Holy
Contributor

FSSO user logon Problems

Hello,

 

I have some strange problems on a 200A 4.0 MR Patch 15.

 

The FSSO is running with a DC Agent on the Domain Controller. DC Agent version 4.3.0129.

 

So the problem is... The DC Agent collects the user logons properly; you can see all the users under "Show logon users". The DC Agent is connected to the Fortigate, and if I do diag debug authd fsso server-status it is "connected".

 

But the user logons are not passed to the Fortigate. If I do diag debug authd fsso list there are no users, so my FSSO firewall policy doesn't work.

 

Does anyone have an idea how to solve this?


5 REPLIES
Sylvia
Contributor II

Do you have a group filter on the Collector Agent? Or did you mark all the users that shouldn't be synchronized to the Fortigate? Both are settings of the Collector Agent...

 

And what does the config look like on the Fortigate?

Especially this part in the CLI:

show user fsso

 

Regards,

Sylvia

Holy

Hello, it looks like this; 172.16.1.25 is the DC Agent on the Domain Controller.

 

config user fsso
    edit "FSSO_172.16.1.25"
        set password ENC NJuMLHH7eY5Qr+B1LcngXhjai9jjV/JoRNWd6k3RPF6IHB/lgZI+GVcJOd+OVCXu3W9TzFKgcT/jSX+p9W+stNx1+vz3zKih6sRKUF3dZTobvfZF
        set server "172.16.1.25"
    next
end

 

I do have a Group Filter on the Collector Agent with only the groups that need to be synchronised.

This is the output of config user adgrp:

config user adgrp
    edit "Example/ACCESS-INTERNET-ADVANCED"
        set server-name "FSSO_172.16.1.25"
    next
    edit "Example/ACCESS-INTERNET-BASIC"
        set server-name "FSSO_172.16.1.25"
    next
    edit "Example/ACCESS-INTERNET-FULL"
        set server-name "FSSO_172.16.1.25"
    next
    edit "Example/ACCESS-INTERNET-NONE"
        set server-name "FSSO_172.16.1.25"
    next
end

 

diag deb authd fsso server-status

 # diag deb authd fsso server-status 
 
 # 2015-08-20 17:01:29 
Server Name			     Connection Status     Version
-----------			     -----------------     -------
2015-08-20 17:01:29 FSSO_172.16.1.25                     connected             FSSO 4.3.0129

 

diag debug flow

 

 # diag deb authd fsso refresh-groups 
 
 # 2015-08-20 17:03:01 id=36871 trace_id=177 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.1.25:8000->172.16.254.10:9906) from internal."
2015-08-20 17:03:01 id=36871 trace_id=177 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, reply direction"
2015-08-20 17:03:01 id=36871 trace_id=178 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.254.10:9906->172.16.1.25:8000) from local."
2015-08-20 17:03:01 id=36871 trace_id=178 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, original direction"
2015-08-20 17:03:11 id=36871 trace_id=179 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.1.25:8000->172.16.254.10:9906) from internal."
2015-08-20 17:03:11 id=36871 trace_id=179 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, reply direction"
2015-08-20 17:03:11 id=36871 trace_id=180 func=resolve_ip_tuple_fast line=3799 msg="vd-root received a packet(proto=6, 172.16.254.10:9906->172.16.1.25:8000) from local."
2015-08-20 17:03:11 id=36871 trace_id=180 func=resolve_ip_tuple_fast line=3839 msg="Find an existing session, id-003b3b4e, original direction"

 

Fishbone_FTNT

Sylvia wrote:

Do you have a group filter on the Collector Agent? Or did you mark all the users that shouldn't be synchronized to the Fortigate? Both are settings of the Collector Agent...

 

And what does the config look like on the Fortigate?

Especially this part in the CLI:

show user fsso

Assuming you checked the FSSO CA logs... Sylvia is right, the problems are most likely in the group filters.

 

Here is a small overview of how it works:

The group filter is a list of groups exchanged between the Fortigate and the FSSO CA, defining which groups' members should be sent to the Fortigate. Both the Fortigate and the FSSO CA can configure this filter. The filter can be in Windows notation or in LDAP group notation.

 

From the Fortigate, however, you can only specify an LDAP group filter (by selecting the LDAP server and groups in the FSSO CA configuration). You can find this group list in "config user adgrp". It's not well known that this list can be edited (at your own risk) since FortiOS 5.0.4. It might come in handy in multidomain environments with a single FSSO CA.

 

In the FSSO CA the group filter is organized in the registry, based on the SN of the unit which connected to it.

The preferred group filter is the one sent (if configured to do so) from the Fortigate. In that case the FSSO CA saves this filter in the registry under the Fortigate's serial number. It's always overwritten (keep this in mind if you use a multi-vdom scenario connecting to the same FSSO CA).

It might come in handy to specify a so-called default filter, which is sent to all connecting Fortigates, but only if there is neither a specific SN-based filter on the CA nor a filter received from the Fortigate.

 

Now we have explained how group filters work. But it also depends on how groups are evaluated in the FSSO CA! We distinguish between Standard mode (Windows group resolution) and Advanced mode (LDAP group resolution). Since users' groups have to match the group filter, the FSSO CA AD mode has to match too. If the group filter is in Windows notation, you have to set Standard mode. If you set the group filter with LDAP groups, you have to use Advanced mode.

 

Let me know if you have more questions.

 

Cheers,

Ales

smithproxy hacker - www.smithproxy.org

xsilver_FTNT
Staff

Hello,

 

As you do not have LDAP bound to the FSSO Agent on the FGT ('config user fsso'), you need to have the groups manually specified on the FGT _AND_ on the Collector Agent as well.

So what you set in 'config user adgrp' on the FGT has to be set (at least those groups) on the Collector Agent too. Use Set Group Filter in the Collector GUI. The result should also be visible in the registry and in the exported config, for example:

 

[HKEY_LOCAL_MACHINE\software\fortinet\fsae\collectoragent\Filter\Default]
"description"="Default filter"
"groups"="Example\INTERNET-FULL"

 

Alternatively, you can set up LDAP on the FGT towards the DC, add that to the FSSO Agent, and then you have to switch the Collector to Advanced mode in Set Directory Access Information. All current group bindings need to be redefined, as the format will change from MS style DOMAIN\GROUP to LDAP format CN=group,DC=example,dc=com.

The pro of all that is that from now on you will be able to set group filters right from the FGT (no need to touch the Collector). You will also gain info about the exact group position, so two groups with the same name placed differently in the tree are no problem anymore. And Advanced mode allows group nesting as a bonus. Personally I prefer this Advanced mode.

 

Kind regards, Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
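As an added example (not Fortinet's code and not from this thread), a small Python checker that ties together Ales's filter precedence and mode rules and Tomas's point that whatever is in 'config user adgrp' must also be covered by the Collector Agent filter. The FortiGate serial, the Collector filter dict and the "standard"/"advanced" mode strings are constructed placeholders; it models only the matching logic, not the Collector's registry format.

```python
import re

# Constructed sample: a 'config user adgrp' section in the shape posted above.
FGT_ADGRP = """config user adgrp
    edit "Example/ACCESS-INTERNET-FULL"
        set server-name "FSSO_172.16.1.25"
    next
    edit "Example/ACCESS-INTERNET-NONE"
        set server-name "FSSO_172.16.1.25"
    next
end
"""

# Constructed sample of Collector Agent filters, keyed the way the thread describes
# the registry subkeys (FortiGate serial number, or 'Default'); the serial is a placeholder.
CA_FILTERS = {
    "Default": ["Example\\INTERNET-FULL"],
    "FGT-SERIAL-PLACEHOLDER": ["Example\\ACCESS-INTERNET-FULL"],
}

def parse_adgrp(text):
    """Return the group names from the 'edit "..."' entries of a 'config user adgrp' block."""
    return re.findall(r'^\s*edit "([^"]+)"', text, re.M)

def notation(group):
    """'ldap' for DN style (CN=...,DC=...), otherwise 'windows' (DOMAIN\\GROUP or DOMAIN/GROUP)."""
    return "ldap" if re.match(r"(?i)^\s*cn=", group) else "windows"

def norm(group):
    """Compare Windows-style names case-insensitively, treating '/' and '\\' as the same separator."""
    return group.replace("/", "\\").lower()

def effective_filter(serial, fgt_sent=None, ca_filters=CA_FILTERS):
    """Precedence from the thread: filter pushed by the FGT, then the CA's SN-specific filter,
    then the Default filter, else nothing. Returns (source, groups)."""
    if fgt_sent:
        return "fortigate", list(fgt_sent)
    if serial in ca_filters:
        return "ca:" + serial, ca_filters[serial]
    return "ca:Default", ca_filters.get("Default", [])

def check(serial, adgrp_text, ca_mode, fgt_sent=None, ca_filters=CA_FILTERS):
    """Report FGT groups the applied filter will never send, and whether the notation of every
    group matches the Collector mode (Windows names need 'standard', LDAP DNs need 'advanced')."""
    source, groups = effective_filter(serial, fgt_sent, ca_filters)
    fgt_groups = parse_adgrp(adgrp_text)
    missing = [g for g in fgt_groups if norm(g) not in {norm(x) for x in groups}]
    needed = {"windows": "standard", "ldap": "advanced"}
    mode_ok = all(needed[notation(g)] == ca_mode for g in groups + fgt_groups)
    return {"source": source, "missing_on_ca": missing, "mode_ok": mode_ok}
```

Run check() with your own serial, adgrp output and Collector mode; a non-empty missing_on_ca or mode_ok == False is exactly the kind of mismatch the replies above describe.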

Holy

So, problem solved, but it was really not easy :=)

 

We tried together with a System Engineer from Fortinet Support for 2h and tried everything; I think this was just some kind of bug in these old versions.

 

After deleting and reinstalling everything again it works now, but no one knows what the real problem was or whether it will occur again soon.

 

I hope it will work for 2 months from now; then we do a migration to a 200D and everything should be OK.

 

Thank you all for your Help!
