FortiOS FSSO log messages

FortiOS FSSO log messages

There are two types of FortiOS log messages — firewall and event. FSSO-related log messages are generated from authentication events. These include user logon and log off events, and NTLM authentication events. These log messages are central to network accounting policies, and can also be useful in troubleshooting issues. For more information on firewall logging, see “Enabling security logging”. For more information on logging, see the FortiOS Handbook Log and Reporting guide.

Enabling authentication event logging

For the FortiGate unit to log events, that specific type of event must be enabled under logging.

When VDOMs are enabled certain options may not be available, such as CPU and memory usage events. You can enable event logs only when you are logged on to a VDOM; you cannot enable event logs globally.

To ensure you log all the events need, set the minimum log level to Notification or Information. Firewall logging requires Notification as a minimum. The closer to Debug level, the more information will be logged. While this extra information is useful, you must

To enable event logging:

  1. Go to Log & Report > Log Settings.
  2. In Event Logging, select:
System activity event All system-related events, such as ping server failure and gateway status.
User activity event All administration events, such as user logins, resets, and configuration updates.
  1. Optionally you can enable any or all of the other logging event options.
  2. Select Apply.

Authentication log messages

List of FSSO related log messages

Message ID Severity Description
43008 Notification Authentication was successful
43009 Notification Authentication session failed
43010 Warning Authentication locked out
43011 Notification Authentication timed out
43012 Notification FSSO authentication was successful
43013 Notification FSSO authentication failed
43014 Notification FSSO user logged on
43015 Notification FSSO user logged off
43016 Notification NTLM authentication was successful
43017 Notification NTLM authentication failed

 

Using filters

Logon events are detected by the FSSO CA by monitoring the Security Event logs. Additional logon event filters, such as ServiceName and ServiceID, have been implemented so as to avoid instances of conflicting security events, where existing FSSO logon user information could be overwritten and impact user connectivity.

The problem arises when a scenario such as the following occurs:

Testing

  1. User1 logs on to PC1 on 1.1.1.1, which is logged as a successful Kerberos logon event with an ID of 4769.
  2. The FortiGate creates an authenticated FSSO user log entry for User1/1.1.1.1.
  3. User1 then maps a network drive and uses credentials for User2 to logon to the same PC (PC1).
  4. The FortiGate sees this as a separate logon to PC1 by a new user, User2. As a result, the log entry is updated to User2/1.1.1.1.
  5. If User2 is a member of a different user group to User1 (i.e. has different access permissions), User1 could lose access to their network resources.

The new filter makes the CA ignore the event log created when User1 mapped a network drive, meaning that the original entry for User1 will not be changed.

This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.