FortiGate
Article Id 190766
Description: An Application User forces the current user to log off from FSAE, and the user's access through the FortiGate unit is blocked.
Components
  • FortiGate units using FSAE.
Steps or Commands

Some applications use a specific username to access certain resources on the intranet or on the Internet.
Third-party anti-virus updates are an example.

The current user is then forced to log off from FSAE and the Application User is used instead, with different rights applied to the connection, which sometimes disrupts the normal user's activity.

What happens is that the User Logon Account in the FSAE user list is replaced by the Service Account. The User Logon Account belongs to a group you have configured for authentication on the FortiGate unit, while the Service Account does not.

To verify, first find out the Service Account for that particular application.

  1. On the PC, go to Start> Settings> Control Panel> Services.
  2. Select the application and view its properties.
In the example below, Domain Administrator is logged on as the Service Account.
 

If the user logs on with a User Account different from the Service Account, chances are the User Logon Account in the FSAE user list is now replaced by the Service Account.

You can also follow the additional troubleshooting steps outlined below to confirm that the User Logon Account in the FSAE user list has been replaced by the Service Account.

  1. Log on to a PC using the Domain Logon User Account fsae_user, which is in the Windows AD User Group.
  2. The Collector Agent sends this logon information to the FortiGate unit and the user fsae_user can use the firewall policy to access the Internet.

    FTG60_1 # diag debug auth fsae list
    FTG60_1 # message_loop: checking timeouts
    ----FSAE logons----
    IP: 192.168.17.201 User: fsae_user Groups: IHOMIK/Domain Users+IHOMIK/FSAE_User_GLB_Security_GRP+IHOMIK/Domain
    Admins+IHOMIK/CERTSVC_DCOM_ACCESS+IHOMIK/Administrators+IHOMIK/Users
    Total number of users logged on: 1
    ----end of FSAE logons----

  3. From the same PC, start an application. For example, a Wireless Configuration application uses Administrator as the Service Account.
  4. The Collector Agent now sends "Administrator" to the FortiGate unit.

    FTG60_1 # diag debug auth fsae list
    FTG60_1 # message_loop: checking timeouts
    ----FSAE logons----
    IP: 192.168.17.201 User: Administrator Groups: IHOMIK/Group Policy Creator
    Owners+IHOMIK/Domain
    Users+IHOMIK/Schema Admins+IHOMIK/Enterprise Admins+IHOMIK/Domain
    Admins+IHOMIK/ExMerge+IHOMIK/CERTSVC_DCOM_ACCESS+IHOMIK/
    Administrators+IHOMIK/Users
    Total number of users logged on: 1
    ----end of FSAE logons----

  5. fsae_user has lost Internet connectivity because this account is now replaced by Administrator, which is not in the Windows AD User Group.
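The check performed by hand in the steps above can be scripted. The following parser for the `diag debug auth fsae list` output is an added example, not code from the original article or from Fortinet: it flags any IP whose current FSAE user is a member of none of the Windows AD groups used in a FortiGate policy, and also flags accounts that should already sit in the Collector Agent's Global Ignore User List (Solution 2 below). The sample captures, the IP address and the group names are constructed from the output shown above; the parser assumes each logon is printed on a single line.

```python
import re

# Constructed samples, modelled on the two captures above: the same PC
# (192.168.17.201) first shows fsae_user, then the Administrator Service Account.
SAMPLE_BEFORE = """----FSAE logons----
IP: 192.168.17.201 User: fsae_user Groups: IHOMIK/Domain Users+IHOMIK/FSAE_User_GLB_Security_GRP+IHOMIK/Domain Admins
Total number of users logged on: 1
----end of FSAE logons----"""

SAMPLE_AFTER = """----FSAE logons----
IP: 192.168.17.201 User: Administrator Groups: IHOMIK/Domain Admins+IHOMIK/Enterprise Admins+IHOMIK/Administrators
Total number of users logged on: 1
----end of FSAE logons----"""

# One logon per line: "IP: <addr> User: <name> Groups: <g1>+<g2>+..."
LOGON_RE = re.compile(r"^IP:\s*(\S+)\s+User:\s*(\S+)\s+Groups:\s*(.*)$")


def parse_fsae_logons(output):
    """Return {ip: (user, set_of_groups)} from an FSAE logon listing."""
    logons = {}
    for line in output.splitlines():
        m = LOGON_RE.match(line.strip())
        if m:
            ip, user, groups = m.groups()
            logons[ip] = (user, {g.strip() for g in groups.split("+") if g.strip()})
    return logons


def find_replaced_logons(output, policy_groups, ignore_users=()):
    """Flag IPs whose current FSAE user will not match the firewall policy.

    policy_groups: Windows AD groups configured for authentication on the FortiGate.
    ignore_users:  Service Accounts expected in the Global Ignore User List; if one
                   still reaches the FortiGate, the ignore list is not in effect.
    Returns a list of (ip, user, reason) tuples; an empty list means all is well.
    """
    findings = []
    for ip, (user, groups) in parse_fsae_logons(output).items():
        if user in ignore_users:
            findings.append((ip, user, "service account not in Global Ignore User List"))
        elif not groups & set(policy_groups):
            findings.append((ip, user, "user matches no FortiGate policy group"))
    return findings


if __name__ == "__main__":
    policy = ["IHOMIK/FSAE_User_GLB_Security_GRP"]
    print("before:", find_replaced_logons(SAMPLE_BEFORE, policy))
    print("after: ", find_replaced_logons(SAMPLE_AFTER, policy))
```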

There are a couple of solutions to circumvent this issue.

Solution 1

On the same PC, ask the user (fsae_user) to log on to the Windows AD again. After the logon, the User Logon Account should again be in the FSAE user list on the FortiGate unit, and the user should be able to access the Internet again.

Solution 2

You may also add the Service Account (Domain Administrator, in the example) to the FSAE Global Ignore User List in the FSAE Collector Agent Configuration, so that this account is never sent to the FortiGate unit.
 

Related Articles

Technical Note : FSAE Troubleshooting Guide