Troubleshooting FSSO connection on FortiGate

In this post, I will write about an issue I faced during a FortiGate firewall migration.

The customer already had FSSO “working” (in fact it was not), and we had to replace the old FortiGate running version 5.2 with a new one running version 6.0. Not a big deal, but FSSO was not working: the connection between the agent and the collector was down, and the connection between the FortiGate and the collector was down too.

FSSO is used to transparently authenticate users and allow them to access network resources through firewall policy rules.

The first problem was between the agent and the collector. Technical support assisted us with it. In fact, the account used between the collector and the agent must be an administrator. This is stated during the installation, but you can easily miss the point. In the collector log file, you have something like this:

10/04/2019 03:42:32 [ 3476] ad_user_get_groups error:
(Screenshot: FSSO account requirement)

If you want to go further on the privileges you have to grant this account, go here.

For the second issue, the FortiGate was not able to connect to the collector. The collector log file indicates:

10/09/2019 14:47:11 [  828] Connection to FGT on socket (5476) closed. return code:-1 last error:10054
10/09/2019 14:47:12 [ 828] FortiGate: on socket (5476) disconnected

It was the passphrase between the FortiGate and the collector that caused the problem. It seems it does not like @ or !. We changed the password and everything worked fine.

You also have to check that the ports are open between the FortiGate and the collector, and between the collector and the agent (8000 and 8002). In my case, Wireshark showed us there was no problem at all on this point.
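The checks above (reading the collector log for the two failure signatures, looking at the passphrase, and confirming that the collector ports answer) can be scripted. The following Python is an added example written for this post, not code from Fortinet or from the original article: the log sample is constructed from the excerpts quoted above, the mapping of port 8000 to the FortiGate link and 8002 to the DC agent link is an assumption, and the collector address in the usage section is a placeholder to replace on site.

```python
import re
import socket

# Constructed sample collector log, modelled on the excerpts quoted in the post
# (same format: date, time, [thread id], message).
SAMPLE_COLLECTOR_LOG = """\
10/04/2019 03:42:32 [ 3476] ad_user_get_groups error:
10/09/2019 14:47:11 [  828] Connection to FGT on socket (5476) closed. return code:-1 last error:10054
10/09/2019 14:47:12 [  828] FortiGate: on socket (5476) disconnected
10/09/2019 14:47:40 [  828] FortiGate: on socket (5480) connected
"""

# TCP ports the post names for the two FSSO links. Assumption: 8000 is the
# FortiGate -> collector link and 8002 the collector <-> DC agent link.
FSSO_PORTS = {"fortigate->collector": 8000, "collector->dc-agent": 8002}

# Characters the post reports as breaking the FortiGate/collector passphrase.
SUSPECT_PASSPHRASE_CHARS = set("@!")

LOG_LINE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) \[\s*(?P<tid>\d+)\] (?P<msg>.*)$")

# (pattern, diagnosis) pairs for the two failure modes described in the post.
DIAGNOSES = [
    (re.compile(r"ad_user_get_groups error"),
     "collector<->agent: AD group lookup failed; check that the service account "
     "is an administrator (the post's first root cause)"),
    (re.compile(r"Connection to FGT on socket \(\d+\) closed\. return code:-1 last error:10054"),
     "FortiGate<->collector: session reset by FortiGate right after connect; "
     "check the shared passphrase, the post's case had @ or ! in it"),
]


def parse_collector_log(text):
    """Split collector log text into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def triage_collector_log(text):
    """Return a list of (timestamp, diagnosis) for every line matching a known failure."""
    findings = []
    for e in parse_collector_log(text):
        for pattern, diagnosis in DIAGNOSES:
            if pattern.search(e["msg"]):
                findings.append((f'{e["date"]} {e["time"]}', diagnosis))
    return findings


def suspect_passphrase_chars(passphrase):
    """Sorted list of the characters in the passphrase that the post reports as problematic."""
    return sorted(SUSPECT_PASSPHRASE_CHARS & set(passphrase))


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout; False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_fsso_ports(collector_host, ports=FSSO_PORTS, timeout=2.0):
    """Probe each FSSO port on the collector; returns {link: reachable}."""
    return {link: tcp_port_open(collector_host, port, timeout) for link, port in ports.items()}


if __name__ == "__main__":
    for when, why in triage_collector_log(SAMPLE_COLLECTOR_LOG):
        print(f"{when}  {why}")
    # Constructed passphrase containing both characters the post warns about.
    print("suspect chars:", suspect_passphrase_chars("Fsso!Pass@2019"))
    # 192.0.2.10 is a documentation address; replace it with the real collector.
    print(check_fsso_ports("192.0.2.10", timeout=1.0))
```

Run it on the machine that should reach the collector (the FortiGate side for 8000, a domain controller for 8002); a `False` from `check_fsso_ports` points at filtering on the path, while a `True` with the 10054 signature still in the log points back at the passphrase, which is exactly how the two problems in this post separated.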

Author: Kévin SAS

I am Kévin SAS and live in France. I am a network and security engineer. I have worked for many customers in these domains: wireless, LAN, datacenter, VoIP, with several brands such as Cisco, HPE, Aruba and Palo Alto, amongst others. I previously worked for a service provider and currently work for an integrator, which gives me lots of opportunities to learn. This blog stores some technical notes I wanted to share.
