FSSO Flashcards
(15 cards)
FSSO Modes:
Agent based (DC agent mode): a DC agent installed on each domain controller pushes login events to the collector agent in real time.
Agentless (polling mode): the collector agent polls the DCs for login events. Three polling methods:
NetAPI: polls the temporary logon sessions on the DC through the NetSessionEnum API.
WinSecLog: polls all security event logs on the DC. This is also the method used when the FGT polls the DCs directly, without a collector agent.
WMI: uses WMI to poll only specific security events, with less network load than WinSecLog.
Default Ports for FSSO communications:
For agentless polling from the FGT to the DC: TCP 445 (SMB).
For agent mode: TCP 8000 between the collector agent and the FGT. Communication from the DC agents (or the TS agent) to the collector agent is UDP 8002.
FSSO identifies each user by source IP address. Where many users share one IP (terminal server or Citrix host), install the Terminal Server (TS) agent, which reports the IP address plus a source port range per user so the FGT can tell them apart.
Group Membership Check in FSSO
Login detected -> ignore list check (drop if the account is on the list) -> is the user's group membership already in the group cache?
If not, look it up in the directory with LDAP (or the Windows API). Once the groups are known:
-> is the user in a monitored group (the group filter)?
If not, discard the login. If yes, send it to the FGT.
Tracking a Specific User FSSO login
Perform the login
Check which DC recorded the login event with the Windows command: echo %logonserver%
Check the login event on that DC using the Windows Event Viewer.
In the collector agent, check logs and list of active FSSO users. Check that the user group is listed in the group filter.
On FGT:
Check logs to verify login event was received.
Check the list of active FSSO users
Generate traffic from user workstation and verify user is listed in User monitor.
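The first steps of the procedure above, as an added PowerShell example (not from the flashcards or from Fortinet). It is meant to run on the user's workstation just after the logon: it reads the logon server from the environment (the same value "echo %logonserver%" prints), pulls the recent successful-logon events (event ID 4624) for that user from the DC's Security log, and then runs the dsquery/dsget lookups so the group DNs can be compared with the collector agent group filter. $User, $Dc and $Minutes are assumed parameter names; reading the DC's Security log remotely requires the Remote Event Log Management firewall rule and read rights on that log.

```powershell
# Added example (not from the flashcards or Fortinet): trace one user's FSSO logon.
# $User, $Dc and $Minutes are assumed parameter names. 4624 = Windows "An account was successfully logged on".
param(
    [string]$User    = $env:USERNAME,
    [string]$Dc      = ($env:LOGONSERVER -replace '^\\\\', ''),   # same value as "echo %logonserver%"
    [int]   $Minutes = 30
)

"Logon server: $Dc"

# Pull recent 4624 events from the DC's Security log and keep the ones for $User.
# Fields are read from the event XML by name rather than by Properties[] index.
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-$Minutes)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $f = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    if ($f['TargetUserName'] -ieq $User) {
        '{0}  {1}\{2}  logontype={3}  workstation={4}  ip={5}' -f @(
            $e.TimeCreated, $f['TargetDomainName'], $f['TargetUserName'],
            $f['LogonType'], $f['WorkstationName'], $f['IpAddress'])
    }
}

# Same lookups as the dsquery/dsget flashcard: the DN first, then the groups that
# the collector agent compares with its group filter.
"`nDN:";        dsquery user -name $User
"`nMember of:"; dsquery user -name $User | dsget user -memberof
```

If no 4624 line is printed for the user, the login was recorded on a different DC than the one the script queried (check %logonserver% on the workstation again) or the event is older than $Minutes; if the groups printed do not include one in the collector agent group filter, the login will never be sent to the FGT.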
How to check FGT to Collector Agent Connectivity
Click Show Service Status on the Agent GUI
Or run this command on the FGT:
diagnose debug application authd 8256
Heartbeats are sent between the two and can be seen in logs on both sides.
Collector Agent Errors and causes
server authentication failed, aborting:
the password configured on the FGT does not match the collector agent password.
connection refused:
TCP 8000 is blocked by a firewall or another device, or the collector agent is not listening.
No route to host: the collector agent IP address is not routable from the FGT.
CLI Command to list active FSSO users
diagnose debug authd fsso list
Other FSSO debug commands:
get user adgrp: list the monitored groups
diagnose debug authd fsso <option>, where option is one of:
refresh-logons: resend the active users list to the FGT
clear-logons: clear the login information on the FGT. Users must log off and on again
refresh-groups: resend the monitored groups list to the FGT
Windows Commands to troubleshoot FSSO
In cmd.exe:
To query the user's DN from the LDAP server: dsquery user -name <username>
Pipe it into dsget to see group memberships: dsquery user -name <username> | dsget user -memberof
To see who is logged in to the workstation: wmic computersystem get username
To check that the collector agent is listening on port 8000:
netstat -aon | findstr :8000
Agentless polling debug CLI command
diagnose debug fsso-polling detail - shows polling status and statistics
diagnose debug fsso-polling refresh-user - flushes the information about all active FSSO users. Users need to log on again
diagnose sniffer packet any 'host <DC IP> and tcp port 445' - sniff the polls to the DC
Agentless Polling daemon
fssod is the FGT daemon that performs the polling.
Real-time debug: diagnose debug application fssod -1 (then diagnose debug enable)
Common real time debug errors
failed to resolve server(servername) - the FGT cannot resolve the AD server name (check DNS on the FGT)
Please sync the time of FGT and AD server - clock skew between the FGT and the DC; fix NTP on both
No memory alloc - the FGT is out of memory; check FGT memory usage
DNS Resolution Error:
DNS cannot resolve the workstation name, and the collector agent log shows:
failed to resolve workstation name to ip: (workstation host name)
DnsQuery() failed for (workstation host name), error code:9003 (9003 is the Windows DNS error "name does not exist", i.e. NXDOMAIN; the collector agent host's DNS has no record for the workstation)
Login Override Issue
The collector agent ignores login events from anonymous accounts and from computer accounts (names ending in '$').
Some applications generate login events under a different system account on the same workstation IP, overriding the real user's login event (for example Microsoft MOM, RDP).
Solution: find the account in the collector agent logs that is overriding the user and add it to the ignore user list.
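The group membership check and the login override issue, as one added PowerShell illustration (not Fortinet code and not the collector agent's implementation): a deliberately simplified model that keeps one logon per IP, applies the ignore list and the group filter, and shows why a service-account logon on the same IP makes the real user disappear from the FGT, and why adding that account to the ignore list fixes it. The user names, group DNs and IPs are constructed; the assumption that the newest logon on an IP replaces the previous one is the model's, not a statement about the agent's internals.

```powershell
# Added illustration (not Fortinet code): simplified collector agent logon table.
# jsmith, svc-mom, the group DNs and the IP are constructed.
$MonitoredGroups = @('CN=FSSO-Users,OU=Groups,DC=example,DC=com')   # the group filter
$IgnoreList = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)

# Stand-in for the directory (what an LDAP lookup would return) and the group cache
$Directory = @{
    'jsmith'  = @('CN=FSSO-Users,OU=Groups,DC=example,DC=com')
    'svc-mom' = @('CN=Service-Accounts,OU=Groups,DC=example,DC=com')
}
$GroupCache = @{}
$LogonTable = @{}   # IP -> user the collector agent currently believes is logged on

function Get-UserGroups([string]$User) {
    if (-not $GroupCache.ContainsKey($User)) { $GroupCache[$User] = @($Directory[$User]) }  # cache miss: "LDAP" lookup
    return $GroupCache[$User]
}

function Test-Monitored([string]$User) {
    return (@(Get-UserGroups $User | Where-Object { $MonitoredGroups -contains $_ }).Count -gt 0)
}

function Receive-LogonEvent([string]$User, [string]$Ip) {
    # Ignore-list check: anonymous logons, computer accounts (name ending in $) and the configured ignore list
    if ($User -eq 'ANONYMOUS LOGON' -or $User.EndsWith('$') -or $IgnoreList.Contains($User)) {
        return "ignored   $User@$Ip"
    }
    # Model assumption: the newest logon on an IP replaces the previous one.
    $LogonTable[$Ip] = $User
    if (Test-Monitored $User) { return "to FGT    $User@$Ip (logon)" }
    return "discarded $User@$Ip (no monitored group)"
}

function Get-FgtView {
    # What the FGT would list: only IPs whose current user is in a monitored group
    $LogonTable.GetEnumerator() | Where-Object { Test-Monitored $_.Value } |
        ForEach-Object { "$($_.Key) -> $($_.Value)" }
}

'--- without ignore list entry ---'
Receive-LogonEvent 'jsmith'  '10.0.1.10'
Receive-LogonEvent 'svc-mom' '10.0.1.10'     # e.g. a monitoring agent logging on as its service account
"FGT view: $((Get-FgtView) -join ', ')"      # empty: jsmith has been overridden

'--- after adding svc-mom to the ignore list ---'
$LogonTable.Clear()
[void]$IgnoreList.Add('svc-mom')
Receive-LogonEvent 'jsmith'  '10.0.1.10'
Receive-LogonEvent 'svc-mom' '10.0.1.10'
"FGT view: $((Get-FgtView) -join ', ')"      # 10.0.1.10 -> jsmith
```

The first run ends with an empty FGT view even though jsmith is in a monitored group, which is exactly the symptom the flashcard describes; the second run shows the service account being dropped at the ignore-list step before it can touch the IP's entry.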
Common Problem: Not Verified Status on the Collector Agent
The collector agent cannot verify that the user is still logged in to the workstation,
and its logs show:
failed to connect to workstation / failed to connect to registry: (workstation name and IP)
Common causes:
a firewall is blocking TCP ports 139 and 445 between the collector agent and the workstation
the Remote Registry service on the workstation is not running
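The "Not Verified" causes above, the DNS resolution error and the port 8000 / logged-on-user checks from the Windows troubleshooting card, as one added PowerShell script (not from the flashcards or from Fortinet) meant to run on the collector agent host against one workstation. It resolves the workstation name (the DnsQuery error case), tests TCP 139 and 445, reads the Remote Registry service state, then performs the same remote registry open the collector agent relies on, reports who is logged on at the workstation, and finally checks that something is listening locally on TCP 8000 for the FGT. $Workstation and $FgtPort are assumed parameter names; the CIM queries assume WinRM (or DCOM) is reachable on the workstation.

```powershell
# Added example (not from the flashcards or Fortinet): workstation verification checks from the collector agent host.
# $Workstation and $FgtPort are assumed parameter names.
param(
    [Parameter(Mandatory)][string]$Workstation,
    [int]$FgtPort = 8000
)

$results = [ordered]@{}

# 1. DNS: the "failed to resolve workstation name to ip" / DnsQuery error 9003 case
try {
    $ip = (Resolve-DnsName -Name $Workstation -Type A -ErrorAction Stop | Select-Object -First 1).IPAddress
    $results['DNS'] = "ok ($ip)"
} catch {
    $results['DNS'] = "FAIL: $($_.Exception.Message)"
}

# 2. TCP 139 and 445 must be open from the collector agent to the workstation
foreach ($port in 139, 445) {
    $t = Test-NetConnection -ComputerName $Workstation -Port $port -WarningAction SilentlyContinue
    $results["TCP $port"] = if ($t.TcpTestSucceeded) { 'open' } else { 'FAIL: blocked or closed' }
}

# 3. Remote Registry service state on the workstation (queried over CIM)
try {
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $Workstation -Filter "Name='RemoteRegistry'" -ErrorAction Stop
    $results['RemoteRegistry service'] = $svc.State
} catch {
    $results['RemoteRegistry service'] = "FAIL: $($_.Exception.Message)"
}

# 4. The operation behind "failed to connect to registry": open the workstation's HKLM remotely
try {
    $key = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Workstation)
    $key.Close()
    $results['Remote registry connect'] = 'ok'
} catch {
    $results['Remote registry connect'] = "FAIL: $($_.Exception.GetBaseException().Message)"
}

# 5. Who is logged on at the workstation (equivalent of "wmic computersystem get username")
try {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $Workstation -ErrorAction Stop
    $results['Logged-on user'] = $cs.UserName
} catch {
    $results['Logged-on user'] = "FAIL: $($_.Exception.Message)"
}

# 6. Is the collector agent listening for the FGT on TCP 8000? (the "netstat -aon" check)
$listen = Get-NetTCPConnection -LocalPort $FgtPort -State Listen -ErrorAction SilentlyContinue
$results["Collector TCP $FgtPort listening"] = if ($listen) { 'yes' } else { 'NO' }

$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
```

A DNS failure in step 1 matches the DnsQuery() 9003 log line; failures in steps 2 to 4 with DNS working match the "failed to connect to workstation / registry" lines and point at a firewall or the Remote Registry service. If step 6 reports NO, the FGT will see "connection refused" regardless of the workstation results.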