FSSO polling mode - can’t see user logins

Author
Farroo
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/06/22 10:02:50
  • Status: offline
2019/06/23 11:29:15 (permalink)
0

FSSO polling mode - can’t see user logins

Hi,
We have a situation where we have set up LDAP correctly and are able to browse the user directory; all groups etc. are showing as expected.
The problem we have seen is that any users logged in are not being seen by the firewall.
There are no antivirus/firewall port blocks on the AD server, and an admin account is used for polling.
Firewall debug is showing sent login info packet 1 and no login info received packets.
This is a 300E firewall in VDOM mode, unfortunately running 5.2.10, which we can't upgrade on the sly as it has other live customers, and Fortinet TAC is not helping as it is an outdated version.
Wondering if anyone else has come across this before and can share some pointers?
We think it's an issue on the AD server but don't have enough substance to prove it back to the end user.
Thanks.
#1

11 Replies Related Threads

    xsilver
    Expert Member
    • Total Posts : 482
    • Scores: 123
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Location: EMEA
    • Status: offline
    Re: FSSO polling mode - can’t see user logins 2019/06/24 01:55:37 (permalink)
    0
    Hi Farroo,
    unfortunately it's not clear, at least to me, what sort of authentication you are trying to do/have.
    Is it LDAP-based auth, or FSSO? If FSSO, then are you polling DC(s) directly from the FortiGate, or do you use a Collector Agent installed on one of the DCs (preferred option)?

    Kind Regards,
    Tomas
    #2
    Farroo
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/06/22 10:02:50
    • Status: offline
    Re: FSSO polling mode - can’t see user logins 2019/06/24 12:56:20 (permalink)
    0
    Sorry xsilver, I thought I mentioned FSSO...
    Polling mode on the FortiGate and no agent on the DC. We have a number of other customers with exactly the same setup; we are just having issues with this one and are unable to prove it's an issue with AD.
    We have set up the LDAP server on the FortiGate, then FSSO using that server; we are able to browse the AD server and can see groups, users etc., but are not seeing any user logins.
    The account on AD is admin and it can read user login events.
    Don't know where else to look...
    #3
    Alivo_ FTNT
    Platinum Member
    • Total Posts : 89
    • Scores: 42
    • Reward points: 0
    • Joined: 2013/04/30 12:42:47
    • Location: Fortinet TAC Prague
    • Status: offline
    Re: FSSO polling mode - can’t see user logins 2019/06/26 02:19:56 (permalink)
    0
    Hello Farroo,
    First, about the 5.2.10
    ("This is a 300e firewall in vdom mode- unfortunately running 5.2.10 which we cant upgrade just on the sly as it does have other live customers and fortinet tac not helping as its out dated version.")
     
    FortiGate is a security device and its purpose is to protect. Old firmware versions that are not supported anymore can be (are) vulnerable to various vulnerabilities. An insecure security device loses its purpose. Firmware needs to be up to date.
     
    To the FSSO issue: which AD version does the customer have?
    Do you monitor the user groups whose users' logons are expected to be seen?
    Which Windows Security logon events are generated by the users' logons?
     
    Alivo
     
     
    #4
    catalinv
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/02/15 06:08:40
    • Status: offline
    Re: FSSO polling mode - can’t see user logins 2019/10/24 00:29:37 (permalink)
    0
    Hi everyone, 
    I have the same problem - not seeing logged on users in Fortigate.
    I'm in testing mode for now: one DC, and using my domain user for testing traffic. 
    I have a 200E and firmware v5.6.5 build1600.
    I configured LDAP server and SSO, I can see the AD tree and select my user - that has been added to the user group I use on the policy.
    The domain user I'm using to configure LDAP and SSO is not a domain admin; should it be?
    I see no messages in the CLI with the debug commands.
     
    FW # diagnose debug authd fsso server-status
     
    FW # 
    Server Name      Connection Status     Version               Address
    -----------      -----------------     -------               -------
    Local FSSO Agent            connected         FSAE server 1.1       127.0.0.1
     
    FW # diagnose debug authd fsso list
    ----FSSO logons----
    Total number of logons listed: 0, filtered: 0
    ----end of FSSO logons----
     
    The traffic is not matching my policy; there are no hits.
    As far as I understand, there is no need to install the FSSO Collector on a domain server for a polling-mode configuration.
     
    thank you,
    have a nice day,
    Catalin
    #5
    xsilver
    Expert Member
    • Total Posts : 482
    • Scores: 123
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Location: EMEA
    • Status: offline
    Re: FSSO polling mode - can’t see user logins 2020/02/06 01:39:57 (permalink)
    0
    Hi Catalin,
    FortiGate can poll DCs for logon events directly; however, a standalone Collector Agent offers much more.
     
    To debug local polling from FortiGate ...
     
    2. do you see any users, or do you see 0 users?
    FGT-VM64-1 (root) # diag debug fsso-polling user
    FSSO: vd index(0), AD_Server(192.168.32.21), Users(0)
    3. if zero users, what is the poller status?
    do you have AD connected?
    do you have successful pollings?
    does your user in AD fit in the group filter?
    FGT-VM64-1 (root) # diagnose debug fsso-polling detail
    AD Server Status:
    ID=1, name(192.168.32.21),ip=192.168.32.21,source(security),users(0)
    port=auto username=Administrator
    read log offset=1370140, latest logon timestamp: Wed Jun 4 15:43:25 2014
    polling frequency: every 10 second(s) success(5043), fail(0)
    LDAP query: success(0), fail(0)
    LDAP max group query period(seconds): 0
    Total max polling period(seconds): 1
    most recent connection status: connected
    Group Filter:
    CN=group1,CN=Users,DC=XSILAB,DC=int+CN=group2,CN=Users,DC=XSILAB,DC=int

    4. check the Security log on the DC/AD
    try to log off and log in with a test (known) user account from a test workstation (known NetBIOS name and IP, from ipconfig /all).
    do you see user logon events?
    what event IDs do you see? are those event IDs in the list below, so the FSSO poller can read them?
    We mostly use Kerberos logon events as they contain all the info we need; we do not monitor all logon event IDs, as not all of them contain the required info about user and workstation.
    For Win2K8 we use EventID: 4768, 4769, 4776 and for Win2K3 EventID: 672, 673, 680.
     

    Kind Regards,
    Tomas
    #6
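The check in step 4 above (log in with a known user, then look on the DC for the event IDs the poller reads) can be scripted. The following PowerShell is an added example, not code from the thread or from Fortinet; it assumes a Windows Server 2008 or later DC (event IDs 4768/4769/4776) and an elevated session on that DC. The `-User` filter name and the one-hour window are this example's own choices.

```powershell
# Added example (not from the thread or from Fortinet): list the Kerberos/NTLM
# logon events the FortiGate poller reads (4768, 4769, 4776) together with the
# user and source address each one carries, so you can confirm the DC actually
# produces them for a test logon. Run elevated on the polled DC.
# Assumption: Windows Server 2008 or later (the Win2K8 event IDs from the post).
param(
    [int]$Hours = 1,        # how far back to look
    [string]$User = ''      # optional sAMAccountName prefix, e.g. 'testuser'
)

$filter = @{
    LogName   = 'Security'
    Id        = 4768, 4769, 4776
    StartTime = (Get-Date).AddHours(-$Hours)
}

# No match is a non-terminating error; suppress it and handle the empty case below.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4768/4769 (Kerberos) carry the client IP in IpAddress, usually as an
    # IPv4-mapped IPv6 address (::ffff:10.0.0.5); 4776 (NTLM) carries only the
    # workstation name, which is why the post prefers the Kerberos events.
    $ip = $data['IpAddress'] -replace '^::ffff:', ''
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        User        = $data['TargetUserName']
        Workstation = $data['Workstation']
        IpAddress   = $ip
        Status      = $data['Status']     # 0x0 = success for 4768/4769/4776
    }
}

if ($User) { $rows = $rows | Where-Object { $_.User -like "$User*" } }

if (-not $rows) {
    Write-Warning ("No 4768/4769/4776 events in the last $Hours hour(s). " +
                   "Check Advanced Audit Policy > Account Logon on this DC.")
} else {
    $rows | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

Run it right after the test logon from the known workstation; if the user shows up here with the expected IP but `diagnose debug fsso-polling user` still reports 0 users, the problem is on the FortiGate side (account rights, group filter, or the RPC connection to the log), not the DC's auditing.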
    nbctcp
    Silver Member
    • Total Posts : 93
    • Scores: 4
    • Reward points: 0
    • Joined: 2015/03/05 04:48:26
    • Location: Indonesia
    • Status: offline
    Re: FSSO polling mode - can’t see user logins 2020/02/24 14:55:01 (permalink)
    0
    I encountered the same issue as yours when using "Fabric Connectors/Poll Active Directory Server" on 6.2.3.
    Once I changed to "Fabric Connectors/Fortinet Single Sign-on Agent"
    I didn't have any problem at all, but you must upgrade your OS to 6.2.3.
     
    #7
    xsilver
    Expert Member
    • Total Posts : 482
    • Scores: 123
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Location: EMEA
    • Status: offline
    Re: FSSO polling mode - can’t see user logins 2020/02/25 01:38:52 (permalink)
    0
    Local polling from FortiGate is quite different from the standalone Collector Agent.
    The differences have been discussed here in the forum many times.
    A KB with a short summary of the differences is here: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD38897

    Kind Regards,
    Tomas
    #8
    Alivo_ FTNT
    Platinum Member
    • Total Posts : 89
    • Scores: 42
    • Reward points: 0
    • Joined: 2013/04/30 12:42:47
    • Location: Fortinet TAC Prague
    • Status: offline
    Re: FSSO polling mode - can’t see user logins 2020/02/26 02:18:22 (permalink)
    5 (1)
    @nbctcp

    You can try to read outputs of:
     
    di de application fssod -1
    di de application smbcd -1

    when you login to domain with your user.


    Best Regards,
    Alivo
     
    #9
    nbctcp
    Silver Member
    • Total Posts : 93
    • Scores: 4
    • Reward points: 0
    • Joined: 2015/03/05 04:48:26
    • Location: Indonesia
    • Status: offline
    Re: FSSO polling mode - can’t see user logins 2020/02/26 18:57:32 (permalink)
    0
    SW INFO:
    -FORTIOS 6.2.3 kvm eval key
    -WIN2008 as AD Server
     
    STATUS:
    -Security Fabric/Fabric Connectors/Active Directory Connector shows a red down arrow
     
    # di de application fssod -1
    # di de application smbcd -1
    Debug messages will be on for 30 minutes.
    FGT1 # smbcd: daemon debug level set to [16777215]
    smbcd: SMB library debug level set to [8]
    smbcd: smbcd_process_request:968 got cmd id: 6
    smbcd: smbcd_process_request:981 got rpc log field.
    smbcd: smbcd_process_request:993 got rpc username: administrator
    smbcd: smbcd_process_request:999 got rpc password: XXXXXXXX
    smbcd: smbcd_process_request:1003 got rpc port: 0
    smbcd: smbcd_process_request:1009 got rpc logsrc: security
    smbcd: smbcd_process_request:987 got rpc server: 10.0.3.2
    smbcd: smbcd_process_request:1036 got VFID, 0
    smbcd: smbcd_process_request:1140 got rpc eventlog read command
    smbcd: rpccli_eventlog_open:121 /Chroot_Build/19/SVN_REPO_CHILD/FortiOS/fortinet/daemon/smbcd/smbcd_eventlog.c-121: connect err(NT_STATUS_NOT_SUPPORTED)
    smbcd: rpc_cmd_eventlog_read:919 open rpc err(10.0.3.2:administrator:0) from security log!, Please check correct server name, user name, password, port and log source
    [handle_reply:491] wrong format of data status. len 8 <> 4.
     
    config user ldap
        edit "DC1"
            set server "10.0.3.2"
            set cnid "cn"
            set dn "dc=ngtrain,dc=com"
            set type regular
            set username "cn=administrator,cn=users,dc=ngtrain,dc=com"
            set password Password
        next
    end
    config user fsso
        edit "Local FSSO Agent"
            set server "127.0.0.1"
        next
        edit "DC1"
            set server "10.0.3.2"
            set password Password
        next
    end
    config user fsso-polling
        edit 1
            set server "10.0.3.2"
            set user "administrator"
            set password Password
            set ldap-server "DC1"
            config adgrp
                edit "CN=HR,CN=Users,DC=ngtrain,DC=com"
                next
                edit "CN=IT,CN=Users,DC=ngtrain,DC=com"
                next
                edit "CN=SALES,CN=Users,DC=ngtrain,DC=com"
                next
            end
        next
    end
     
    #10
    Alivo_ FTNT
    Platinum Member
    • Total Posts : 89
    • Scores: 42
    • Reward points: 0
    • Joined: 2013/04/30 12:42:47
    • Location: Fortinet TAC Prague
    • Status: offline
    Re: FSSO polling mode - can’t see user logins 2020/02/27 02:49:21 (permalink)
    5 (1)
    Hello,
     
    The answer is probably here: 
     
    got rpc eventlog read command
    smbcd: rpccli_eventlog_open:121 /Chroot_Build/19/SVN_REPO_CHILD/FortiOS/fortinet/daemon/smbcd/smbcd_eventlog.c-121: connect err(NT_STATUS_NOT_SUPPORTED)
    smbcd: rpc_cmd_eventlog_read:919 open rpc err(10.0.3.2:administrator:0) from security log!, Please check correct server name, user name, password, port and log source
     
    Often, the issue is that the user used in the FSSO configuration does not have sufficient rights to read the event log. The fastest check would be to use a domain admin with the correct password.
     
    Best Regards,
    Alivo
    #11
    nbctcp
    Silver Member
    • Total Posts : 93
    • Scores: 4
    • Reward points: 0
    • Joined: 2015/03/05 04:48:26
    • Location: Indonesia
    • Status: offline
    Re: FSSO polling mode - can’t see user logins 2020/02/27 19:54:49 (permalink)
    0
    SW INFO:
    -Windows Server 2008R2
     
    STATUS: working.
    I am logged in as domain administrator and these need to be changed in the GPO:
     
    DC1
    type gpmc in cmd
    right-click Edit on Forest: domain.com/Domains/domain.com/Default Domain Policy
    click Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Logon

    Change these to Success:
    Audit Credential Validation
    Audit Kerberos Authentication Service
    Audit Kerberos Service Ticket Operations
    #12
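The three Account Logon subcategories from the post above map to the event IDs the poller reads (Credential Validation = 4776, Kerberos Authentication Service = 4768, Kerberos Service Ticket Operations = 4769). The following PowerShell is an added example, not from the thread or from Fortinet, for enabling them locally with `auditpol` and verifying the effective policy; it assumes an elevated session on the DC and English subcategory names (`auditpol` names are locale-dependent).

```powershell
# Added example (not from the thread or from Fortinet): enable Success auditing
# for the Account Logon subcategories the FSSO poller depends on, then print
# the effective policy. Run elevated on the DC.
# Caveat: a local auditpol change is overwritten at the next group policy
# refresh, so the persistent fix is the GPO change described in the post;
# this is for confirming the effect immediately and for the verification step.
$subcategories = @(
    'Credential Validation',               # NTLM, event 4776
    'Kerberos Authentication Service',     # TGT requests, event 4768
    'Kerberos Service Ticket Operations'   # service tickets, event 4769
)

foreach ($s in $subcategories) {
    auditpol.exe /set /subcategory:"$s" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$s' (run elevated?)" }
}

# Every one of the three rows should now read "Success" (or "Success and Failure").
auditpol.exe /get /category:'Account Logon'
```

If the rows revert to "No Auditing" after `gpupdate /force`, a GPO with a different Advanced Audit Policy is winning; fix it in Group Policy as the post describes rather than re-running the local command.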