TuncayBAS
Contributor II

When FSSO is disconnected

On a system with FSSO user settings, is it possible for the FortiGate to retain the last user logon list that was taken by the FSSO when it was disconnected, and to allow the outputs? When FSSO is disconnected, everyone appears to be a guest.

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5

xsilver_FTNT
Staff

Hi,

Actually, FortiGate (FGT hereinafter) is retaining the list.

When the Collector Agent is seen as disconnected or unreachable, the FSSO user list is retained for 5 minutes before one of the following occurrences happens:

- the connection to the Collector Agent is re-established

- the user list is verified with the next Collector Agent in the list (if you do have multiple Collectors inside the FSSO Agent on the FGT)

- the user list is wiped out from the FGT

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

TuncayBAS

These 5 minutes, do we have a chance of extension?

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5

xsilver_FTNT

Hi,

No direct chance of extending this timer.

It's a hardcoded timer for graceful wipe-out of the FSSO user list once the FGT loses connection to the Collector Agent, which is the authoritative source of this list, not the FGT.

To stop this timer from ticking, to keep users in the list, and so keep them seen as authenticated, and so sessions running etc. etc., you 'just' need to make the Collector Agent reachable and the FGT connected to it again. Simple, right?

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

TuncayBAS

Thank you, but the FSSO connection is online over VPN. When the VPN is disconnected, the user list should not be deleted from the FGT until it is back up. Sophos had this setting on the firewall.

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5

xsilver_FTNT

Not sure I understand your topology, but ..

- if the Collector Agent (and so AD, probably) is behind the VPN, let's say we talk about the user list on an FGT which is in a branch office, and the Collector is behind an IPsec VPN to HQ, where AD, LDAP and the Collector are

- then if this VPN goes down, the Collector in HQ becomes unreachable, and the FSSO user list is pending update

- then this FSSO user list will be kept for those 5 minutes from the time when the branch FGT detected that the socket and connection to the Collector in HQ is down

- after those 5 minutes, all the FSSO users known from this, at the moment, unreachable Collector will be removed, with all consequences to sessions

Not sure how Sophos or other vendors do this, or if they keep users as pseudo-authenticated forever. I don't know.

FortiGate has this graceful 5-minute period, and then those users are seen as unauthenticated, as their identity cannot be verified over FSSO anymore.

If this is the case and your VPN flaps often and is down for more than 5 minutes, then I'd suggest having some authentication fallback method.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
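The branch-office timeline described in this thread, as an added example that is neither part of the original posts nor FortiOS code: a constructed Python model of the grace period, the reconnect, the fallback Collector and the wipe, so the effect of an outage longer than 5 minutes can be seen. All class, method and user names are assumptions.

```python
"""Constructed model of the FSSO user-list retention behaviour described in
the thread (not FortiOS code). After the FGT detects the Collector Agent is
unreachable, the list is kept for a 300-second grace period and then wiped,
unless the connection comes back or the next Collector verifies the users."""

GRACE_SECONDS = 300  # the hardcoded 5-minute timer the reply describes


class FssoUserList:
    def __init__(self, users):
        self.users = set(users)
        self.disconnected_at = None  # when the FGT noticed the socket was down

    def collector_down(self, now):
        # the timer starts once, at first detection of the outage
        if self.disconnected_at is None:
            self.disconnected_at = now

    def collector_up(self, now):
        # connection re-established: timer stops, list is kept as-is
        self.disconnected_at = None

    def verified_by_next_collector(self, now, users):
        # another Collector in the agent's list confirms the logons; adopt its view
        self.users = set(users)
        self.disconnected_at = None

    def tick(self, now):
        # periodic check: once the grace period has elapsed the list is wiped
        if self.disconnected_at is not None and now - self.disconnected_at >= GRACE_SECONDS:
            self.users.clear()
            self.disconnected_at = None

    def is_authenticated(self, user):
        return user in self.users


def simulate_vpn_outage(outage_seconds, reconnect=True):
    """Branch FGT loses the VPN to HQ at t=0 and regains it after
    outage_seconds; returns whether 'alice' is still seen as authenticated."""
    fsso = FssoUserList({"alice", "bob"})  # constructed sample logons
    fsso.collector_down(0)
    for t in range(0, outage_seconds + 1, 10):  # FGT re-checks every 10 s
        fsso.tick(t)
    if reconnect:
        fsso.collector_up(outage_seconds)
    return fsso.is_authenticated("alice")
```

A 4-minute flap leaves the users authenticated; a 6-minute one wipes them, and reconnecting afterwards does not bring them back until the Collector re-sends the logons.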
