FortiGate FSSO

FSSO Components (diagram)
- FortiGate <-> Windows server with collector agent (CA): TCP 8000
- FortiGate <-> Windows domain controller without agent (agentless polling): TCP 445
- Collector agent <-> Windows domain controller without agent (polling): TCP 445
- Windows domain controller with DC agent -> collector agent: UDP 8002
- Terminal or Citrix server with TS agent -> collector agent: UDP 8002
FSSO Modes
- DC agent:
  o Logon events are pushed to the CA in real time
- Polling:
  o NetAPI: polls the NetSessionEnum API every 9 seconds
  o WinSecLog: polls all security event logs every 10 seconds; polls can be done directly from the FortiGate (agentless polling)
  o WMI: polls specific security event logs every 3 seconds
Group Membership Check (flowchart)
1. Logon detected.
2. Is the user group in the cache? If not, look it up through LDAP or API directory access.
3. Is the user group monitored? If not, discard the logon.
4. Is the user on the ignore list? If yes, discard the logon.
5. Otherwise, send the logon to the FortiGate.
Workstation Check
- Logon detected
- The CA polls known workstations based on the verify interval:
  o WMI mode: checks the WMI service
  o Other modes: checks the HKEY_USERS hive via the remote registry service
- If the workstation is not responding, it goes to "not verified" status
IP Address Change Verification
- Every verify interval, the CA checks for any IP address change
- The CA uses DNS to resolve the workstation name
- If the IP address has changed, the CA sends a logoff and a logon, with the new IP address, to the FortiGate
Additional Requirements
- TCP ports 139 and 445 must be open between the CA and all workstations
- The remote registry service must be up and running on each workstation:
  o The CA periodically verifies that the user is still logged into the workstation
- Ensure that workstations have proper DNS registration and that it is updated whenever the IP changes
FSSO Troubleshooting

Tracking a Specific User
- Check which DC recorded the logon event:
  o echo %logonserver% using cmd.exe
  o Check the logon event using the Windows event viewer
- In the CA:
  o Check the logs and the list of active FSSO users
  o Check that the user group is listed in the group filter
- FortiGate:
  o Check the logs to verify that the logon event was received
  o Check the list of active FSSO users
  o Generate traffic from the user workstation and verify that the user is listed in the FortiGate user monitor
CA to DC Connectivity (diagram slide; no text content)
DC Logon Events
- Use the Windows event viewer:
  o Search for event IDs 4768, 672, 680 and 4776 with Audit Success
Common Problems
- The CA does not have the logon information:
  o Verify that the CA is monitoring all DCs
  o Check that the CA is receiving logon events from the DCs
  o Test the user account and check the CA logs
- The CA has the logon information, but the FortiGate does not:
  o Check that the FortiGate is connected to the CA
  o Run the real-time debugs and test the user account
Common Problems (continued)
- The user is listed as active in the FortiGate but cannot browse the Internet:
  o Check the user IP address in the list of active FSSO users
  o Check the user group information
  o Check the firewall policies
  o Check the CA logs
- The FortiGate is randomly blocking some users after some time:
  o Check that the CA service is not crashing
  o Check for crashes in any of the FortiGate processes
  o Check that the connectivity between the FortiGate and the CA is stable
  o Try to reproduce and check the CA logs
Logon Override
- The CA ignores logon events from anonymous accounts and accounts whose name starts with $
- However, some applications generate logon events with different system accounts, overriding the user logon event:
  o Microsoft MOM
  o RDP
- Solution:
  o Find the account in the CA logs that is triggering the problem
  o Add the account to the CA ignore user list
No Internet after IP Address Change
- When this problem might happen:
  o Workstation moved between LAN and WiFi
  o Workstation is back from hibernate mode
- Check the workstation name DNS resolution from the CA; the CA relies on DNS to get an accurate IP address
- Workaround:
  o Configure FSSO guest users
  o Set the workstation check and dead entry timers to zero
- Solution:
  o Configure workstations to send dynamic updates to the DNS server
  o For multi-homed scenarios (both wired and wireless are up), the DNS server should be able to return both IP addresses
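Added example, not from the Fortinet slides, tying together the "DC Logon Events" and "No Internet after IP Address Change" slides: it pulls a user's Audit Success 4768/4776 events from the DC that authenticated them, then forward-resolves the client's DNS name the way the CA does on each verify interval and flags a stale record. $UserName and $DomainController are placeholders; it assumes remote read access to the DC's Security log and a reachable DNS server.

```powershell
# Added example, not from the Fortinet slides. Placeholders: $UserName,
# $DomainController (defaults to the DC in %logonserver%). Assumes remote
# read access to the DC's Security log and DNS reachable from this host.
param(
    [Parameter(Mandatory)][string]$UserName,
    [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),
    [int]$Hours = 1
)

# 4768 = Kerberos TGT request, 4776 = NTLM credential validation (the IDs the
# slides list; 672/680 are their pre-2008 equivalents and carry no XML fields).
$filter = @{ LogName = 'Security'; Id = 4768, 4776; StartTime = (Get-Date).AddHours(-$Hours) }

Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
  Where-Object { $_.KeywordsDisplayNames -contains 'Audit Success' } |
  ForEach-Object {
    # Read the named EventData fields from the XML instead of parsing the
    # localized message text.
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data.TargetUserName -notlike "$UserName*") { return }   # 4768 may append @REALM

    # 4768 carries the client IP (IPv4-mapped); 4776 carries the workstation name.
    $ip = $data.IpAddress -replace '^::ffff:', ''
    $dnsState = 'n/a'
    if ($ip) {
        # Reverse-resolve the IP, then forward-resolve that name the way the CA
        # does on every verify interval. A mismatch means the CA would push a
        # stale IP to the FortiGate after an address change.
        $ptr = Resolve-DnsName $ip -Type PTR -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($ptr) {
            $fwd = Resolve-DnsName $ptr.NameHost -Type A -ErrorAction SilentlyContinue
            $dnsState = if ($fwd.IPAddress -contains $ip) { 'DNS OK' } else { 'DNS STALE' }
        } else {
            $dnsState = 'no PTR'
        }
    }

    [pscustomobject]@{
        Time        = $_.TimeCreated
        EventId     = $_.Id
        User        = $data.TargetUserName
        Workstation = $data.Workstation
        ClientIP    = $ip
        DnsCheck    = $dnsState
    }
  }
```

A "DNS STALE" row for a user who is active in the CA but has no Internet access points at the DNS registration fix on the last slide rather than at the FortiGate policy.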