-ad

Basically, the fortigate looks at the LDAP server's logs for logon events and then tries to tie each logon event to the user/IP in the system. But with this method it's very easy for events to be missed.

Hope this helps with the understanding of the process.
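
The following is an added illustration of the polling logic described in the accepted answer and in the earlier reply about missed events; it is not code from this thread, from Fortinet, or from FortiOS. It replays domain-controller logon (4624) and logoff (4634) records into an IP-to-user table the way a poller would, then shows how a single missed record leaves an old user attached to a workstation's IP, which is the symptom in the original question. The event records, the `max_age` staleness cap and all names are constructed for the example; only the two Windows event IDs are real.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional

# Windows Security log event IDs (real IDs); everything else in this example is constructed.
EVENT_LOGON = 4624
EVENT_LOGOFF = 4634


@dataclass(frozen=True)
class DcEvent:
    """One logon/logoff record as a poller would read it from a domain controller."""
    record_id: int      # position in the Security log; a poller works through these in order
    event_id: int       # EVENT_LOGON or EVENT_LOGOFF
    when: datetime
    user: str
    src_ip: str         # workstation address reported in the event


# Constructed sample: userA works on 10.0.5.20 in the morning and logs off,
# then userB logs on to the same workstation. Not real log data.
SAMPLE_EVENTS: List[DcEvent] = [
    DcEvent(101, EVENT_LOGON,  datetime(2024, 1, 10, 8, 0),  "userA", "10.0.5.20"),
    DcEvent(102, EVENT_LOGOFF, datetime(2024, 1, 10, 12, 0), "userA", "10.0.5.20"),
    DcEvent(103, EVENT_LOGON,  datetime(2024, 1, 10, 12, 5), "userB", "10.0.5.20"),
]

# Constructed reference times and staleness cap used by the demo below.
DEMO_NOW = datetime(2024, 1, 10, 14, 0)
DEMO_LATER = datetime(2024, 1, 10, 17, 0)
DEMO_MAX_AGE = timedelta(hours=8)   # assumed value, not a FortiOS setting


@dataclass(frozen=True)
class Binding:
    user: str
    since: datetime


def build_user_ip_table(events: Iterable[DcEvent],
                        missed_records: FrozenSet[int] = frozenset()) -> Dict[str, Binding]:
    """Replay polled events into an IP -> user table.

    missed_records simulates records the poller never saw (log rolled over, DC
    unreachable, gap between polls). A missed logon/logoff leaves the previous
    binding in place, which is how an IP ends up attributed to a user who is gone.
    """
    table: Dict[str, Binding] = {}
    for ev in sorted(events, key=lambda e: e.record_id):
        if ev.record_id in missed_records:
            continue
        if ev.event_id == EVENT_LOGON:
            table[ev.src_ip] = Binding(ev.user, ev.when)  # latest logon wins
        elif ev.event_id == EVENT_LOGOFF:
            current = table.get(ev.src_ip)
            if current is not None and current.user == ev.user:
                del table[ev.src_ip]
    return table


def attribute_flow(table: Dict[str, Binding], src_ip: str,
                   now: datetime, max_age: timedelta) -> Optional[str]:
    """User to show in a traffic log for src_ip, or None if unknown or expired.

    A hard expiry bounds how long a missed logoff can misattribute traffic.
    """
    binding = table.get(src_ip)
    if binding is None or now - binding.since > max_age:
        return None
    return binding.user


def stale_bindings(table: Dict[str, Binding], now: datetime,
                   max_age: timedelta) -> List[str]:
    """IPs whose binding is older than max_age: the entries to review first
    when the user column in the forward logs looks wrong."""
    return sorted(ip for ip, b in table.items() if now - b.since > max_age)


if __name__ == "__main__":
    complete = build_user_ip_table(SAMPLE_EVENTS)
    gappy = build_user_ip_table(SAMPLE_EVENTS, missed_records=frozenset({102, 103}))
    print("all records seen      :", attribute_flow(complete, "10.0.5.20", DEMO_NOW, DEMO_MAX_AGE))
    print("records 102/103 missed:", attribute_flow(gappy, "10.0.5.20", DEMO_NOW, DEMO_MAX_AGE))
    print("stale at 17:00        :", stale_bindings(gappy, DEMO_LATER, DEMO_MAX_AGE))
```

With every record seen, traffic from 10.0.5.20 at 14:00 is attributed to userB; with records 102 and 103 missed, the same traffic still shows userA, hours after that user left the machine. The `stale_bindings` check is the defender-side view of the same table: a binding that has outlived any plausible session is the first place to look before trusting the user column.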

Kristomur

Thanks ;)
