FortiClient
ctanev1
Staff
Article Id 189613
Description
According to the FortiClient 5.4 Administration Guide, the IP address that FortiClientSSO uses should be unique in the entire network.

However, a non-unique IP address can be used if a Global Pre-filter is configured in FortiAuthenticator.

Solution
1) Create the necessary IP Filtering Rules.
Fortinet FSSO Methods > SSO > IP filtering > create new

Specify either the IP ranges/subnets to include (that is, "only accept these IP ranges/subnets") or the IP ranges/subnets to filter out.

2) Apply the IP filter.
Fortinet FSSO Methods > SSO > FortiGate filtering > edit Global Pre-filter
  • Enable IP Filtering.
  • Select the created IP filter and save the change.
The change will apply to already listed FSSO sessions (relevant IPs will be filtered out), and to newly arriving logins from FortiClients.

Messages like the following should start to appear in the logs:
06/21/2017 10:01:28 [1024583424] FCT LOGON 2017-06-21-10:01:27/1970-01-01-01:00:00 FortiClient wokrstation1.domain.com/192.168.133.21:10.171.0.79:10.108.16.79 DOMAIN.COM/ADUSER2

06/21/2017 10:01:28 [1024583424] FCT 10.171.0.79: logon IP has been filtered from 192.168.133.21:10.171.0.79:10.108.16.79 to 10.171.0.79 by global IP filter
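
To confirm that the pre-filter is taking effect, the two message formats above can be checked programmatically. The following is an added example, not Fortinet code: the regular expressions are derived only from the two sample messages, and the 10.171.0.0/24 include range, the ADUSER3 line and the function name audit are assumptions made for illustration.

```python
import ipaddress
import re

# Patterns derived from the two sample messages in this article.
LOGON_RE = re.compile(
    r"FCT LOGON \S+ FortiClient (?P<host>[^/\s]+)/(?P<ips>[0-9.:]+) (?P<user>\S+)")
FILTER_RE = re.compile(
    r"FCT [0-9.]+: logon IP has been filtered from\s+(?P<ips>[0-9.:]+)"
    r" to (?P<to>[0-9.]+) by global IP filter")

# Assumption: the include rule created in step 1 (constructed value).
EXPECTED = [ipaddress.ip_network("10.171.0.0/24")]

# Lines 1-2 are the article's samples; line 3 is constructed to show a logon
# that reports several IPs but never gets a filter message.
SAMPLE = [
    "06/21/2017 10:01:28 [1024583424] FCT LOGON 2017-06-21-10:01:27/1970-01-01-01:00:00 "
    "FortiClient wokrstation1.domain.com/192.168.133.21:10.171.0.79:10.108.16.79 DOMAIN.COM/ADUSER2",
    "06/21/2017 10:01:28 [1024583424] FCT 10.171.0.79: logon IP has been filtered from "
    "192.168.133.21:10.171.0.79:10.108.16.79 to 10.171.0.79 by global IP filter",
    "06/21/2017 10:02:10 [1024583424] FCT LOGON 2017-06-21-10:02:09/1970-01-01-01:00:00 "
    "FortiClient workstation2.domain.com/192.168.133.40:10.108.16.80 DOMAIN.COM/ADUSER3",
]

def audit(lines, expected=EXPECTED):
    """Pair each FCT LOGON with its filter message; return (accepted, findings)."""
    pending = {}                      # reported IP list -> (host, user)
    accepted, findings = [], []
    for line in lines:
        m = LOGON_RE.search(line)
        if m:
            pending[m["ips"]] = (m["host"], m["user"])
            continue
        m = FILTER_RE.search(line)
        if m and m["ips"] in pending:
            host, user = pending.pop(m["ips"])
            ip = ipaddress.ip_address(m["to"])
            if any(ip in net for net in expected):
                accepted.append((user, host, str(ip)))
            else:
                findings.append(f"{user}@{host}: filtered to {ip}, outside expected ranges")
    # Multi-IP logons with no filter message: the pre-filter did not narrow them.
    for ips, (host, user) in pending.items():
        if ":" in ips:
            findings.append(f"{user}@{host}: {ips} reported, no filter message seen")
    return accepted, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Each finding points at a logon whose address list was either not narrowed by the Global Pre-filter or narrowed to an address outside the ranges configured in step 1.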
