Article Id 193054

Description
Best practice and common log messages when using FSAE 3.0.
Solution
Connectivity issues

Ports tcp/139 and/or tcp/445 are not available on the target station

Line 25 : 02/17/2009 08:17:22 [ 1444] failed to connect to workstation:PIKA1026 (10.98.3.124)
Line 34 : 02/17/2009 08:17:23 [ 1444] failed to connect to workstation:PIKA1020 (10.98.2.223)
Line 39 : 02/17/2009 08:17:24 [ 1444] failed to connect to workstation:PIKA1022 (10.98.3.247)
Line 60 : 02/17/2009 08:17:25 [ 1444] failed to connect to workstation:PIKA1033 (10.98.3.171)
Line 83 : 02/17/2009 08:17:26 [ 1444] failed to connect to workstation:PIKA1028 (10.98.2.168)
Line 178 : 02/17/2009 08:17:28 [ 1444] failed to connect to workstation:PIKA1031 (10.98.3.169)


Line 571603 : 02/17/2009 16:12:13 [ 1444] failed to connect to workstation:PIPSSYSTEMBCK (10.98.3.21)
Line 571605 : 02/17/2009 16:12:14 [ 1444] failed to connect to workstation:PS_LAPTOP36 (10.98.5.111)


The ports are blocked by a local or network firewall. These messages are OK if generated by a non-Windows client.

Registry access errors
Line 203 : 02/17/2009 08:17:28 [ 1444] failed to connect registry on:SALES7 (10.98.4.203) error code:53:1
Line 208 : 02/17/2009 08:17:28 [ 1444] failed to connect registry on:SALES7 (10.98.4.203) error code:53:2
Line 2610 : 02/17/2009 08:19:41 [ 1444] failed to connect registry on:DWALLACE2 (10.98.4.137) error code:53:1
Line 2612 : 02/17/2009 08:19:41 [ 1444] failed to connect registry on:DWALLACE2 (10.98.4.137) error code:53:2
Line 1831 : 02/17/2009 08:18:38 [ 1444] failed to connect registry on:NETSUP05 (10.98.5.217) error code:53:1
Line 1832 : 02/17/2009 08:18:38 [ 1444] failed to connect registry on:NETSUP05 (10.98.5.217) error code:53:2
Line 491201 : 02/17/2009 15:07:02 [ 1444] failed to connect registry on:NETSUP10 (10.98.4.145) error code:53:1
Line 491203 : 02/17/2009 15:07:02 [ 1444] failed to connect registry on:NETSUP10 (10.98.4.145) error code:53:2
Line 494727 : 02/17/2009 15:09:52 [ 1444] failed to connect registry on:NETSUP05 (10.98.5.217) error code:53:1
Line 494728 : 02/17/2009 15:09:52 [ 1444] failed to connect registry on:NETSUP05 (10.98.5.217) error code:53:2
Line 495889 : 02/17/2009 15:10:55 [ 1444] failed to connect registry on:QA-ICE-2-VM1 (10.98.7.101) error code:53:1
Line 495890 : 02/17/2009 15:10:55 [ 1444] failed to connect registry on:QA-ICE-2-VM1 (10.98.7.101) error code:53:2


This could be because of closed ports or because the Remote Registry service is not running on the target station.

DNS failures

Line 301 : 02/17/2009 08:17:30 [ 1440] DnsQuery() failed for SALES36, error code:9003
Line 435722 : 02/17/2009 14:23:09 [ 1440] DnsQuery() failed for ARCHVCLUSTER1, error code:9003

The host is not properly registered in DNS, or its registration was not updated after an address change.


For proper FSAE operation ensure:

1. Ports tcp/139 and tcp/445 should be open between the collector agents and all workstations. If a personal firewall is running on a workstation, ensure that it allows this type of traffic or that the collector agents' IPs are defined as trusted. If there are any packet filtering devices/firewalls between different network segments, ensure this type of traffic is allowed to flow.

2. The Remote Registry service should be up and running on each workstation. Collector agents periodically verify which user is logged into the station by accessing the station's registry.

3. Ensure that hosts have proper DNS registration and that it is updated whenever the IP changes. Failure to immediately update the IP upon change prevents the collector agent from updating the FSAE list with the new IP and results in the user being blocked.
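
The three message types above can be grouped per host so that each workstation is matched to the checklist item it fails. The script below is an added example, not Fortinet code: the message formats come from the excerpts on this page, while the category names, function names and the sample hostnames and addresses are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# (category, pattern, remediation taken from the checklist above)
RULES = [
    ("smb_unreachable",
     re.compile(r"failed to connect to workstation:(?P<host>\S+) \((?P<ip>[\d.]+)\)"),
     "allow tcp/139 and tcp/445 from the collector agent"),
    ("registry_unreachable",
     re.compile(r"failed to connect registry on:(?P<host>\S+) \((?P<ip>[\d.]+)\) error code:\d+"),
     "check tcp/139, tcp/445 and the Remote Registry service"),
    ("dns_failure",
     re.compile(r"DnsQuery\(\) failed for (?P<host>[^,\s]+), error code:\d+"),
     "fix or refresh the host's DNS registration"),
]

def triage(log_text):
    """Return {host: Counter({category: hits})} for recognised failure lines."""
    findings = defaultdict(Counter)
    for line in log_text.splitlines():
        for category, pattern, _ in RULES:
            m = pattern.search(line)  # search() tolerates a "Line N : " prefix
            if m:
                findings[m.group("host").upper()][category] += 1
                break
    return dict(findings)

def report(findings):
    """One line per host and category, most frequent first."""
    fixes = {category: fix for category, _, fix in RULES}
    rows = [(hits, host, cat) for host, cats in findings.items()
            for cat, hits in cats.items()]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return [f"{host}: {cat} x{hits} -> {fixes[cat]}" for hits, host, cat in rows]

# Constructed sample lines in the collector agent log format quoted above.
SAMPLE_LOG = """\
02/17/2009 08:17:22 [ 1444] failed to connect to workstation:WS-A (10.0.0.11)
Line 203 : 02/17/2009 08:17:28 [ 1444] failed to connect registry on:WS-B (10.0.0.12) error code:53:1
Line 208 : 02/17/2009 08:17:28 [ 1444] failed to connect registry on:WS-B (10.0.0.12) error code:53:2
02/17/2009 08:17:30 [ 1440] DnsQuery() failed for WS-C, error code:9003
02/17/2009 08:17:31 [ 1444] some unrelated message
"""

if __name__ == "__main__":
    for row in report(triage(SAMPLE_LOG)):
        print(row)
```

Hosts that appear only under smb_unreachable and are known non-Windows devices can be dropped from the result, as noted above.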



 
