Hi There,
We have a problem that started a couple of weeks where the CPU is literally maxing out and when doing a sys diag top, there are two authd processes that are using most of the CPU.
I've tried looking around our FSSO agent to see what could be causing this issue but cant really find anything.
this is on a vdom running 5.6 and its the only vdom on the unit (200D)
we have FSSO agents on two DCs and about 500 users.
Any suggestions?
Hi,
authd serves 2 purposes: - FSSO client (connecting to FSSO CAs)
- serves logon portal on Fortigate (default tcp/1000 and tcp/1003)
Typically such issues are caused by someone who is hammering logon portal with bulk traffic, or the traffic is legit traffic, but it reaches authd portal for i.e. NTLM authentication as the backup for FSSO.
Quick and dirty fix could be to try:
config user setting set auth-blackout-time 5 end
which would prevent IP addresses failed to authenticate to reach logon portal for 5 seconds. Which is usually fair.
Adjust to your liking. It might help immediately, but good would be to look for reasons and hunt the root cause.
hth,
Fishbone)(
smithproxy hacker - www.smithproxy.org
Hi Fishbone,
Thank you for your prompt response, I'm a newbie to FG, is there a log somewhere I can look at that will show the logon portal attempts?
Hi
I did the command as you suggested at it dropped right to nothing, thank you for the help
Hi Fishbone,
Thanks for your answer. I tried 5 secs. initially cpu fell few pts and then came back up. So I change the timeout to 10 secs. Now CPU is oscillating between 60 - 90%. Is there any way to know which ip addresses are doing this incessant authentications.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.