Re: Fortigate FSSO user switch between LAN and WAN
by fjulianom 2018/06/14 08:02:13
The issue might be caused by DNS, which is not updated with the proper IP when you switch networks.
By default, MSFT DNS allows updates from DHCP but not from clients, and once DHCP assigns a new IP the DNS A record is overwritten with that IP.
If that is spotted by FSSO in a new logon scenario, that IP is recorded.
If you then switch networks, no IP change happens and you are prohibited from access.
1. The best solution IMHO is to let DNS read and update A records from workstations, so that whenever a NIC gets an IP assigned it will ADD (and not overwrite) an A record in the DNS zone. The result will be multiple A records, and FSSO can handle up to 4. So your workstation can have up to 4 NICs with different subnets/IPs and still be registered in FSSO with the same user.
2. IF you want to keep just one record, your DNS is getting overwritten properly whenever you change network, and you are NOT connected to more than one network at the same time, then you can use the "verifyIP"=dword:00000000 registry key in HKEY_LOCAL_MACHINE\software\fortinet\fsae\collectoragent to make the Collector Agent periodically check DNS for changes. It will add DNS load and delay detection of the change until the next check, so it's not an instant change, but it will help you to realize that the IP has changed while the user was still logged on to the workstation.
3. The worst solution is to log out and log in again after the network change, as it will trigger new logon processing and a new DNS query.
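As an added example (not from the post, and not Fortinet's own tooling), a PowerShell check an admin can run on the Collector Agent host to see which of the scenarios above applies: it counts the A records DNS currently holds for a workstation against the 4-address limit mentioned in option 1, and reads the verifyIP value under the registry key quoted in option 2. The workstation name and DNS server are placeholders to replace.

```powershell
# Added check (not from the original post): report the DNS A records registered
# for a workstation and the Collector Agent's verifyIP setting.
# Assumptions: runs on the Collector Agent host with the DnsClient module present;
# $Workstation and $DnsServer are placeholders.
param(
    [string]$Workstation = 'WORKSTATION01.example.local',   # placeholder, replace
    [string]$DnsServer   = ''                               # optional: a specific DC/DNS server
)

$keyPath = 'HKLM:\SOFTWARE\Fortinet\FSAE\collectoragent'   # key path quoted in the post

# 1. How many A records does DNS hold for the host right now?
#    The post notes FSSO can track up to 4 addresses per workstation.
$resolveArgs = @{ Name = $Workstation; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
if ($DnsServer) { $resolveArgs['Server'] = $DnsServer }
try {
    $aRecords = Resolve-DnsName @resolveArgs | Where-Object { $_.Type -eq 'A' }
} catch {
    Write-Warning "No A record found for $Workstation : $($_.Exception.Message)"
    $aRecords = @()
}
$ips = @($aRecords | ForEach-Object { $_.IPAddress })
Write-Host ("{0}: {1} A record(s): {2}" -f $Workstation, $ips.Count, ($ips -join ', '))
if ($ips.Count -gt 4) {
    Write-Warning 'More than 4 A records: FSSO will not track all of them.'
}

# 2. Is the Collector Agent set to re-check DNS for IP changes (verifyIP = 0 per the post)?
$verifyIP = (Get-ItemProperty -Path $keyPath -Name 'verifyIP' -ErrorAction SilentlyContinue).verifyIP
if ($null -eq $verifyIP) {
    Write-Host "verifyIP is not set under $keyPath (agent default applies)."
} elseif ($verifyIP -eq 0) {
    Write-Host 'verifyIP = 0: the Collector Agent periodically re-checks DNS for IP changes.'
} else {
    Write-Host "verifyIP = $verifyIP : not the value 0 the post describes for periodic DNS checks."
}
```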