When FSSO is disconnected

Author
TuncayBAS
Gold Member
2019/01/23 00:57:28 (permalink) 6.0
0

When FSSO is disconnected

On a system with FSSO user settings, is it possible for the FortiGate to retain the last user logon list that was taken by the FSSO when it was disconnected, and to allow the outputs?

When FSSO is disconnected, everyone appears to be a guest.
post edited by TuncayBAS - 2019/01/23 00:58:42

Tuncay BAS
RZK Muhendislik Turkey
NSE 4 5 6
FCESP v5
#1
xsilver_FTNT
Expert Member
Re: When FSSO is disconnected 2019/01/23 02:00:55 (permalink)
0
Hi,
actually, FortiGate (FGT hereinafter) is retaining the list.
When the Collector Agent is seen as disconnected or unreachable, the FSSO user list is retained for 5 minutes before one of the following occurs:
- the connection to the Collector Agent is re-established
- the user list is verified with the next Collector Agent in the list (if you do have multiple Collectors inside the FSSO Agent on the FGT)
- the user list is wiped out from the FGT

Kind Regards,
Tomas
#2
TuncayBAS
Gold Member
Re: When FSSO is disconnected 2019/01/23 02:07:27 (permalink)
0
These 5 minutes, do we have any chance of extending them?

Tuncay BAS
RZK Muhendislik Turkey
NSE 4 5 6
FCESP v5
#3
xsilver_FTNT
Expert Member
Re: When FSSO is disconnected 2019/01/24 00:08:13 (permalink)
0
Hi,
no direct chance of extending this timer.
It's a hardcoded timer for a graceful wipe-out of the FSSO user list once the FGT loses connection to the Collector Agent, which is the authoritative source of this list, not the FGT.
To stop this timer from ticking, to keep users in the list, and so keep them seen as authenticated, and so keep sessions running etc. etc., you 'just' need to make the Collector Agent reachable and the FGT connected to it again. Simple, right?

Kind Regards,
Tomas
#4
TuncayBAS
Gold Member
Re: When FSSO is disconnected 2019/01/24 01:15:23 (permalink)
0
Thank you, but the FSSO connection is online over a VPN. When the VPN is disconnected, the user list should not be deleted from the FGT until it is back up. Sophos had this setting on the firewall.

Tuncay BAS
RZK Muhendislik Turkey
NSE 4 5 6
FCESP v5
#5
xsilver_FTNT
Expert Member
Re: When FSSO is disconnected 2019/01/24 06:15:54 (permalink)
0
Not sure I understand your topology, but ..
- if the Collector Agent (and so AD, probably) is behind a VPN, let's say we talk about the user list on an FGT which is in a branch office, and the Collector is behind an IPsec VPN to HQ, where AD, LDAP and the Collector are
- then if this VPN goes down, the Collector in HQ becomes unreachable, and the FSSO user list is pending update
- then this FSSO user list will be kept for those 5 minutes from the time when the branch FGT detected that the socket and connection to the Collector in HQ is down
- after those 5 minutes all the FSSO users known from this, at the moment, unreachable Collector will be removed, with all consequences to sessions

Not sure how Sophos or other vendors do this, or if they keep users as pseudo-authenticated forever. I don't know.
FortiGate has this graceful 5-minute period and then those users are seen as unauthenticated, as their identity cannot be verified over FSSO anymore.
If this is the case and your VPN flaps often and is down for more than 5 minutes, then I'd suggest having some authentication fallback method.

Kind Regards,
Tomas
#6
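The retention behaviour Tomas describes in #2 and #6, written up as an added example (this is a model built from the thread's description, not FortiOS code or anything posted by the participants): the FGT starts a grace timer when the Collector Agent goes unreachable, a reconnect or failover stops it, and otherwise the learned user list is cleared after 5 minutes. The flap timeline and user names are constructed; replaying a real VPN outage history shows which outages would have dropped users to guest.

```python
"""Model of the FSSO user-list grace window after losing the Collector Agent."""
from dataclasses import dataclass, field
from typing import Optional

GRACE_SECONDS = 5 * 60  # hardcoded 5-minute grace period described in the thread


@dataclass
class FssoState:
    users: set = field(default_factory=set)
    down_since: Optional[float] = None  # when the Collector was first seen unreachable

    def collector_down(self, t: float) -> None:
        if self.down_since is None:      # a repeated "down" does not restart the timer
            self.down_since = t

    def collector_up(self) -> None:
        self.down_since = None           # reconnect (or verification via next Collector) stops it

    def expire(self, t: float) -> Optional[float]:
        """Clear the list if the grace period has elapsed by time t.
        Returns the exact time the wipe took effect, or None if users are kept."""
        if self.down_since is not None and t - self.down_since >= GRACE_SECONDS:
            wiped_at = self.down_since + GRACE_SECONDS
            self.users.clear()           # everyone now falls back to guest
            self.down_since = None
            return wiped_at
        return None


def replay(users, events, until: float):
    """Replay (time_s, 'down'|'up') Collector events over a learned user list.
    Returns (users still authenticated at `until`, list of wipe times)."""
    state, wipes = FssoState(set(users)), []
    for t, event in sorted(events):
        wiped = state.expire(t)          # evaluate the timer before applying the event
        if wiped is not None:
            wipes.append(wiped)
        if event == "down":
            state.collector_down(t)
        elif event == "up":
            state.collector_up()
    wiped = state.expire(until)
    if wiped is not None:
        wipes.append(wiped)
    return state.users, wipes


# Constructed VPN-flap timeline: a 2-minute blip (users survive), then a
# 400-second outage that crosses the 5-minute window (list wiped at 800 s).
FLAPS = [(0, "down"), (120, "up"), (500, "down"), (900, "up")]

if __name__ == "__main__":
    print(replay({"alice", "bob"}, FLAPS, until=1000))  # (set(), [800])
```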