
FortiGate

FSSO

FSSO Components
[Diagram: FSSO components and the ports used between them]
- FortiGate <-> Windows domain controller without agent (polling): TCP 445
- FortiGate <-> Windows server with collector agent (CA): TCP 8000
- CA <-> Windows domain controller (polling): TCP 445
- Windows domain controller with DC agent -> CA: UDP 8002
- Terminal or Citrix server with TS agent -> CA: UDP 8002

FSSO Modes
- DC agent:
  o Logon events pushed to the CA in real-time
- Polling:
  o NetAPI: polls the NetSessionEnum API every 9 seconds
  o WinSecLog: polls all security event logs every 10 seconds; polls can be done directly from the FortiGate (agentless polling)
  o WMI: polls specific security event logs every 3 seconds

Group Membership Check
[Flowchart: how the CA decides whether to forward a detected logon]
1. Logon detected
2. User group in cache? If no, look it up via LDAP or API directory access
3. User group monitored? If no, discard the logon
4. Ignore user? If yes, discard the logon
5. Otherwise, send the logon to the FortiGate

Workstation Check
- Logon detected
- CA polls known workstations based on the verify interval
  o WMI mode: check the WMI service
  o Other modes: check the HKEY_USERS hive via the remote registry service
- If the workstation is not responding, it goes to not verified status

IP Address Change Verification
- Every verify interval, the CA checks for any IP address change
- The CA uses DNS to resolve the workstation name
- If the IP address has changed, the CA sends a logoff and a logon, with the new IP address, to the FGT

Additional Requirements
- TCP ports 139 and 445 must be open between the CA and all workstations
- The remote registry service must be up and running on each workstation:
  o The CA periodically verifies that the user is still logged into the workstation
- Ensure that workstations have proper DNS registration and that it is updated whenever the IP changes
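As an added example (not from the Fortinet slides), a PowerShell function that checks these requirements from the CA host for a list of workstations: DNS registration (all A records, so a multi-homed host shows both addresses), reachability of TCP 139 and 445, and the state of the Remote Registry service. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName) and an account permitted to query services on the workstations.

```powershell
# Added example, not part of the original slides. Assumes Windows PowerShell 5.1
# on the collector agent host and rights to query services on the workstations.
function Test-FssoWorkstation {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($ws in $ComputerName) {
        # The CA relies on DNS for the workstation IP; collect every A record,
        # because a multi-homed host (wired + WiFi) should register both.
        $ips = @(Resolve-DnsName -Name $ws -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.QueryType -eq 'A' } |
                 Select-Object -ExpandProperty IPAddress)

        # TCP 139 and 445 must be open from the CA to each registered address.
        $ports = @{}
        foreach ($p in 139, 445) {
            $ports[$p] = $false
            foreach ($ip in $ips) {
                $r = Test-NetConnection -ComputerName $ip -Port $p -WarningAction SilentlyContinue
                if ($r.TcpTestSucceeded) { $ports[$p] = $true }
            }
        }

        # Remote Registry must be running so the CA can read the HKEY_USERS hive.
        $rr = $null
        try {
            $rr = (Get-Service -ComputerName $ws -Name RemoteRegistry -ErrorAction Stop).Status
        } catch { }

        [pscustomobject]@{
            Workstation    = $ws
            DnsAddresses   = ($ips -join ',')
            Tcp139         = $ports[139]
            Tcp445         = $ports[445]
            RemoteRegistry = if ($rr) { "$rr" } else { 'unreachable' }
            Ok             = ($ips.Count -gt 0 -and $ports[139] -and $ports[445] -and "$rr" -eq 'Running')
        }
    }
}

# Usage (hostnames are placeholders):
Test-FssoWorkstation -ComputerName 'ws01', 'ws02' | Format-Table -AutoSize
```

A workstation with Ok = False in this output is one the CA would eventually mark as not verified, or track with a stale IP address.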

FSSO Troubleshooting

Tracking a Specific User
- Check which DC recorded the logon event:
  o Run echo %logonserver% in cmd.exe
- Check the logon event using the Windows event viewer
- In the CA:
  o Check the logs and the list of active FSSO users
  o Check that the user group is listed in the group filter
- FortiGate:
  o Check the logs to verify that the logon event was received
  o Check the list of active FSSO users
  o Generate traffic from the user workstation and verify that the user is listed in the FortiGate user monitor

CA to DC Connectivity

DC Logon Events
- Use the Windows event viewer:
  o Search event IDs 4768, 672, 680 and 4776 with audit success

Common Problems
- CA does not have the logon information:
  o Verify that the CA is monitoring all DCs
  o Check that the CA is receiving logon events from the DCs
  o Test the user account and check the CA logs
- CA has the logon information, but the FortiGate does not:
  o Check that the FortiGate is connected to the CA
  o Run the real-time debugs and test the user account

Common Problems
- User is listed as active in the FortiGate but cannot browse the Internet:
  o Check the user IP address in the list of active FSSO users
  o Check the user group information
  o Check the firewall policies
  o Check the CA logs
- FortiGate is randomly blocking some users after some time:
  o Check that the CA service is not crashing
  o Check for crashes in any of the FortiGate processes
  o Check that the connectivity between the FortiGate and the CA is stable
  o Try to reproduce and check the CA logs

Logon Override
- The CA ignores logon events from anonymous accounts and accounts whose name starts with $
- However, some applications generate logon events with different system accounts, overriding the user logon event:
  o Microsoft MOM
  o RDP
- Solution:
  o Find the account in the CA logs that is triggering the problem
  o Add the account to the CA ignore user list

No Internet after IP Address Change
- When this problem might happen:
  o Workstation moved between LAN and WiFi
  o Workstation is back from hibernate mode
- Check the workstation name DNS resolution from the CA
- The CA relies on DNS to get an accurate IP address
- Workaround:
  o Configure FSSO guest users
  o Set the workstation check and dead entry timers to zero
- Solution:
  o Configure workstations to send dynamic updates to the DNS server
  o For multi-homed scenarios (both wired and wireless are up), the DNS server should be able to return both IP addresses
