
How to fix FSSO Logon entries in the firewall being overridden by a new user login

This article describes the scenario where an existing FSSO logon entry is overridden by a new FSSO logon from a different user that reports the same IP address.

Scope

FSSO, FortiGate.

Solution

Below is an example of an FSSO user IP address entry that keeps being overridden by a new user login:

This happens because both logons carry the same IP address when they are retrieved from the AD server. The debug logs show the IP address obtained from AD for the tested users (two different users, thor and loki, both reported from 10.152.3.1):

[fsso_ldap_group_add:327] logon: 10.152.3.1, thor/SECUREX.COM, , add group CN=Domain Users,CN=Users,DC=securex,DC=com

[fsso_ldap_group_add:327] logon: 10.152.3.1, loki/SECUREX, , add group CN=Domain Users,CN=Users,DC=securex,DC=com

This matches the logon events recorded on the AD server:

FortiGate takes the IP address exactly as it is reported in the AD server's logon events; it does not learn the client address independently. One potential reason for two users sharing one address is that a Layer 3 device is source NATing the users' traffic towards the AD server. The AD server then records the NAT address, not the user's real address, in its logon events, so every user behind that NAT appears with the same IP and each new logon overwrites the previous one.
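One way to confirm this condition from the FSSO debug output before touching any policy is to parse the logon lines and list every IP address that carries more than one user. The script below is an added example, not part of the original article or of FortiGate; it works on lines in the same shape as the debug output shown above. The third sample line (user odin on 10.152.7.25) is constructed for contrast and does not appear in the original logs.

```python
import re
from collections import defaultdict

# Constructed sample of FSSO debug output. The first two lines mirror the
# shape of the entries shown in the article (thor and loki both reported
# from 10.152.3.1); the third is an invented user on its own address.
SAMPLE_DEBUG = """\
[fsso_ldap_group_add:327] logon: 10.152.3.1, thor/SECUREX.COM, , add group CN=Domain Users,CN=Users,DC=securex,DC=com
[fsso_ldap_group_add:327] logon: 10.152.3.1, loki/SECUREX, , add group CN=Domain Users,CN=Users,DC=securex,DC=com
[fsso_ldap_group_add:327] logon: 10.152.7.25, odin/SECUREX, , add group CN=Domain Users,CN=Users,DC=securex,DC=com
"""

# Fields: "[func:line] logon: <ip>, <user/DOMAIN>, <empty>, add group <DN>".
# The group DN itself contains commas, so it is captured greedily to end of line.
LOGON_RE = re.compile(
    r"\[fsso_ldap_group_add:\d+\]\s+logon:\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),\s*"
    r"(?P<user>[^,]+?),\s*"
    r"(?P<extra>[^,]*?),\s*"
    r"add group\s+(?P<group>.+)$"
)


def parse_logons(text):
    """Return a list of (ip, user, group_dn) tuples from FSSO debug output.

    Lines that do not match the logon format are ignored, so the function can
    be fed a raw debug capture that also contains unrelated output.
    """
    logons = []
    for line in text.splitlines():
        m = LOGON_RE.search(line.strip())
        if m:
            logons.append((m.group("ip"), m.group("user").strip(), m.group("group").strip()))
    return logons


def shared_ips(logons):
    """Map each IP address seen for more than one distinct user to the sorted
    list of those users. An empty result means no address collision."""
    users_by_ip = defaultdict(set)
    for ip, user, _group in logons:
        users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


def report(text):
    """Human-readable summary: which addresses collide and what that suggests."""
    collisions = shared_ips(parse_logons(text))
    if not collisions:
        return "No IP address is shared between users; FSSO logons look consistent."
    lines = []
    for ip, users in sorted(collisions.items()):
        lines.append(
            f"{ip} is reported for {len(users)} users ({', '.join(users)}): "
            "check for source NAT between these users and the AD server."
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DEBUG))
```

Run it against the output of the FSSO debug on the FortiGate (or the equivalent log from the collector agent); any address listed by `shared_ips` is a candidate NAT address, and the device that owns it is where NAT must be disabled for AD-bound traffic.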

In this scenario, the FortiGate itself is source NATing the users' traffic. The fix is to disable NAT in the firewall policy that carries traffic from the users to the AD server (if another Layer 3 device performs the NAT instead, the same change is needed on that device):

config firewall policy
    edit <x>
        set name "user to AD"
        set srcintf "port4"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "AD-Server"
        ..
        set nat disable    <----- NAT disabled for the user-to-AD traffic.
    next
end

Once NAT is disabled, new logon events reach the AD server with each user's real source address, and the users appear in the FSSO Logons view with the correct IP address. This can also be verified from the CLI with 'diagnose debug authd fsso list', which prints the current FSSO logon entries with their IP addresses.