Re: FSSO Collector Agent Problems

MikeMo · ‎10-14-2017

Tomas, First thank you for the response. The email notification from Fortinet must have gotten trapped in spam because it's October and I'm only now seeing this. I will attempt to make some of th...

Tomas, First thank you for the response. The email notification from Fortinet must have gotten trapped in spam because it's October and I'm only now seeing this. I will attempt to make some of the changes you recommended. We are in the process of migrating away from Microsoft DNS for a number of reasons and I hope that will help. Also, I will review the WMI suggestion and take appropriate action. For issue #2, we've used debug level logging with Fortinet support and they weren't able to find anything. However, I will attempt to track the dead entries as you suggested as that sounds promising. That said, it looks like you are one of the resident experts here. What are your thoughts on using DC Agent mode versus Polling for a larger enterprise? Fortinet generally recommends DC Agent for large environments but they were the ones that suggested polling to us a while back. Thanks again!

MikeMo · ‎08-18-2017

This is a tough one and I will be thoroughly impressed if someone were able to give me any advice that could help solve this issue. Fortinet support is having trouble solving so I'm reaching out to t...

This is a tough one and I will be thoroughly impressed if someone were able to give me any advice that could help solve this issue. Fortinet support is having trouble solving so I'm reaching out to the community for help. I'm going to provide a little background (sorry it's a little lengthy but I think it helps understand the issue) on our issues with FSSO and then get into our current issue. Hopefully someone has seen this problem and can offer some suggestions as to what the problem might be. Background: We've been using FSSO for around 8 years. We initially installed a single collector agent in DC Agent mode. We had 8-10 internet auth groups and things seemed to run fine. We then decided to add a second Collector for redundancy. Things still ran as expected. A few years later, we started authenticating our laptop users to our wireless network (802.1x/PEAP) via Group Policy configurations. This introduced our first set of issues with FSSO. We found out that when users had both a wired and wireless network connection at the same time, FSSO would randomly have issues. We discovered that the way in which Windows DNS servers/clients operated was playing a role in the auth failures. Turns out, when doing something like PEAP to auth wireless connections via the user account, DNS entries for the client would be handled in a way that confused FSSO. The FSSO collector would thing you were authenticated to an IP it wasn't expecting. For example, suppose you log into your laptop with both a wired and wireless connection enabled. When you first connect your system to your network cable/dock/whatever, the wired adapter will register itself with DNS on a DHCP segment. The FSSO collector agent would see your user account authenticated to this physical nic IP. Then, when you logged into the domain, your wireless adapter would authenticate your system (via your user account) to the network and overwrite your previous DNS entry with a name that resolves to your wireless IP. FSSO would now see your wireless IP as authenticated for your user account. Generally, the physical NIC was first in the binding order so when you would go to use the internet, your traffic would source from the physical NIC. Since FSSO uses DNS to lookup the names of systems during auth for the firewall, FSSO would not be able to identify your user account with your system's DNS record as it would only authenticate you properly if you were sourcing from the wireless IP. Turn off your wireless card and generate a login event and the problem goes away. Disconnect your physical NIC and it's resolved. This drug on for a long time without any known way to resolve this. Windows sucks at handling multiple network interfaces properly and there really wasn't any enterprise-ready solutions for disabling adapters if multiple were detected. Also, the way DNS operated on a client seems silly (I have no idea why if you have two different IPs, you can't have to different records in DNS - design flaw maybe). So, at Fortinet's recommendation, we switched to polling mode. Shortly after, with some minor tweaking to the events we were monitoring for, our problems went away. Suddenly, earlier this year, the problem resurfaced with a new twist. This time, when the internet auth issue occurs (sporadically but often for the same users) the FSSO collector agent isn't seeing an authenticated user at all. However, when we pull our domain controller logs, the user has log entries indicating a logon event. We found that restarting the FSSO service on both collector agent servers was the quickest way to resolve the issue and when the next logon event was generated it would force the user to properly show up in the collector user table. Initially, we found that all of the people who experienced were authenticated to a new domain controller we added earlier this year. So we were heavily looking at this system (firewall ports, etc.). We spent lots of time collecting logs only to have Fortinet tell us what we already knew in that the user wasn't in the FSSO auth table. Today I discovered something different that may help narrow this down. We had a person experience the problem and while collecting logs I found the same symptoms as usual - not in the user table in FSSO (unauthenticated) even though there are logon events. We asked that we hold off on restarting services so we could troubleshoot the issue. However, before I got too far down the troubleshooting path, the issue was suddenly resolved. The user had accessed a file share and generated a logon event during the process. I was able to capture the events and sure enough there was a new logon event that the collector agent had picked up. I thought about this for a bit and I'm starting to wonder whether or not the FSSO collector agent is having issues handling the amount of events it is processing via polling mode. I say that because there are periods of times (days even) where we don't have the issue at all. Then, other days, we have it multiple times a day. This incident today almost seemed like the agent was behind in processing/polling events and eventually "caught up". I'm thinking we should switch back to DC Agent mode but I'm concerned the wireless issues might resurface. Thoughts? Suggestions? I would appreciate any and all help. Thanks in advance! Current Environment: Collector Agents: 2 Domain Controllers: 15 Polling Mode: Check Windows Security Event Logs Changes that may have had an impact this year: A new domain controller, authentication of wireless switch from user based to machine based prior to login and user based post login - so computers are connected prior to logins, and we upgraded to 5.4.X (this seemed to start before we upgraded to 5.4 I believe)

MikeMo · ‎01-25-2013

@Dave - this is very similar to what we have for corporate and public. We use group policy to configure windows to handle the corporate settings since we use PEAP. This results in the network autom...

@Dave - this is very similar to what we have for corporate and public. We use group policy to configure windows to handle the corporate settings since we use PEAP. This results in the network automatically connecting if it is enabled (the system will follow the order in group policy). Do you have this same issue if both interfaces are enabled and connected at the same time? Do you use DHCP? If so, do you use dynamically controlled DNS settings in the DHCP scope?

MikeMo · ‎01-25-2013

Yeah I have looked at those too. There are even some solutions that suggest using a script that runs via scheduled tasks to monitor the network connections and shut off wireless when wired is in use...

Yeah I have looked at those too. There are even some solutions that suggest using a script that runs via scheduled tasks to monitor the network connections and shut off wireless when wired is in use. However, this seems like it might have it' s own set of issues. I do have a ticket in with Fortinet to see what they suggest and will post back if they provide a solution. Thanks for the reply it' s good to hear I' m not alone in this. If you are interested in the scripted option check this article out... http://community.spiceworks.com/how_to/show/14437-how-to-bring-harmony-to-your-mixed-wired-and-wireless-networks

MikeMo · ‎01-25-2013

Thank you both for the replies. @Dave - Not sure if that feature will specific resolve this issue. It seems to me that Fortinet is using DNS as a part of this process to authenticate users. So i...

Thank you both for the replies. @Dave - Not sure if that feature will specific resolve this issue. It seems to me that Fortinet is using DNS as a part of this process to authenticate users. So if the DNS entry is pointing to a wireless IP and the PC is configured to use the wired interface then the issue persists. @jmac - Yes you are on to something there. We investigated this as well. The problem is that we always set the binding order for the wired interface to be ahead of the wireless interface. This allows for a better connection if both interfaces are enabled at the same time. So we have the binding order set the way we want it. However, we also have group policy configured which sets up a wireless configuration using PEAP. This is to allow our mobile users to move from wired to wireless and AP to AP seamlessly on the network while maintaining security. When you set this in group policy the wireless connection will always attempt to connect to this immediately if the network is in range and the adapter is enabled. So in our experience setting the binding order also doesn' t seem to resolve this issue. A simple solution would be to " just switch the dang wireless off" . Apparently this is not something people can easily get used to as they use wireless at home and forget to disable it when returning to the office. So at this point I think I am down to either adjusting some setting in FSSO that I am unaware of (open ticket with Fortinet) or modifying the way we handle DNS either on the server or client to prevent this from occurring. In most situations multiple connections hasn' t even been an issue but for FSSO it creates a problem sporadically. Thanks again for the responses. Any other thoughts?

MikeMo · ‎01-24-2013

I had a ticket open for this same issue (normal sites being blocked as Ultra Surf 9.6+). This was a problem with IPS signatures. I believe it was resolved with updates as of 1/15 (4.00288). I have...

I had a ticket open for this same issue (normal sites being blocked as Ultra Surf 9.6+). This was a problem with IPS signatures. I believe it was resolved with updates as of 1/15 (4.00288). I have re-enabled the application controls and the problem no longer exists.

MikeMo · ‎01-24-2013

Not sure if anyone is interested...but I have isolated this problem to a DNS issue. The problem is caused by dynamically update settings in the DNS settings for the DHCP scope. While FSSO can handl...

Not sure if anyone is interested...but I have isolated this problem to a DNS issue. The problem is caused by dynamically update settings in the DNS settings for the DHCP scope. While FSSO can handle duplicate logins from multiple IPs, it still utilizes DNS when logging entries in its table. FSSO seems to log the IP, hostname, and username for each user it " authenticates" . The problem: Sometimes a wired connection' s DNS entry is dynamically removed and the wireless IP is registered with DNS as an A record. This is not normally a problem. However, if the binding order is set properly and the PC utilizes the wired connection as it' s outbound connection, this presents a problem for FSSO. The firewall sees the user connection coming from the wired segment but the entries in the FSSO table on the collector sees the user associated with the A record which is now pointing to the wireless address. The fortigate then determines that the user should get " guest" access as it cannot match the user to the appropriate IP. The solution: Not sure yet. There are multiple ways to attack this but I am still trying to figure this out. Suggestions welcome.

MikeMo · ‎01-07-2013

Does anyone have any thoughts on this?

MikeMo · ‎01-01-2013

I' m curious if anyone has run into this problem and if so, what have they done to fix it? (v4 MR3 P8) I have FSSO configured and it has been working properly now for several years. However, in t...

I' m curious if anyone has run into this problem and if so, what have they done to fix it? (v4 MR3 P8) I have FSSO configured and it has been working properly now for several years. However, in the last few years more and more wireless connections are being made available to our users. We have implemented group policy to configure our wireless adapters to authenticate users using 802.1x and PEAP to allow authenticated users access directly onto our corporate wireless network and keeping guest users separate. The problem we have is that with this setup, users frequently use both wireless and wired connections simultaneously as they generally forget to disable their wireless connections. This seems to present a problem with FSSO. It seems (this is a bit of an educated guess) that when a user authenticates they may source from either the wireless or the wired connection resulting in a event log entry that is monitored by the collector agent. However, sometimes when a user later goes to the internet, the traffic sources from the other adapter' s IP address. This seems to confuse the FSSO system and the user ends up with Guest access even though they are authenticated. I know this is a lot of info...but has anyone run into this? Thoughts/Suggestions?

MikeMo · ‎12-08-2010

Whitelist the email address/domain. Go to UTM --> Email Filter --> Email Address and then add that list to the UTM profile that is performing the scans. For Blacklisted IPs you have to go through e...

Whitelist the email address/domain. Go to UTM --> Email Filter --> Email Address and then add that list to the UTM profile that is performing the scans. For Blacklisted IPs you have to go through either Fortinet or go to mxtoolbox and find out which services have you blacklisted.

MikeMo · ‎06-22-2010

I believe it was actually the IPSMonitor process failing. However, we have since upgraded to 4.0MR2P1 and the problem still exists. I think the bug has carried over.

MikeMo · ‎06-03-2010

310B is the only model I have seen the problems on. The IPS engine was current when we started seeing the problem. The spikes would happen at random periods of time but according to support it look...

310B is the only model I have seen the problems on. The IPS engine was current when we started seeing the problem. The spikes would happen at random periods of time but according to support it looks like the IPSengine was crashing every 30 mins or so. CPU didn' t spike everytime but it was spiking like 2-3 times a day and staying there. The IPSengine process is the issue.

MikeMo · ‎06-02-2010

I am running version v4.0build0194 (MR1 Patch 3) and IPS Engine 1.00164. As of Wednesday last week we started seeing our CPU spike to over 95% and cause an interuption of services. After several da...

I am running version v4.0build0194 (MR1 Patch 3) and IPS Engine 1.00164. As of Wednesday last week we started seeing our CPU spike to over 95% and cause an interuption of services. After several days of providing logs and debug information to Fortinet the best possible answer we received was to restart the ipsengine services to resolve the issue and/or bypass the ipsengine entirely. They now defined it as a bug #125279. Just wanted to give everyone a heads up.

MikeMo's Posts

Re: FSSO Collector Agent Problems

FSSO Collector Agent Problems

RE: FSSO and multiple network connections

RE: FSSO and multiple network connections

RE: FSSO and multiple network connections

RE: Ultrasurf 9.6+ filter

RE: FSSO and multiple network connections

RE: FSSO and multiple network connections

FSSO and multiple network connections

RE: spam issue

RE: IPS Engine Running at 95%-99% Constantly

RE: IPS Engine Running at 95%-99% Constantly

IPS Engine Running at 95%-99% Constantly