Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Farroo
New Contributor

FSSO polling mode - can’t see user logins

Hi, We have a situation where we have setup ldap correctly and able to browse user directory, all groups etc showing as expected. Problem we have seen is any users logged in- not seeing by the firewall. There are no antivirus/firewall port blocks on the AD server, and an adminaccount used for polling. Firewall debug showing sent login info packet 1 and no login info received packets This is a 300e firewall in vdom mode- unfortunately running 5.2.10 which we cant upgrade just on the sly as it does have other live customers and fortinet tac not helping as its out dated version. Wondering if anyone else come across this before and share some pointers? We think its an issue on AD server but not wnough substance to prove it back to the end user. Thanks.
16 REPLIES 16
xsilver_FTNT
Staff
Staff

Hi Farroo,

unfortunately it's not clear, at least to me, what sort of authentication you are trying to do/have.

Is it LDAP based auth, or FSSO ?  If FSSO then are you polling DC(s) directly from FortiGate or do you use Colelctor Agent installed on one of DCs (preferred option) ?

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Farroo

Sorry xsilver, I thought I mentioned fsso.. polling mode on fortigate and no agent on dc- we have a number of other cust exactly the same setup, just having issues with this one and unable to prove its an issue with ad. We have setup the ldap server, on fortigate, then fsso using that server, able to browse advserver can see groups users etc, but not seeing any user logins. Acc on ad is admin and it can read user login events. Don’t know where else to look...
Alivo__FTNT

Hello Farroo,

first about the 5.2.10

("This is a 300e firewall in vdom mode- unfortunately running 5.2.10 which we cant upgrade just on the sly as it does have other live customers and fortinet tac not helping as its out dated version.")

 

FortiGate is a security device and its purpose is to protect. Old firmware versions, that are note supported anymore,  can be (are) vulnerable to various vulnerabilities. Insecure security device loses it's purpose. Firmware needs to be up to date.

 

To the FSSO issue > which AD version customer has?

Do you monitor user groups who's users logons are expected to be seen?

Which Windows Security Logon Events are generated by users logons?

 

Alivo

 

 

livo

catalinv

Hi everyone, 

I have the same problem - not seeing logged on users in Fortigate.

I'm in testing mode for now: one DC, and using my domain user for testing traffic. 

I have a 200E and firmware v5.6.5 build1600.

I configured LDAP server and SSO, I can see the AD tree and select my user - that has been added to the user group I use on the policy.

The domain user I'm using to configure LDAP and SSO, is not a domain admin - should it be?

I see no message in CLI with debug commands.

 

FW # diagnose debug authd fsso server-status

 

FW # 

Server Name      Connection Status     Version               Address

-----------      -----------------     -------               -------

Local FSSO Agent            connected         FSAE server 1.1       127.0.0.1

 

FW # diagnose debug authd fsso list

----FSSO logons----

Total number of logons listed: 0, filtered: 0

----end of FSSO logons----

 

The traffic is not matching my policy, there is no hit.

As far as I understand there is no need to install FSSO Collector on a domain server for polling mode configuration.

 

thank you,

have a nice day,

Catalin

xsilver_FTNT

Hi Catalin,

FortiGate can poll DCs for logon events directly, however standalone Collector Agent offers much more.

 

To debug local polling from FortiGate ..

 

2. do you see any users or you see 0 user ? FGT-VM64-1 (root) # diag debug fsso-polling user FSSO: vd index(0), AD_Server(192.168.32.21), Users(0)

3. if zero users, what is the poller status ? do you have AD connected ? do you have successful pollings ? does your user in AD fit in group filter ?

FGT-VM64-1 (root) # diagnose debug fsso-polling detail AD Server Status: ID=1, name(192.168.32.21),ip=192.168.32.21,source(security),users(0) port=auto username=Administrator read log offset=1370140, latest logon timestamp: Wed Jun 4 15:43:25 2014

polling frequency: every 10 second(s) success(5043), fail(0) LDAP query: success(0), fail(0) LDAP max group query period(seconds): 0 Total max polling period(seconds): 1 most recent connection status: connected

Group Filter: CN=group1,CN=Users,DC=XSILAB,DC=int+CN=group2,CN=Users,DC=XSILAB,DC=int

4. check security log on DC/AD try to log off and log in with test (known) user account from test workstation (known NetBIOS name and IP .. from ipconfig /all). do you see user logon events ? what eventID do you see, are those eventID in the list below so FSSO poller can read those ? We mostly use Kerberos logon events as they contain all the info we need, we do not monitor all logon eventIDs as not all of them contain required info about user and workstation. For Win2K8 we use EventID: 4768, 4769, 4776 and for Win2K3 EventID: 672, 673, 680.

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

nbctcp
New Contributor III

I encounter same issue as yours if using "Fabric Connectors/Poll Active Directory Server" on 6.2.3

Once I change to "Fabric Connectors/Fortinet Single Sign-on Agent"

I don't have any problem at all, but you must upgrade your OS to 6.2.3

 

http://goo.gl/lhQjmUhttp://nbctcp.wordpress.com
xsilver_FTNT

Local polling from FortiGate is quite different then standalone Collector Agent.

Differences has been discussed here in forum many times.

KB with short differences is here https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD38897

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Alivo__FTNT

@nbctcp You can try to read outputs of:

 

di de application fssod -1 di de application smbcd -1 when you login to domain with your user.

Best Regards,

Alivo

 

livo

nbctcp
New Contributor III

SW INFO:

-FORTIOS 6.2.3 kvm eval key

-WIN2008 as AD Server

 

STATUS: -Security Fabric/Fabric Connectors/Active Directory Connector shown red arrow down

 

# di de application fssod -1 # di de application smbcd -1 Debug messages will be on for 30 minutes.

FGT1 # smbcd: daemon debug level set to [16777215] smbcd: SMB library debug level set to [8] smbcd: smbcd_process_request:968 got cmd id: 6 smbcd: smbcd_process_request:981 got rpc log field. smbcd: smbcd_process_request:993 got rpc username: administrator smbcd: smbcd_process_request:999 got rpc password: XXXXXXXX smbcd: smbcd_process_request:1003 got rpc port: 0 smbcd: smbcd_process_request:1009 got rpc logsrc: security smbcd: smbcd_process_request:987 got rpc server: 10.0.3.2 smbcd: smbcd_process_request:1036 got VFID, 0 smbcd: smbcd_process_request:1140 got rpc eventlog read command smbcd: rpccli_eventlog_open:121 /Chroot_Build/19/SVN_REPO_CHILD/FortiOS/fortinet/daemon/smbcd/smbcd_eventlog.c-121: connect err(NT_STATUS_NOT_SUPPORTED) smbcd: rpc_cmd_eventlog_read:919 open rpc err(10.0.3.2:administrator:0) from security log!, Please check correct server name, user name, password, port and log source [handle_reply:491] wrong format of data status. len 8 <> 4.

 

config user ldap edit "DC1" set server "10.0.3.2" set cnid "cn" set dn "dc=ngtrain,dc=com" set type regular set username "cn=administrator,cn=users,dc=ngtrain,dc=com" set password Password next end

config user fsso edit "Local FSSO Agent" set server "127.0.0.1" next edit "DC1" set server "10.0.3.2" set password Password next end

config user fsso-polling edit 1 set server "10.0.3.2" set user "administrator" set password Password set ldap-server "DC1" config adgrp edit "CN=HR,CN=Users,DC=ngtrain,DC=com" next edit "CN=IT,CN=Users,DC=ngtrain,DC=com" next edit "CN=SALES,CN=Users,DC=ngtrain,DC=com" next end next end

 

Pavel_Livonec_FTNT wrote:

@nbctcp You can try to read outputs of:

 

di de application fssod -1 di de application smbcd -1 when you login to domain with your user.

Best Regards,

Alivo

 

http://goo.gl/lhQjmUhttp://nbctcp.wordpress.com
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors