Troubleshooting FSSO connection on FortiGate

In this post, I will write about an issue I ran into during a FortiGate firewall migration.

The customer already had FSSO "working" (in fact it was not), and we had to replace an old FortiGate running version 5.2 with a new one running version 6.0. Not a big deal, but FSSO was not working: the connection between the collector and the agent was down, and the connection between the FortiGate and the collector was down too.

FSSO is used to transparently authenticate users and allow them to access network resources through firewall policy rules.

The first problem was between the agent and the collector. Technical support assisted us with that one. In fact, the account used between the collector and the agent simply has to be an administrator. This is stated during the installation, but it is easy to miss. In the Collector log file, you see something like this:

10/04/2019 03:42:32 [ 3476] ad_user_get_groups error:
(Screenshot: FSSO account requirement)

If you want to go further on the exact privileges you have to grant this account, go here.

For the second issue, the FortiGate was not able to connect to the collector. The Collector log file indicates:

10/09/2019 14:47:11 [  828] Connection to FGT on socket (5476) closed. return code:-1 last error:10054
10/09/2019 14:47:12 [ 828] FortiGate:10.119.52.250 on socket (5476) disconnected

It was the passphrase shared between the FortiGate and the Collector that caused the problem. It seems it does not like the characters @ or !. We changed the password and everything worked fine.

You also have to check that the required ports are open between the FortiGate and the collector, then between the collector and the agent (8000 and 8002). In my case, Wireshark showed us there was no problem at all on this point.
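As an added example, not taken from the original post, here is a small Python triage script that parses Collector Agent log lines in the format quoted above and flags the two signatures discussed (the privilege error and the FortiGate connection reset), plus a per-FortiGate disconnect count that helps spot a firewall that keeps dropping because of a bad shared password. The sample log lines are constructed, modelled on those in the post, and the MM/DD/YYYY timestamp format is an assumption.

```python
import re
from datetime import datetime

# Constructed sample of FSSO Collector Agent log lines, modelled on the post.
SAMPLE_LOG = """\
10/04/2019 03:42:32 [ 3476] ad_user_get_groups error:
10/09/2019 14:47:11 [  828] Connection to FGT on socket (5476) closed. return code:-1 last error:10054
10/09/2019 14:47:12 [  828] FortiGate:10.119.52.250 on socket (5476) disconnected
10/09/2019 14:47:20 [  828] FortiGate:10.119.52.250 on socket (5480) connected
"""

# "<MM/DD/YYYY HH:MM:SS> [<pid, right-aligned>] <message>" (date order is an assumption)
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \[\s*(\d+)\] (.*)$")
DISCONNECT_RE = re.compile(r"FortiGate:(\S+) on socket \(\d+\) disconnected")

# Known signatures from the post, mapped to what each one pointed to.
# 10054 is Winsock WSAECONNRESET: the peer (here the FortiGate) reset the connection.
SIGNATURES = [
    (re.compile(r"ad_user_get_groups error"),
     "collector-agent account lacks administrator rights on the domain"),
    (re.compile(r"Connection to FGT .*last error:10054"),
     "FortiGate reset the connection: check the shared password and TCP 8000"),
]

def parse_line(line):
    """Split one Collector line into (timestamp, pid, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    return ts, int(m.group(2)), m.group(3)

def triage(text):
    """Return (timestamp, pid, message, diagnosis) for every line matching a known signature."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip lines that are not in the Collector format
        ts, pid, msg = parsed
        for pattern, diagnosis in SIGNATURES:
            if pattern.search(msg):
                findings.append((ts, pid, msg, diagnosis))
                break
    return findings

def disconnects_per_fortigate(text):
    """Count 'disconnected' events per FortiGate IP; a high count means the FGT keeps flapping."""
    counts = {}
    for raw in text.splitlines():
        m = DISCONNECT_RE.search(raw)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

if __name__ == "__main__":
    for ts, pid, msg, diagnosis in triage(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} pid={pid}: {msg} -> {diagnosis}")
    print(disconnects_per_fortigate(SAMPLE_LOG))
```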


Author: Kévin SAS

Hello, I'm Kévin SAS, an experienced Network and Security Engineer based in France. Over the years, I have had the privilege of working with a diverse range of clients, providing expert solutions in areas such as Wireless, LAN, Datacenter, and VoIP. I have hands-on experience with leading brands like Cisco, HPE, Aruba, Palo Alto, and many others. Having previously worked for a reputable service provider, I now find myself in a dynamic role as part of an integrator team, where I continuously expand my knowledge and skills. This blog serves as a repository of technical notes and insights that I am enthusiastic about sharing with fellow professionals and enthusiasts.
