rmetzger
Staff
Article Id 196153
Description
In some situations, an Active Directory Service Account logs on to a domain PC while a user is already logged on there. The Fortinet FSSO Collector Agent sees this as a logoff of the user followed by a new (undesired) logon, and forwards both events to the FortiGate.

As a consequence, since such a Service Account would generally not belong to the same groups as the users defined in FortiGate user groups, the actual user runs into an authentication problem: the user's traffic is blocked by the FortiGate unit and the browser may display the FortiGate message "Authentication failure".

Here is an example of how the problem can be diagnosed:

1. Once the user USER_1012 logs on to the domain, the Fortinet FSSO Collector Agent informs the FortiGate:

FGT # diagnose debug application authd -1
FGT # diagnose debug enable

FGT # _process_logon[FSSO]: USER_1012(10.1.1.5) logged on with session id(0), port_range_sz=0
_process_logon-722: can not find such a user, try to add it


FGT # diagnose debug authd fsso list
----FSSO logons----
IP: 10.1.1.5  User: USER_1012  Groups: USER/PARTIAL_RIGHTS  MemberOf: 5
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----
 
 
2. A few minutes later, a Service Account also logs on to the same PC to perform some administrative tasks. The Fortinet FSSO Collector Agent immediately reports this to the FortiGate as a logoff of USER_1012 followed by a logon of the Service Account:

FGT # _event_read[FSSO]: received heartbeat 100185
[fsae_db_logoff_user:427]: vfid 0, ip 10.1.1.5, USER_1012, sesion id(0),port_range_sz(0)
_process_logoff[FSSO]: USER_1012 logged off
reset_policy_timeout: clearing policy for 10.1.1.5 session_id=0, vfid=0
_event_read[FSSO]: received heartbeat 100187


FGT # diagnose debug authd fsso list
IP: 10.1.1.5  User: ADM_FWCHECK  Groups: FW_OPERATORS/ADMINISTRATORS


At this point, when traffic from 10.1.1.5 arrives on the FortiGate, the identity-based policy is not matched, because the policy does not contain the group FW_OPERATORS/ADMINISTRATORS that is now associated with that IP, and the user's traffic is blocked.
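The two-step diagnosis above can be automated when the debug output is long or covers many hosts. The following Python script is an added example and is not part of the article or of any Fortinet tool. It parses `diagnose debug application authd -1` lines for FSSO logon/logoff events, reports every IP where one account's logoff is directly followed by a different account's logon (the service-account pattern described above), and then checks the `diagnose debug authd fsso list` entries against the groups an identity-based policy allows. The sample lines are constructed from the article's output; the ADM_FWCHECK logon line and the "+" group separator are assumptions, not taken from the article.

```python
import re

# Constructed sample, modelled on the authd debug lines in the article.
# The ADM_FWCHECK logon line is an assumed line in the same format as the
# USER_1012 logon line; the article only shows the resulting "fsso list".
SAMPLE_AUTHD_DEBUG = """\
FGT # _process_logon[FSSO]: USER_1012(10.1.1.5) logged on with session id(0), port_range_sz=0
_process_logon-722: can not find such a user, try to add it
_event_read[FSSO]: received heartbeat 100185
[fsae_db_logoff_user:427]: vfid 0, ip 10.1.1.5, USER_1012, sesion id(0),port_range_sz(0)
_process_logoff[FSSO]: USER_1012 logged off
reset_policy_timeout: clearing policy for 10.1.1.5 session_id=0, vfid=0
_process_logon[FSSO]: ADM_FWCHECK(10.1.1.5) logged on with session id(0), port_range_sz=0
_process_logon[FSSO]: USER_2044(10.1.1.9) logged on with session id(0), port_range_sz=0
"""

# Constructed "diagnose debug authd fsso list" output after the service-account logon.
SAMPLE_FSSO_LIST = """\
----FSSO logons----
IP: 10.1.1.5  User: ADM_FWCHECK  Groups: FW_OPERATORS/ADMINISTRATORS  MemberOf: 1
IP: 10.1.1.9  User: USER_2044  Groups: USER/PARTIAL_RIGHTS  MemberOf: 5
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

# Logon: "_process_logon[FSSO]: USER(IP) logged on ..."
LOGON_RE = re.compile(r"_process_logon\[FSSO\]: (?P<user>[^(\s]+)\((?P<ip>[\d.]+)\) logged on")
# Logoff: "[fsae_db_logoff_user:NNN]: vfid N, ip IP, USER, ..." (carries the IP,
# unlike the "_process_logoff" line, so it is the one we key on)
LOGOFF_RE = re.compile(r"\[fsae_db_logoff_user:\d+\]: vfid \d+, ip (?P<ip>[\d.]+), (?P<user>[^,]+),")
# fsso list entry: "IP: x.x.x.x  User: NAME  Groups: G1[+G2...]"
FSSO_RE = re.compile(r"IP: (?P<ip>[\d.]+)\s+User: (?P<user>\S+)\s+Groups: (?P<groups>\S+)")


def parse_authd_events(text):
    """Return FSSO events as (kind, user, ip) tuples in the order they were logged."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.search(line)
        if m:
            events.append(("logon", m["user"], m["ip"]))
            continue
        m = LOGOFF_RE.search(line)
        if m:
            events.append(("logoff", m["user"].strip(), m["ip"]))
    return events


def find_displaced_logons(events):
    """Return (ip, previous_user, new_user) wherever a logoff of one account on an IP
    is followed by a logon of a *different* account on the same IP."""
    last_logoff = {}
    displaced = []
    for kind, user, ip in events:
        if kind == "logoff":
            last_logoff[ip] = user
        elif kind == "logon":
            prev = last_logoff.pop(ip, None)
            if prev is not None and prev != user:
                displaced.append((ip, prev, user))
    return displaced


def parse_fsso_list(text):
    """Map IP -> (user, set of groups). Assumes '+' separates multiple groups."""
    entries = {}
    for line in text.splitlines():
        m = FSSO_RE.search(line)
        if m:
            entries[m["ip"]] = (m["user"], set(m["groups"].split("+")))
    return entries


def blocked_by_policy(entries, policy_groups):
    """IPs whose current FSSO groups share nothing with the policy's allowed groups."""
    return sorted(ip for ip, (_user, groups) in entries.items() if not groups & policy_groups)


if __name__ == "__main__":
    events = parse_authd_events(SAMPLE_AUTHD_DEBUG)
    for ip, prev, new in find_displaced_logons(events):
        print(f"{ip}: {prev} displaced by {new} (candidate for the Collector Agent ignore list)")
    entries = parse_fsso_list(SAMPLE_FSSO_LIST)
    for ip in blocked_by_policy(entries, {"USER/PARTIAL_RIGHTS"}):
        print(f"{ip}: user {entries[ip][0]} no longer matches the identity-based policy")
```

Running it prints that 10.1.1.5 had USER_1012 displaced by ADM_FWCHECK and that 10.1.1.5 no longer matches a policy allowing only USER/PARTIAL_RIGHTS; the accounts reported by `find_displaced_logons` are the ones to review for the Collector Agent ignore list.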

Scope
FortiGate FortiOS
Solution
All Service Accounts that may generate such logoff/logon events need to be added to the "Set Ignore User List" of the Fortinet FSSO Collector Agent, so that their logons are not forwarded to the FortiGate and do not replace the logged-on user's session.