- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FSSO Loses User Logins Periodically
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FSSO Loses User Logins Periodically
I'm running FortiGate's and FAC and I use DC Agents on my domain controllers pointing back to FAC. I have some policies in my FG's that reference FSSO groups. Multiple times per week I find that FAC, and therefore FortiGate, lose track of currently logged in users. This is a problem of course for any fw policies I've written that reference that user account - they stop getting the specified access.
One thing I've noticed in FAC (ver v4.00-build0081-20160601-patch00) is that under Monitor/SSO/FortiGates I notice that the connection time next to my firewall is a couple of days old. Should that Date/Time be pretty recent, or does that even matter?
Another thing is we use a particular endpoint protection suite that causes a service account to appear to log into that machine, overwriting the currently logged in user. I've made use of Fine-grained controls to excluded non-user accounts from SSO but those accounts still appear in the firewall (User & Device/Monitor/Firewall). Not sure if that is related or not.
I'd be interested to know anyone's experiences troubleshooting inconsistencies with DC Agent/FAC/FSSO/FortiGate policies user login status.
Thanks in advance!
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Q: "connection time next to my firewall is a couple of days old. Should that Date/Time be pretty recent, or does that even matter?"
A: no, it should not. It not the last seen/connected, it's "connected since" timer, so it's pretty good that it last at least few days. It can last months or years. FortiGate and Collector (in this case FortiAuthenticator - FAC hereinafter) do keep connection open and sends keep-alive packets every some 10 sec. So they should be connected for ages. Any more recent date mean that there was connection break/problem or unit restart.
Q: service accounts appearing on FGT FSSO user list
A: those will overwrite existing user, making the user changed on related source IP and if there is workstation check, then when action of that service account ends, that user is no longer present on workstation. Normal user can continue working on the workstation, but if there is no further logon event of that regular user, then last seen is that service account user, and workstation check will be looking for that service account. As it will be no longer present/acting then user will not be found and considered as logged off. And FSSO record removed rightfully as accordingly.
Use of fine grained control and service account exclusion is the right way, but has to be done a proper way.
There are actually two different kinds of "excluded user": - A valid user (such as an admin) that logon to a workstation which is previously used by a different user. In this case FAC should logoff the old user because a workstation can have only one logon user at the same time. - A background user (such as a service account) that does not logon to the workstation but just works at background and leaves some trace in event log. In this case such logon event should be totally ignored and not interfere with existing user.
To differentiate these two kinds of "excluded users", in 4.0.1 we allow importing SSO users with either "DN" or "Username": - Import with "DN" and exclude: the logon user will be ignored but the old user will also be logged off. Can be excluded only after LDAP query = slow down LDAP (and previous DNS). - Import with "Username" and exclude: the logon event will be totally ignored and the old user will not be affected. Will be completely excluded even from usual later DNS and LDAP processing.
Therefore from above you should import those service accounts as "Username". So the regular user will be kept logged and not overwritten by background service account.
Those service logons and FSSO user list overwrites seems to me as the most probable source of your issues with FSSO.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much for your excellent response. So at my current version of FAC I don't have access to this feature. I'll have to upgrade.
I appreciate your help!
Bruce
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, I upgraded to 4.3.3 last night and my problem has gone away. It was a firmware issue all along. Although now I get a notice whenever I open FAC saying "Service Warning: The push notificaction service for FortiToken Mobiles has stopped working on 2017-11-27. Please upgrade the FortiAuthenticator firmware to avoid any service disruptions". My tokens are still working. What's up with this warning?
Related Posts
- LAN Link issues with some devices... 538 Views
- PPPoE not reconnecting. only after reboot 3200 Views
- FSSO User random lose internet connectivity,... 8179 Views
- ... 1745 Views
Labels
-
FortiGate
6,496 -
FortiClient
1,297 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
332 -
FortiSwitch
331 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
FortiAuthenticator
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.