Hi Experts,

please can you help me with the SSO agent ?
The agent is installed on each DC in my network and in sync mode.
For the IT department I use a webfilter in my FORTIGATE with SSO.

But for some users I always get messages from my FORTIGATE like this :

Message meets Alert condition
date=2015-09-17 time=09:15:42 devname=WRWOHAB_DKG3_MASTER device_id=FG200B3912611717 log_id=0022000003 type=traffic subtype=violation  pri=warning status=deny vd="root" src= srcname= src_port=52599 dst= dstname= dst_country="United States" src_country="Reserved" dst_port=443 service=443/udp proto=17 app_type=N/A duration=0 rule=79 policyid=79 identidx=79 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" vpn_type=UNKNOWN(65535) vpn_tunnel="N/A" src_int="port14" dst_int="port16" SN=1231517001 app="N/A" app_cat="N/A" user="N/A" group="N/A" msg="N/A" carrier_ep="N/A" profilegroup="N/A" subapp="N/A" subappcat="N/A"  

Open in new window

Please can you explain it in detail ?
Eprs_AdminSystem ArchitectAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
the info on "subtype=violation  pri=warning status=deny vd="root" " looks like there is attempt to login via root and using "service=443/udp proto=17 " trigger the "rule=79 policyid=79 " - maybe good to use diagnose debug flow to show traffic hitting this policy id 79...

there is forum talking on FSSO alert too and eventually is the version support (initially they suspect the "group filters") though but it does have some debug steps which may be useful
Eprs_AdminSystem ArchitectAuthor Commented:
this is the strange part : service=443/udp

root means here VDOM:root
btanExec ConsultantCommented:
if you reference the guide in reading the FG log, as per "Log header", and also as you mentioned, vd=(root) is the name of the virtual domain where the action/event occurred in. The key is in the policy for cases the FG does not have any virtual domains exist (or configured), this field always contains root.

For the "Log  Body", the service=(https) refers the IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy. Will have to check the policy per se as it is configured to detect this as well.

Indeed it is strange as typically it should be TCP 443 instead of UDP 443 (which is why it did not state as "https"). I am suspecting some service is transacting using 443 port but it is not adhering to the perceived HTTPS services..

Ref guide -

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Eprs_AdminSystem ArchitectAuthor Commented:
Ok, I will read the document.
Eprs_AdminSystem ArchitectAuthor Commented:
Thanks I found the error.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.