FSSO Info (slide transcript)

FortiGate FSSO

FSSO Components
Diagram (reconstructed from the slide figure; the port labels are the ones shown on the slide):
• Windows domain controller without agent (polling) to collector agent (CA): TCP 445
• Windows domain controller without agent (polling) to FortiGate (agentless polling): TCP 445
• Windows domain controller with DC agent to CA: UDP 8002
• Terminal or Citrix server with TS agent to CA: UDP 8002
• CA to FortiGate: TCP 8000

FSSO Modes
• DC agent:
o Logon events pushed to the CA in real-time
• Polling:
o NetAPI:
• Polls the NetSessionEnum API every 9 seconds
o WinSecLog:
• Polls all security event logs every 10 seconds
• Polls can be done directly from the FortiGate (agentless polling)
o WMI:
• Polls specific security event logs every 3 seconds

Group Membership Check
Flowchart (reconstructed from the slide figure):
• Logon detected
• Ignore user?
o yes: discard logon
o no: continue
• User group in cache?
o no: look up the group through LDAP or API directory access, then continue
o yes: continue
• User group monitored?
o no: discard logon
o yes: send logon to FortiGate

Workstation Check
• Logon detected
• CA polls known workstations based on the verify interval:
o WMI mode: check the WMI service
o Other modes: check the HKEY_USERS hive via remote registry services
• If the workstation is not responding, it goes to “not verified” status

IP Address Change Verification
• Every verify interval, the CA checks for any IP address change
• The CA uses DNS to resolve the workstation name
• If the IP address has changed, the CA sends a logoff and a logon, with the new IP address, to the FGT

Additional Requirements
• TCP ports 139 and 445 must be open between CA and all
workstations
• Remote registry service must be up and running on each
workstation:
o CA periodically verifies that user is still logged into the workstation
• Ensure that workstations have proper DNS registration and it is
updated whenever IP changes
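
The following simulation of one CA verify interval, covering the workstation check, the IP address change verification and the DNS dependency from the three slides above, is an added illustration and not Fortinet's collector agent code. The `reachable` table stands in for the remote-registry (HKEY_USERS) or WMI-service check, the `dns` table stands in for the DNS query, and the host names, users and addresses are constructed; the `unresolved` bookkeeping for workstations with no DNS record is an assumption added here to make the "workstation needs a proper DNS registration" requirement visible.

```python
"""Simulation of the collector agent's verify interval (added example, not Fortinet code).

reachable: constructed name -> bool table standing in for the remote-registry / WMI check
dns:       constructed name -> IP table standing in for DNS resolution of the workstation name
"""
from dataclasses import dataclass, field


@dataclass
class Workstation:
    name: str
    user: str
    ip: str                      # IP address currently known to the CA for this logon
    status: str = "verified"     # becomes "not verified" when the host stops responding


@dataclass
class VerifyResult:
    events: list = field(default_factory=list)        # (action, user, ip) sent to the FortiGate
    not_verified: list = field(default_factory=list)  # workstations that did not respond
    unresolved: list = field(default_factory=list)    # assumption: hosts with no DNS record


def verify_interval(workstations, dns, reachable):
    """Run one pass over all known workstations, as the CA does every verify interval."""
    result = VerifyResult()
    for ws in workstations:
        # Workstation check: WMI service / remote registry not answering -> "not verified"
        if not reachable.get(ws.name, False):
            ws.status = "not verified"
            result.not_verified.append(ws.name)
            continue
        ws.status = "verified"

        # IP address change verification: the CA relies on DNS for the current address
        new_ip = dns.get(ws.name)
        if new_ip is None:
            result.unresolved.append(ws.name)   # no registration: a change cannot be detected
            continue
        if new_ip != ws.ip:
            # Address changed: send a logoff for the old IP and a logon with the new IP
            result.events.append(("logoff", ws.user, ws.ip))
            result.events.append(("logon", ws.user, new_ip))
            ws.ip = new_ip
    return result


def sample_pass():
    """Constructed scenario: one unchanged host, one that moved to WiFi, one hibernating, one without DNS."""
    workstations = [
        Workstation("WS-ALICE", "alice", "10.0.0.11"),
        Workstation("WS-BOB", "bob", "10.0.0.12"),      # moved from wired LAN to WiFi
        Workstation("WS-CAROL", "carol", "10.0.0.13"),  # in hibernate mode, not responding
        Workstation("WS-DAVE", "dave", "10.0.0.14"),    # no DNS record registered
    ]
    dns = {"WS-ALICE": "10.0.0.11", "WS-BOB": "10.0.1.12", "WS-CAROL": "10.0.0.13"}
    reachable = {"WS-ALICE": True, "WS-BOB": True, "WS-CAROL": False, "WS-DAVE": True}
    return workstations, verify_interval(workstations, dns, reachable)


if __name__ == "__main__":
    stations, res = sample_pass()
    for action, user, ip in res.events:
        print(f"{action:6} {user} {ip}")
    print("not verified:", res.not_verified, "unresolved:", res.unresolved)
```

The pass for `WS-BOB` is the case the "No Internet after IP Address Change" slide describes: if the DNS record were stale, `new_ip` would still equal the cached address, no logoff/logon pair would be sent, and the FortiGate would keep matching traffic against the old IP.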

FSSO Troubleshooting

Tracking a Specific User
• Check which DC recorded the logon event:
o echo %logonserver% using cmd.exe
• Check the logon event using the Windows event viewer
• In the CA:
o Check logs and the list of active FSSO users
o Check that the user group is listed in “group filter”
• FortiGate:
o Check logs to verify that the logon event was received
o Check the list of active FSSO users
o Generate traffic from the user workstation and verify that the user is listed in the FortiGate user monitor

CA to DC Connectivity

DC Logon Events
• Use Windows event viewer:
o Search event IDs 4768, 672, 680 and 4776 with audit success

Common Problems
• CA does not have the logon information:
o Verify that the CA is monitoring all DCs
o Check that the CA is receiving logon events from the DCs
o Test the user account and check the CA logs
• CA has the logon information, but the FortiGate does not:
o Check that the FortiGate is connected to the CA
o Run the real-time debugs and test the user account

Common Problems
• User is listed as active in the FortiGate but cannot browse the Internet:
o Check the user IP address in the list of active FSSO users
o Check the user group information
o Check the firewall policies
o Check the CA logs
• FortiGate is randomly blocking some users after some time:
o Check that the CA service is not crashing
o Check for crashes in any of the FortiGate processes
o Check that the connectivity between the FortiGate and CA is stable
o Try to reproduce and check the CA logs

Logon Override
• The CA ignores logon events from anonymous accounts and accounts whose name starts with ‘$’
• However, some applications generate logon events with different system accounts, overriding the user logon event:
o Microsoft MOM
o RDP
• Solution:
o Find the account in the CA logs that is triggering the problem
o Add the account to the CA ignore user list
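
The simulation below ties together the group membership check (the flowchart with the ignore-user test, group cache and group filter), the DC event IDs from the "DC Logon Events" slide, and the logon override problem from this slide. It is an added example and not Fortinet's collector agent code: the event records, the directory table standing in for the LDAP or API lookup, the group filter and the account names are all constructed, the duplicate suppression on an unchanged user/IP pair is an assumption of this simulation, and event ID 4624 is used only as an ID the CA does not track. Running it once with an empty ignore list and once with `svc-rdp` on the list shows the override and its fix.

```python
"""Simulation of how a collector agent (CA) turns DC security events into FSSO logons.
Added example, not Fortinet code; all records and tables below are constructed."""

# Event IDs named on the "DC Logon Events" slide
LOGON_EVENT_IDS = {4768, 672, 680, 4776}

# Constructed security-event records (user and source IP per event)
SAMPLE_EVENTS = [
    {"id": 4768, "success": True,  "user": "alice",           "ip": "10.0.0.11"},
    {"id": 4776, "success": False, "user": "alice",           "ip": "10.0.0.11"},  # audit failure
    {"id": 4624, "success": True,  "user": "bob",             "ip": "10.0.0.12"},  # ID not tracked
    {"id": 4776, "success": True,  "user": "ANONYMOUS LOGON", "ip": "10.0.0.11"},  # anonymous account
    {"id": 4776, "success": True,  "user": "$WS-ALICE",       "ip": "10.0.0.11"},  # name starts with '$'
    {"id": 4776, "success": True,  "user": "alice",           "ip": "10.0.0.11"},  # group cache hit
    {"id": 4768, "success": True,  "user": "svc-rdp",         "ip": "10.0.0.11"},  # app account on alice's host
    {"id": 4776, "success": True,  "user": "carol",           "ip": "10.0.0.13"},  # group not monitored
    {"id": 4768, "success": True,  "user": "bob",             "ip": "10.0.0.12"},
]

# Constructed directory (user -> group) standing in for LDAP / API directory access
DIRECTORY = {"alice": "CN=Sales", "bob": "CN=Engineering",
             "carol": "CN=Guests", "svc-rdp": "CN=Sales"}
GROUP_FILTER = {"CN=Sales", "CN=Engineering"}   # groups monitored by the CA


class CollectorAgent:
    def __init__(self, directory, group_filter, ignore_users=()):
        self.directory = directory
        self.group_filter = set(group_filter)
        self.ignore_users = {u.lower() for u in ignore_users}  # configured ignore user list
        self.group_cache = {}        # user -> group, filled on the first directory lookup
        self.directory_lookups = 0   # number of cache misses
        self.active_users = {}       # ip -> (user, group): the "active FSSO users" list
        self.sent = []               # logons forwarded to the FortiGate

    def is_ignored(self, user):
        # Built-in rules from the "Logon Override" slide plus the configured ignore list
        return (user.lower() == "anonymous logon"
                or user.startswith("$")
                or user.lower() in self.ignore_users)

    def lookup_group(self, user):
        # "User group in cache?" -> on a miss, LDAP or API directory access
        if user not in self.group_cache:
            self.directory_lookups += 1
            self.group_cache[user] = self.directory.get(user)
        return self.group_cache[user]

    def process(self, events):
        for ev in events:
            if ev["id"] not in LOGON_EVENT_IDS or not ev["success"]:
                continue                                  # not a successful logon event
            if self.is_ignored(ev["user"]):
                continue                                  # ignore user: discard logon
            group = self.lookup_group(ev["user"])
            if group not in self.group_filter:
                continue                                  # group not monitored: discard logon
            entry = (ev["user"], group)
            if self.active_users.get(ev["ip"]) == entry:
                continue                                  # assumption: same user/IP not re-sent
            self.active_users[ev["ip"]] = entry           # a later logon on the same IP overrides
            self.sent.append((ev["user"], group, ev["ip"]))
        return self.sent


def run(ignore_users=()):
    """Process the sample events with the given ignore list and return the agent state."""
    ca = CollectorAgent(DIRECTORY, GROUP_FILTER, ignore_users)
    ca.process(SAMPLE_EVENTS)
    return ca


if __name__ == "__main__":
    for label, ca in (("default", run()), ("svc-rdp ignored", run(ignore_users=("svc-rdp",)))):
        print(label, "->", ca.active_users)
```

With the default configuration the `svc-rdp` event replaces alice on 10.0.0.11, which is exactly what the FortiGate then sees as the active user for that address; adding the account to the ignore list keeps alice's entry intact. The `directory_lookups` counter shows the cache at work: alice's second event never reaches the directory.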

No Internet after IP Address Change
• When this problem might happen:
o Workstation moved between LAN and WiFi
o Workstation is back from hibernate mode
• Check the workstation name DNS resolution from the CA:
o The CA relies on DNS to get an accurate IP address
• Workaround:
o Configure FSSO guest users
o Set the workstation check and dead entry timers to zero
• Solution:
o Configure workstations to send dynamic updates to the DNS server
o For multi-homed scenarios (both wired and wireless are UP), the DNS server should be able to return both IP addresses