FortiGate
lfrancelj
Staff
Article Id 191577

Description


This article describes the configuration of FSSO Collector Agent redundancy with multiple (two in this example) LDAP Windows AD servers and two Fortinet DC Agents.

The FortiGate will connect to the available FSSO Collector Agent to retrieve the logon list and validate authenticated users.

Both Windows AD servers are configured to authenticate user logons (multiple domain controllers).

The FSSO Collector Agent and DC Agent are installed on each Windows AD server.

Scope

 

FSSO, FortiGate.


Solution

 

Configuration

FSSO Collector Agents listen on TCP port 8000 and UDP port 8002; ensure that Windows Firewall is not blocking these ports.

- FortiGate communicates with the FSSO CA via TCP port 8000.
- DC Agent communicates with the FSSO CA via UDP port 8002.
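The following PowerShell check is an added example (not from the original article) that can be run on each Collector Agent host to confirm that the two ports above are actually listening and that an enabled inbound Windows Firewall rule allows them. It assumes the built-in NetTCPIP and NetSecurity modules of Windows Server 2012 or later.

```powershell
# Added example: verify FSSO Collector Agent port reachability on the local host.
# TCP 8000 is used by the FortiGate, UDP 8002 by the DC Agents.
$ports = @(
    @{ Proto = 'TCP'; Port = 8000; Peer = 'FortiGate' },
    @{ Proto = 'UDP'; Port = 8002; Peer = 'DC Agents' }
)

foreach ($p in $ports) {
    # 1. Is the Collector Agent listening on the port at all?
    if ($p.Proto -eq 'TCP') {
        $listening = Get-NetTCPConnection -LocalPort $p.Port -State Listen -ErrorAction SilentlyContinue
    } else {
        $listening = Get-NetUDPEndpoint -LocalPort $p.Port -ErrorAction SilentlyContinue
    }

    # 2. Is there an enabled inbound allow rule covering the port?
    #    Note: rules written as port ranges (e.g. "8000-8010") are not matched here.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $f = $_ | Get-NetFirewallPortFilter
            $f.Protocol -eq $p.Proto -and ($f.LocalPort -eq 'Any' -or ($f.LocalPort -contains "$($p.Port)"))
        }

    [pscustomobject]@{
        Protocol      = $p.Proto
        Port          = $p.Port
        ExpectedPeer  = $p.Peer
        Listening     = [bool]$listening
        FirewallAllow = [bool]$rules
    }
}
```

A row with Listening = False means the Collector Agent service is not up on that host; FirewallAllow = False means the port is blocked by Windows Firewall even though the agent may be listening.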

In this example:
 
- 1st Windows AD IP=10.10.10.1
- 2nd Windows AD IP=10.10.10.2

Install the latest FSSO Collector Agent and DC Agent software on both Windows AD servers, then follow these four steps:

1) FSSO Collector Agent software installation.

Select Next and Install; it will then launch the 'DC Agent Install Wizard'.

2) DC Agent software installation.

Accept the default values and select Next. Select the Domain to monitor and any Users that are not to be monitored, leave the default DC Agent Working Mode, then select Finish.


3) DC Agent Configuration Utility software installation.

Select Next, then list both IPs where the two Collector Agents are installed.


Select Next, Install and Finish.

Both DC Agents are now configured to send logon events to both Collector Agents. This can be checked with the DC Agent Configuration Utility GUI.


It can also be checked by looking at the following registry key:


Diagram

FortiGate <---> FSSO CA <---> DC Agents <---> WINDOWS AD
 
4) To exclude certain IP addresses from polling or DC Agent mode (this has no effect on TS Agent), use the following registry key:
 
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent
 
(Only individual IP addresses can be added to this list; adding IP ranges/subnets is not yet supported.)
 
Value name: 'dc_agent_ignore_ip_list'.
Value data: semicolon-separated list of IPs to be ignored by the Collector Agent.

In this example of 'dc_agent_ignore_ip_list', the logon events reported to the DCs 10.10.10.1 and 10.10.10.2 will be ignored.

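The following PowerShell snippet is an added example (not from the original article) that writes 'dc_agent_ignore_ip_list' under the key above, rejecting anything that is not a single IPv4 address, since ranges and subnets are not supported for this value. It assumes the value is stored as a string (REG_SZ), uses the two DC addresses from this article as a constructed sample list, and must be run as Administrator on the Collector Agent host.

```powershell
# Added example: set dc_agent_ignore_ip_list with input validation.
$keyPath   = 'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent'
$valueName = 'dc_agent_ignore_ip_list'
# Constructed sample list: the two DC addresses used in this article.
$ignoreIps = @('10.10.10.1', '10.10.10.2')

function Test-SingleIPv4 {
    param([string]$Text)
    # Reject ranges ("a-b"), CIDR ("a/n") and anything that is not a plain dotted-quad;
    # IPAddress::TryParse alone would accept shorthand such as "10" as 0.0.0.10.
    if ($Text -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Text, [ref]$addr)) { return $false }
    return $addr.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
}

$bad = $ignoreIps | Where-Object { -not (Test-SingleIPv4 $_) }
if ($bad) {
    throw "Unsupported entries (only single IP addresses are allowed): $($bad -join ', ')"
}

if (-not (Test-Path $keyPath)) {
    throw "Collector Agent registry key not found: $keyPath (is the Collector Agent installed?)"
}

# Record the current value before changing it so the change is auditable.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
Write-Host "Current $valueName : '$current'"

# Write the semicolon-separated list as a REG_SZ value (assumed type), overwriting any existing value.
$newValue = $ignoreIps -join ';'
New-ItemProperty -Path $keyPath -Name $valueName -Value $newValue -PropertyType String -Force | Out-Null
Write-Host "New $valueName : '$newValue'"
```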
Verification of Configuration and troubleshooting

The FortiGate is configured with a list of available FSSO CAs as shown below.
# config user fsso
    edit "DC-1"
        set server "10.10.10.1"
        set password ENC ***
        set server2 "10.10.10.2"
        set password2 ENC ***
    next
end
 
The FortiGate is configured with a list of LDAP Servers as shown below.
 
# config user ldap
    edit "WindowsAD-1"
        set server "10.10.10.1"
        set cnid "cn"
        set dn "test.net"
        set type regular
        set username "admin"
        set password ENC ***
    next
    edit "WindowsAD-2"
        set server "10.10.10.2"
        set cnid "cn"
        set dn "test.net"
        set type regular
        set username "admin"
        set password ENC ***
    next
end
 
The FortiGate will connect to the first available FSSO CA to retrieve logon events.

If this FSSO CA fails, it will connect to the next available one in the list, and so on.

There is no primary-backup mechanism in the FortiGate-FSSO CA relationship.

The other FSSO Collector Agents are used as fail-over in case the first configured one is not available.

In the FSSO Collector Agent 'Show Service Status' window, the FortiGate serial number and IP address are visible.

The FSSO Collector Agent 'Show Monitor DC' window shows both DC Agent IPs together with the last KEEPALIVE packets received from the DCs.

Debugging can be turned on in the Collector Agent: set the log level to debugging and the log file size to 100 MB (maximum 1024 MB).
Logs are stored in the program directory.

Useful commands to troubleshoot on FortiGate:

List FSSO logon users on the FortiGate.
 
# diag debug authd fsso list
 
List authenticated users on the FortiGate.
 
# diag firewall auth list
 
List the connected FSSO CAs.
 
# diag debug reset
# diag debug enable
# diag debug authd fsso server-status
 
Debug the authentication process*.
 
# diag debug reset
# diag debug console timestamp enable
# diag debug application authd -1
# diag debug application fnbamd -1
# diag debug enable
 
Stop debugging output.
 
# diag debug reset
# diag debug disable
 
*By default, debugging is enabled for 30 minutes.
 

Related Articles

Technical Tip: Excluding IP addresses from FSSO logon events
