Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
roootccc
New Contributor

Created on ‎11-08-2018 07:01 PM

FSSO issue

We often encounter user not being captured by FSSO thus traffic was deny.

We would like to confirm if user was being dead entry at that time but i cant seem to find anywhere that i can monitor dead entry host/user. Is here anyway i can confirm if a user/host is being lock as dead entry ? 

3893
0 Kudos
5 REPLIES 5
neonbit
Valued Contributor

Created on ‎11-09-2018 02:09 AM

How are you doing FSSO? Are you polling the DC from the FortiGates or are you using a collector agent? If you're using the collector agent you'll be able to see which users are logged in and which have dead entries.

1959
0 Kudos
Fishbone_FTNT
Staff
Staff
In response to neonbit

Created on ‎11-09-2018 02:46 AM

Hi, dead entry is simply gone - it's dead :)

 

 

Workstation can be either in "OK", or in "Not Verified" state. "OK" means CA can reach workstation using at least one of its IP addresses and check positively the user's presence there (using WMI or RRA).

 

If CA actually can't reach workstation, it will set its state to "Not Verified". Typically because of some firewall restrictions (Sharing and WMI-in must be allowed in). Such a workstation is automatically removed after "Dead entry timeout interval" seconds. Then it's gone and user on the workstation must trigger logon event again (usually he will logs out and in again).

 

Note that any logon event associated with "Not Verified" workstation will refresh it, making the state back to "OK". But just for a while, because next workstation check will fail again.

 

hth,

-Fishbone

smithproxy hacker - www.smithproxy.org

1959
0 Kudos
roootccc
New Contributor
In response to Fishbone_FTNT

Created on ‎11-11-2018 06:06 PM

Fishbone wrote:

Hi, dead entry is simply gone - it's dead :)

 

 

Workstation can be either in "OK", or in "Not Verified" state. "OK" means CA can reach workstation using at least one of its IP addresses and check positively the user's presence there (using WMI or RRA).

 

If CA actually can't reach workstation, it will set its state to "Not Verified". Typically because of some firewall restrictions (Sharing and WMI-in must be allowed in). Such a workstation is automatically removed after "Dead entry timeout interval" seconds. Then it's gone and user on the workstation must trigger logon event again (usually he will logs out and in again).

 

Note that any logon event associated with "Not Verified" workstation will refresh it, making the state back to "OK". But just for a while, because next workstation check will fail again.

 

hth,

-Fishbone

We are using this mode. Is this CA ? 

1959
0 Kudos
roootccc
New Contributor
In response to neonbit

Created on ‎11-11-2018 06:04 PM

neonbit wrote:

How are you doing FSSO? Are you polling the DC from the FortiGates or are you using a collector agent? If you're using the collector agent you'll be able to see which users are logged in and which have dead entries.

We are using DC Agent Mode. Where can we see if the user have been put into dead entries or history ? 

1959
0 Kudos
seshuganesh
Staff
Staff

Created on ‎05-11-2022 03:13 AM

Hi Team

 

This has posted long time but it could help some one who is facing issue now.

This type of issue mostly related to the DNS server which is configured in AD server, lets say if the DNS records in the AD server are not updated properly with the correct IP if they point to wrong IP, wrong ip will mapped with user name in the log on user list of FSSO.

Its better to focus on DNS records in AD server for these type of issues.

You can check and keep us posted

965
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.