Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
austinmas1987
New Contributor

Created on ‎05-10-2024 04:45 AM

FSSO doesnt work with Fortigate eval VM

Hi Team,

I am not sure if this is a feature limitation or if my config is incorrect but in my test setup where I am using a Fortigate eval VM to test FSSO, it doesnt work.

 

I can see that the user logons are pushed to the Fortigate from the DC server but the debug logs show that there is no firewall policy match. Could someone please let me know if I am missing something here.

 

LDAP server IP - 10.1.1.100

windows user IP - 10.1.2.2

username - palouser02

 

Below are the outputs of some debug commands.

 

==================================================================

 

FGVMLAB-BRANCH-002 # diagnose debug authd fsso server-status

Server Name Connection Status Version Address
----------- ----------------- ------- -------

FGVMLAB-BRANCH-002 # 10.1.1.100-AD connected FSSO 5.0.0311 10.1.1.100

 

 

 

FGVMLAB-BRANCH-002 # diagnose firewall auth list

10.1.1.100, PALOADMIN
type: fsso, id: 0, duration: 804, idled: 195
server: 10.1.1.100-AD
packets: in 109 out 145, bytes: in 9788 out 20680
group_id: 33554454 33554482 33554472 33554469 33554450 33554481
group_name: CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL CN=ADMINISTRATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=DISTRIBUTED COM USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=EVENT LOG READERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=SERVER OPERATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL

10.1.2.2, PALOUSER02
type: fsso, id: 0, duration: 194, idled: 124
server: 10.1.1.100-AD
packets: in 121 out 138, bytes: in 35644 out 32440
group_id: 33554454 33554433 33554481
group_name: CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL CN=FINANCE,CN=USERS,DC=PALOLAB,DC=LOCAL CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL

----- 2 listed, 0 filtered ------

 

 

 

FGVMLAB-BRANCH-002 # diagnose debug authd fsso list
----FSSO logons----
IP: 10.1.1.100 User: PALOADMIN Groups: CN=PALOADMIN,CN=USERS,DC=PALOLAB,DC=LOCAL+CN=USERS,DC=PALOLAB,DC=LOCAL+CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL+CN=ADMINISTRATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL+CN=DISTRIBUTED COM USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL+CN=EVENT LOG READERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL+CN=SERVER OPERATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL+CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL Workstation: WIN-LR3E3D2455G MemberOf: CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL CN=ADMINISTRATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=DISTRIBUTED COM USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=EVENT LOG READERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=SERVER OPERATORS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL
IP: 10.1.2.2 User: PALOUSER02 Groups: CN=PALOUSER02,CN=USERS,DC=PALOLAB,DC=LOCAL+CN=USERS,DC=PALOLAB,DC=LOCAL+CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL+CN=FINANCE,CN=USERS,DC=PALOLAB,DC=LOCAL+CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL Workstation: TESTPC02 MemberOf: CN=DOMAIN USERS,CN=USERS,DC=PALOLAB,DC=LOCAL CN=FINANCE,CN=USERS,DC=PALOLAB,DC=LOCAL CN=USERS,CN=BUILTIN,DC=PALOLAB,DC=LOCAL
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----

 

 

FGVMLAB-BRANCH-002 # show user fsso
config user fsso
edit "10.1.1.100-AD"
set server "10.1.1.100"
set password hTvrwnPSZZZokhz7mPbaySlQQ==
next
end

FGVMLAB-BRANCH-002 # show user group LDAPSERVER-DOMAINUSERS-GROUP
config user group
edit "LDAPSERVER-DOMAINUSERS-GROUP"
set member "ldapserver-10.1.1.100"
config match
edit 1
set server-name "ldapserver-10.1.1.100"
set group-name "CN=Domain Users,CN=Users,DC=palolab,DC=local"
next
end
next
end

 

FGVMLAB-BRANCH-002 # get sys arp
Address Age(min) Hardware Addr Interface
10.1.2.2 0 0c:35:93:7b:00:00 port2

 

FGTVM FSSO Policy.JPG

 


FGVMLAB-BRANCH-002 # 2024-05-10 04:43:34 id=65308 trace_id=1 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=1, 10.1.2.2:1->104.26.8.216:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=5262."
2024-05-10 04:43:34 id=65308 trace_id=1 func=init_ip_session_common line=6028 msg="allocate a new session-000009eb, tun_id=0.0.0.0"
2024-05-10 04:43:34 id=65308 trace_id=1 func=iprope_dnat_check line=5303 msg="in-[port2], out-[]"
2024-05-10 04:43:34 id=65308 trace_id=1 func=iprope_dnat_tree_check line=824 msg="len=0"
2024-05-10 04:43:34 id=65308 trace_id=1 func=iprope_dnat_check line=5315 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-05-10 04:43:34 id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-192.168.122.1 via port1"
2024-05-10 04:43:34 id=65308 trace_id=1 func=iprope_fwd_check line=794 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-05-10 04:43:34 id=65308 trace_id=1 func=__iprope_check line=2307 msg="gnum-100004, check-00000000ef14c8d9"
2024-05-10 04:43:34 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-2, ret-matched, act-accept"
2024-05-10 04:43:34 id=65308 trace_id=1 func=get_new_addr line=1239 msg="find SNAT: IP-192.168.122.242(from IPPOOL), port-60418"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_user_identity_check line=1833 msg="ret-no-match"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_user_identity_check line=1833 msg="ret-matched"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2277 msg="policy-0 is matched, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check line=2324 msg="gnum-100004 check result: ret-matched, act-drop, flag-08010800, flag2-00004000"
2024-05-10 04:43:35 id=65308 trace_id=1 func=iprope_fwd_check line=831 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-05-10 04:43:35 id=65308 trace_id=1 func=iprope_fwd_auth_check line=850 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check line=2307 msg="gnum-3, check-00000000ef14c8d9"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-no-match, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-3 policy-4294967295, ret-matched, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check_one_policy line=2277 msg="policy-4294967295 is matched, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=__iprope_check line=2324 msg="gnum-3 check result: ret-matched, act-drop, flag-00000020, flag2-00000000"
2024-05-10 04:43:35 id=65308 trace_id=1 func=iprope_policy_group_check line=4730 msg="after check: ret-matched, act-drop, flag-00000020, flag2-00000000"
2024-05-10 04:43:35 id=65308 trace_id=1 func=iprope_fwd_auth_check line=879 msg="iprope_auth_portal_check() result: ret-matched, act-drop"
2024-05-10 04:43:35 id=65308 trace_id=1 func=fw_forward_handler line=835 msg="Denied by forward policy check (policy 0)"

 

 

 

Labels:
184
0 Kudos
2 REPLIES 2
hbac
Staff
Staff

Created on ‎05-10-2024 06:27 AM

Hi @austinmas1987,

 

Does it happen to other users/computers? Is port1 under SDWAN_UNDERLAY? Does it work if you remove the group from the policy? 

 

Regards, 

155
0 Kudos
austinmas1987
New Contributor
In response to hbac

Created on ‎05-10-2024 06:38 PM

Hi,

There is only user to test with. I will setup a new user and see how it goes.

Internet works when group is removed from the policy.

121
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.