claumakurumure (New Contributor III)

Fortigate FSSO user switch between LAN and WAN

Good day. The client is experiencing issues when switching between LAN and wireless with FSSO. It seems as if the firewall is not refreshing/updating this correctly.

When the user switches off Wi-Fi and moves to a LAN IP address, the FSSO entry on the firewall is not updated. It still keeps the original IP address received on the Wi-Fi network, even when the Wi-Fi device is switched off.

Please assist. Thank you.

hezvo uko
1 Solution
xsilver_FTNT (Staff)

Hi,

The issue might be caused by DNS not being updated with the proper IP when you switch networks.

By default MSFT DNS allows updates from DHCP but not from clients, and once DHCP assigns a new IP, the A record in DNS is overwritten with that IP.

If that is spotted by FSSO in a new logon scenario, that IP is recorded.

If you then switch networks, no IP change happens and you are prohibited from access.

SOLUTIONS:

1. The best solution IMHO is to let DNS read and update A records from workstations, so that whenever a NIC gets an IP assigned it will ADD (and not overwrite) an A record in the DNS zone. The result will be multiple A records, and FSSO can handle up to 4. So your workstation can have up to 4 NICs with different subnets/IPs and still be registered in FSSO with the same user.

2. IF you want to keep just one record, your DNS is getting overwritten properly whenever you change network, and you are NOT connected to more than one network at the same time, then you can use the "verifyIP"=dword:00000000 registry key in HKEY_LOCAL_MACHINE\software\fortinet\fsae\collectoragent to make the Collector Agent periodically check DNS for changes. It will add DNS load and delay detection of the change until the next check, so it is not an instant change, but it will help you to realize that the IP has changed while the user was still logged on to the workstation.

3. The worst solution is to log out and log in again after a network change, as it will trigger new logon processing and a new DNS query.

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
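Added example, not code from the thread above or from Fortinet. It checks the two things the accepted answer turns on: whether the DNS zone still carries an A record for an IP this workstation no longer holds (the stale Wi-Fi address the firewall keeps seeing), and whether the zone accepts dynamic updates from clients at all (solution 1); it then writes the Collector Agent registry value exactly as the answer spells it (solution 2). Assumptions: the DNS check runs on a domain-joined Windows workstation with the DnsClient and NetTCPIP modules; the zone check needs the DnsServer RSAT module and rights on the DNS server; the registry change runs elevated on the Collector Agent host. The registry path, value name and value are copied from the answer and are not independently verified here, and the service-name wildcard is an assumption.

```powershell
# Added example (not from the original thread or Fortinet). Run the pieces on the
# host they apply to; nothing here touches the FortiGate itself.

function Compare-HostDnsRecords {
    # Compares the A records DNS holds for this workstation against the IPv4
    # addresses its adapters currently hold. "Stale" entries are what the
    # Collector Agent can keep reporting after you switch from Wi-Fi to LAN.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Ask DNS directly (no local cache / hosts file) so we see the zone's view.
    $dnsIPs = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'A' } |
        ForEach-Object { $_.IPAddress })

    # Preferred, non-loopback IPv4 addresses on every adapter (wired, Wi-Fi, ...).
    $localIPs = @(Get-NetIPAddress -AddressFamily IPv4 -AddressState Preferred |
        Where-Object { $_.InterfaceAlias -notlike 'Loopback*' -and
                       $_.PrefixOrigin -in @('Dhcp', 'Manual') } |
        ForEach-Object { $_.IPAddress })

    [pscustomobject]@{
        Host    = $fqdn
        Dns     = $dnsIPs
        Local   = $localIPs
        Stale   = @($dnsIPs   | Where-Object { $_ -notin $localIPs })  # in DNS, not on a NIC
        Missing = @($localIPs | Where-Object { $_ -notin $dnsIPs })    # on a NIC, not in DNS
    }
}

function Get-ZoneDynamicUpdate {
    # Solution 1 needs the zone to accept client registrations. Reports the
    # zone's setting: None rejects all dynamic updates (DHCP server included),
    # Secure accepts authenticated updates (AD-integrated zones), and
    # NonsecureAndSecure accepts anything. Requires the DnsServer module.
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$DnsServer
    )
    (Get-DnsServerZone -Name $Zone -ComputerName $DnsServer).DynamicUpdate
    # To change it (run deliberately, not as part of a check):
    # Set-DnsServerPrimaryZone -Name $Zone -ComputerName $DnsServer -DynamicUpdate Secure
}

function Set-CollectorAgentVerifyIP {
    # Solution 2: writes "verifyIP"=dword:00000000 under the key named in the
    # answer and reads it back. Path and value are copied from the answer; if the
    # agent is a 32-bit install on 64-bit Windows the key may instead sit under
    # HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent (assumption).
    param([uint32]$Value = 0)
    $caKey = 'HKLM:\SOFTWARE\Fortinet\FSAE\collectoragent'
    if (-not (Test-Path $caKey)) {
        throw "Collector Agent key not found at $caKey (is this the CA host?)"
    }
    New-ItemProperty -Path $caKey -Name 'verifyIP' -PropertyType DWord `
        -Value $Value -Force | Out-Null
    (Get-ItemProperty -Path $caKey -Name 'verifyIP').verifyIP
}

# --- Usage on the workstation that just moved from Wi-Fi to LAN ---
$state = Compare-HostDnsRecords
$state | Format-List
if ($state.Missing.Count -gt 0) {
    # DNS does not know the LAN address yet: push our own registration
    # (same effect as "ipconfig /registerdns"). Only works if the zone allows it.
    Register-DnsClient
}

# --- Usage on the Collector Agent host (elevated) ---
# Set-CollectorAgentVerifyIP -Value 0
# The agent has to be restarted to pick the value up. The service name is not
# given in the thread; confirm what this wildcard matches before restarting:
# Get-Service | Where-Object { $_.DisplayName -like '*Fortinet*' }
```

After a change, the quickest confirmation is on the FortiGate CLI: diagnose debug authd fsso list prints the logon table the firewall is actually using, including the IP it holds for each user, so you can see whether the new address arrived or the old Wi-Fi one is still there.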


4 Replies
daac

Hello, could you indicate where I can find documentation on how this issue is handled in a timely manner (point 1), since I am seeing that FSSO overwrites the entries and does not create a record for the other (wireless) segment. Thank you.

 

xsilver_FTNT

Hi,

My remarks about the MSFT side are a bit outdated. Back in 2003, when I first saw this, it was best to start from this MSFT tech doc: https://docs.microsoft.co...2003/cc784052(v=ws.10)

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

jskryja

Hello, we have recently been facing the same issue. When the user changes to a network with a different IP range, the FortiGate still keeps the IP from where the user originally logged in. It does not seem that it can handle up to 4 IPs. Do you have any trick for what we can do about it?

 

Thank you,

 

Jiri Skryja
