FortiGate units ship with a baud rate of 9600 by default. If you have access, search an archived configuration file for the term baudrate, or verify this setting with the CLI commands:
config system console
get
A. Initial information gathering
1 Is the Collector Agent (CA) connected? The best way to verify this is with the CLI commands
diagnose debug enable
diagnose debug authd fsso server-status
• If it is connected, go to D. The CA is connected.
• If not, continue on.
2 Is the CA running? Check by going to Administrative Tools > Services and checking the ‘Fortinet Server Authentication Extension’ service.
• If the CA is running but not connected, go to step 1.
• If the CA is not running, go to B. The CA is not running and not connected.
B. The CA is not running and not connected
1 Is the CA running as admin? Go to Administrative Tools > Services, check the ‘Fortinet Server Authentication Extension’ service and see whether it is using a domain administrator account. If not, change the account.
2 Is the CA able to bind to its sockets? FSSO uses ports 8000 and 8002. If the ports are not available, the service will not start. Check the CA logs to verify this, and stop the other application that is holding the port.
3 In general, checking the CA logs will show any other errors that are preventing the collector agent from starting.
4 Once the CA is running, if problems continue, go to A. Initial information gathering, step 2.
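The B.1 and B.2 checks above can be scripted on the Collector Agent host. This is an added example, not part of the Fortinet document: it assumes the CA runs as a Windows service whose display name begins with “Fortinet Server Authentication” (as named in this document) and that the service is bound to ports 8000 and 8002; because the document does not state which protocol each port uses, both TCP listeners and UDP endpoints are reported. Run it in an elevated PowerShell session on the CA host.

```powershell
# Added example (not Fortinet's code): section B checks on the Collector Agent host.
# Assumption: the CA service display name starts with "Fortinet Server Authentication".
$ServiceDisplayName = 'Fortinet Server Authentication*'
$FssoPorts          = 8000, 8002   # ports named in this document

# B.1 Is the CA running, and under which account?
$svc = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like $ServiceDisplayName }
if (-not $svc) {
    Write-Warning "No service matching '$ServiceDisplayName' found on this host."
} else {
    foreach ($s in $svc) {
        "{0}: state={1}, start mode={2}, account={3}" -f $s.Name, $s.State, $s.StartMode, $s.StartName
        # A built-in account is not the domain administrator account the checklist asks for.
        if ($s.StartName -match '^(LocalSystem|NT AUTHORITY\\)') {
            Write-Warning "Service runs as '$($s.StartName)', not a domain account (see B.1)."
        }
    }
}

# B.2 Can the CA bind its sockets? Show which process currently holds each port.
foreach ($port in $FssoPorts) {
    $tcp = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint  -LocalPort $port -ErrorAction SilentlyContinue
    $sockets = @($tcp | ForEach-Object { [pscustomobject]@{ Proto = 'TCP'; OwnerPid = $_.OwningProcess } }) +
               @($udp | ForEach-Object { [pscustomobject]@{ Proto = 'UDP'; OwnerPid = $_.OwningProcess } })
    if (-not $sockets) {
        "port $port : nothing bound (CA not started, or it failed to bind)"
        continue
    }
    foreach ($sock in $sockets) {
        $proc  = Get-Process -Id $sock.OwnerPid -ErrorAction SilentlyContinue
        $owner = if ($proc) { "$($proc.ProcessName) (PID $($proc.Id))" } else { "PID $($sock.OwnerPid)" }
        # If the owner is not the CA process, another application is holding the port (B.2).
        "$($sock.Proto) $port : bound by $owner"
    }
}
```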
C. The CA is running but not connected
1 Is the password correct? If not, reset the password.
2 Is there a device filtering traffic? If so, change it to allow TCP port 8000.
3 If problems continue use the following CLI diag command to find more information.
diag debug enable
diag debug application authd 8256
4 Once the CA is running and connected, if problems continue, go to A. Initial information gathering, step 2.
D. The CA is connected
1 Are you seeing groups on the FortiGate?
If not, check the group filter on the CA.
2 Are the FortiGate and CA groups using the same mode? If not, change the modes to match.
3 Are you seeing logon events on the FortiGate unit? You can check this with the following CLI commands.
diagnose debug enable
diagnose debug authd fsso list
• If there are any users logged in, go to step .
• Otherwise, continue on.
4 Are DC agents installed on all Domain Controllers? If not, install the DC Agents.
5 Are you using an LDAP server on the FSSO connector?
• To check go to User > Directory Service > Edit FSSO connector > LDAP.
• If an LDAP server is configured, disable it and go to step 3.
• If there is no LDAP server configured, contact support and open a support ticket.
E. There are at least some users logged on
1 Focus on a single ‘test’ user for further troubleshooting. The information to collect about the ‘test’ user is:
• Account username of the user currently logged in
• IP address of the test host — you can run ipconfig to get the IP of the host
• Host DNS name — you can run hostname to get the host name.
• Logon server name, the domain controller the host used to authenticate — to get this, run echo %logonserver%.
2 Once you have the information about the test host, run the following CLI commands on the FortiGate unit.
diagnose debug enable
diagnose debug authd fsso list
• If the user is not in the list, go to F. Test user does not appear on the FSSO list.
• If the user appears in the list, continue on.
3 Does the user have the correct IP address? If not, check the DNS settings on the DNS server. If a computer has two network interfaces (multi-homed), traffic may get mixed up and go out the wrong interface.
4 Does the user have the correct groups? If not, disable group caching on the CA.
5 If all else appears okay, check the order of the security policies. Only the first authenticated group is allowed through, which may be the wrong policy.
6 If problems continue, contact support and open a support ticket.
F. Test user does not appear on the FSSO list
If the user did not appear in the FSSO list, run through the following checklist.
Is the user IP showing up with a service account?
• If yes, add the user to the ignore list.
Has the user been moved to a new group recently?
• If yes, disable group caching.
If the user is in the CA log:
• Were there any DNS errors in the CA for the host name? These include the collector agent being unable to resolve the host name at all, or resolving it to an incorrect IP.
• If yes, check the DNS server.
• Did the user time out? If the CA logs show the user timed out, the collector agent was not able to connect to the host on ports 139 and 445 to verify the user.
If the user is not in the CA log:
• Check the logon server: check which domain controller authenticated the host (run echo %logonserver% on the host) and troubleshoot that domain controller.
• Does the logon server have the DC agent installed?
• If not, install the DC agent.
• If it is installed, enable logging on the DC agent on the logon server and use the logs produced for further troubleshooting.
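The DNS and port checks in section F (and the IP check in E.3) can be reproduced from the Collector Agent host, which is the machine that must resolve and reach the test host. This is an added example, not part of the Fortinet document; the host name and IP below are constructed sample values standing in for what hostname and ipconfig report on the test user's machine. Save it as a .ps1 file and run it on the CA host.

```powershell
# Added example (not Fortinet's code): run on the Collector Agent host for a test user's machine.
# $TestHost and $ReportedIp are constructed samples; replace them with the values collected in E.1.
param(
    [string]$TestHost   = 'TESTPC01',        # sample: output of "hostname" on the test host
    [string]$ReportedIp = '10.11.101.200'    # sample: IP shown by "ipconfig" on the test host
)

# 1. Does the CA resolve the host name at all, and to the address the host actually uses (E.3 / F)?
$resolved = @()
try {
    $resolved = Resolve-DnsName -Name $TestHost -Type A -ErrorAction Stop |
                Where-Object { $_.QueryType -eq 'A' } |
                Select-Object -ExpandProperty IPAddress
} catch {
    Write-Warning "DNS: cannot resolve '$TestHost' from the CA ($($_.Exception.Message)). Check the DNS server."
}
if ($resolved) {
    "DNS: $TestHost -> $($resolved -join ', ')"
    if ($resolved -notcontains $ReportedIp) {
        # A stale record or a multi-homed host makes the CA attribute the logon to the wrong IP.
        Write-Warning "DNS: resolved address differs from the host's own IP $ReportedIp."
    }
}

# 2. Can the CA reach the host on 139 and 445? A failure here is what the CA logs as a user time-out.
foreach ($port in 139, 445) {
    $r     = Test-NetConnection -ComputerName $ReportedIp -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'blocked or closed' }
    "TCP $port on $ReportedIp : $state"
}

# 3. Reverse lookup: does the IP map back to the host name the CA expects?
try {
    $ptr = (Resolve-DnsName -Name $ReportedIp -Type PTR -ErrorAction Stop).NameHost
    "PTR: $ReportedIp -> $ptr"
} catch {
    Write-Warning "PTR: no reverse record for $ReportedIp."
}
```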
Appendix
Document conventions
Fortinet technical documentation uses the conventions described below.
IPv4 IP addresses
To avoid publication of public IPv4 IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Most of the examples in this document use the following IP addressing:
IP addresses are made up of A.B.C.D:
• A - can be one of 192, 172, or 10 - the private address ranges covered in RFC 1918.
• B - 168, or the branch / device / virtual device number.
  • Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
  • Device or virtual device - allows multiple FortiGate units in this address space (VDOMs).
  • Devices can be from x01 to x99.
• C - interface - FortiGate units can have up to 40 interfaces, potentially more than one on the same subnet.
  • 001 - 099 - physical ports and non-virtual interfaces
  • 100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
• D - usage-based addresses; this part is determined by what the device is doing. The following gives 16 reserved, 140 users, and 100 servers in the subnet.
  • 001 - 009 - reserved for networking hardware, like routers, gateways, etc.
  • 010 - 099 - DHCP range - users
  • 100 - 109 - FortiGate devices - typically only 100 is used
  • 110 - 199 - servers in general (see below for details)
  • 200 - 249 - static range - users
  • 250 - 255 - reserved (255 is broadcast, 000 is not used)
  • The D segment servers can be further broken down into:
    • 110 - 119 - Email servers
    • 120 - 129 - Web servers
    • 130 - 139 - Syslog servers
    • 140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc.)
    • 150 - 159 - VoIP / SIP servers / managers
    • 160 - 169 - FortiAnalyzers
    • 170 - 179 - FortiManagers
    • 180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
    • 190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)
  • Fortinet products, non-FortiGate, are found from 160 - 189.
Example Network
Variations on the network shown in Figure 17 are used for many of the examples in this document. In this example, the 172.20.120.0 network is equivalent to the Internet. The network consists of a head office and two branch offices.
Figure 17: Example network
Table 8: Example IPv4 IP addresses
Location and device | Internal | DMZ | External
Head Office, one FortiGate | 10.11.101.100 | 10.11.201.100 | 172.20.120.191
Head Office, second (addresses not listed in this extract)
Office 7, one FortiGate with 9 VDOMs | 10.79.101.100 | 10.79.101.100 | 172.20.120.194
Office 3, one FortiGate, web server | n/a | 10.31.201.110 | n/a
Bob in accounting on the corporate user network (DHCP) at Head Office, one FortiGate | 10.0.11.101.200 | n/a | n/a
Router outside the FortiGate | n/a | n/a | 172.20.120.195
Tips, must reads, and troubleshooting
A Tip provides shortcuts, alternative approaches, or background information about the task at hand. Ignoring a tip should have no negative consequences, but you might miss out on a trick that makes your life easier.
A Must Read item details things that should not be missed, such as reminders to back up your configuration, configuration items that must be set, or information about safe handling of hardware. Ignoring a must read item may cause physical injury, component damage, data loss, irritation or frustration.
A Troubleshooting tip provides information to help you track down why your configuration is not working.
Typographical conventions
Table 9: Typographical conventions in Fortinet technical documentation
Convention | Example
Button, menu, text box, field, or check box label | From Minimum log level, select Notification.
CLI input |
Emphasis | HTTP connections are not secure and can be intercepted by a third party.
File content | <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD> <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink | Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Keyboard entry | Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation | Go to VPN > IPSEC > Auto Key (IKE).
Publication | For details, see the FortiOS Handbook.
Registering your Fortinet product
Access to Fortinet customer services, such as firmware updates, support, and FortiGuard services, requires product registration. You can register your Fortinet product at http://support.fortinet.com.
Training Services
Fortinet Training Services offers courses that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet training programs serve the needs of Fortinet customers and partners worldwide.
Visit Fortinet Training Services at http://campus.training.fortinet.com, or email [email protected].
Technical Documentation
Visit the Fortinet Technical Documentation web site, http://docs.fortinet.com, for the most up-to-date technical documentation.
The Fortinet Knowledge Base provides troubleshooting, how-to articles, examples, FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.
Comments on Fortinet technical documentation
Send information about any errors or omissions in this or any Fortinet technical document to [email protected].
Customer service and support
Fortinet is committed to your complete satisfaction. Through our regional Technical Assistance Centers and partners worldwide, Fortinet provides remedial support during the operation phase of your Fortinet product's development life cycle. Our Certified Support Partners provide first level technical assistance to Fortinet customers, while the regional TACs solve complex technical issues that our partners are unable to resolve.
Visit Customer Service and Support at http://support.fortinet.com.
Fortinet products End User License Agreement
See the Fortinet products End User License Agreement.
Index
Internet Control Message Protocol (ICMP), 86
Internet Traffic Management Practices (ITMP), 101
introduction
  Fortinet documentation, 192
IP address
alert email did not send, 114
cannot log to log device, 114
FortiGate stopped recording logs, 114
Network Time Protocol (NTP), 32, 57
no SYN-ACK, 39
Single instruction, multiple data (SIMD), 126
sniffer, verbosity level, 93
time to live (TTL), 87, 162
TIME_WAIT, 157
tracert (traceroute), 87, 88
traffic shaping, 101
Training Services, 192
troubleshooting, 75
  alert email did not send, 114
  cannot log to log device, 114
  debug packet flow, 94
  diagnose commands, 100, 115
  firewall session list, 99
  FortiGate stopped logging, 114
  packet sniffing, 92
  ping, 85
  routing table, 90
  traceroute, 85
  traffic shaping, 101
U
UDP, 11
V
VDOM, 29, 44, 45, 98, 103, 117
Verifications of IP options, 16
vpn
  error no SA proposal, 112
  initiator, 112
  P1 proposal, 112
  R U THERE, 112
W
Wireshark, 80