Administration Guide

RSSO information for authenticated destination users in logs

FortiGate can use RSSO accounting information from authenticated RSSO users to populate destination users and groups, along with source users and groups.

RSSO user login information is forwarded by the RADIUS server to the FortiGate, which listens for incoming RADIUS accounting start messages on the RADIUS accounting port. Accounting start messages usually contain the user's IP address, user name, and user group. FortiGate uses this information in traffic logs: a source match populates the user and group fields, and a destination match populates the dstuser and dstgroup fields.

For instructions on configuring RSSO, see RADIUS single sign-on agent.

The following three scenarios show traffic between pc1 and the internet, and between pc1 and pc2.

Scenario 1

In this scenario, RSSO user test2 in group rsso-grp1 is authenticated on pc1. Traffic flows from pc1 to the internet.

Expected result:

In the logs, user test2 is shown as the source user in the rsso-grp1 group.

To verify the results:
  1. In the GUI, go to Log & Report > Forward Traffic and view the details of an entry with test2 as the source.
  2. In the Source section, User is test2 and Group is rsso-grp1.

  3. The log message shows the user and group:
    10: date=2020-05-25 time=15:34:43 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1590446083718007055 tz="-0700" srcip=10.1.100.188 srcname="win7-2-A.Fortinet-FSSO.COM" srcport=56982 srcintf="port10" srcintfrole="undefined" dstip=172.217.3.195 dstport=443 dstintf="port9" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=120651 proto=17 action="accept" policyid=1 policytype="policy" poluuid="d130f886-9ec6-51ea-206e-8c561c5244c6" policyname="pol1" user="test2" group="rsso-grp1" authserver="vdom1" service="udp/443" trandisp="snat" transip=172.16.200.1 transport=56982 duration=181 sentbyte=2001 rcvdbyte=1820 sentpkt=6 rcvdpkt=4 appcat="unscanned" sentdelta=0 rcvddelta=0 srchwvendor="VMware" osname="Windows" srcswversion="7" mastersrcmac="00:0c:29:44:be:b9" srcmac="00:0c:29:44:be:b9" srcserver=0

Scenario 2

In this scenario, RSSO user test2 is authenticated on pc1. Traffic is initiated on pc2 (172.16.200.185) going to pc1 (10.1.100.188).

Expected result:

In the logs, user test2 is shown as the destination user (dstuser). No destination group (dstgroup) is logged because no RSSO user is logged in on pc2, so the traffic from pc2 is unauthenticated.

To verify the results:
  1. In the GUI, go to Log & Report > Forward Traffic and view the details of an entry with 172.16.200.185 (pc2) as the source.
  2. In the Other section, Destination User is test2 and no destination group is shown.

  3. The log message shows the destination user:
    1: date=2020-05-22 time=07:38:06 logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1590158286585506922 tz="-0700" srcip=172.16.200.185 identifier=1 srcintf="port9" srcintfrole="undefined" dstip=10.1.100.188 dstintf="port10" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=4395 proto=1 action="accept" policyid=3 policytype="policy" poluuid="d4f18e1e-9c36-51ea-6ec0-3a354d5910ee" policyname="pol2" dstuser="test2" dstauthserver="root" service="PING" trandisp="snat" transip=10.1.100.1 transport=0 duration=128 sentbyte=7620 rcvdbyte=5220 sentpkt=127 rcvdpkt=87 appcat="unscanned" sentdelta=7620 rcvddelta=5220

Scenario 3

In this scenario, RSSO user test2 in group rsso-grp1 is authenticated on pc1, and user test3 in group rsso-grp2 is authenticated on pc2. Traffic flows from pc2 to pc1.

Expected result:

In the logs, user test3 is shown as the source user in the rsso-grp2 group. User test2 is shown as the destination user (dstuser) in the rsso-grp1 destination group (dstgroup). The destination group is logged because an RSSO user is logged in on pc2, so the traffic from pc2 is authenticated.

To verify the results:
  1. In the GUI, go to Log & Report > Forward Traffic and view the details of an entry with 172.16.200.185 (pc2) as the source.
  2. In the Source section, User is test3 and Group is rsso-grp2. In the Other section, Destination User is test2 and Destination Group is rsso-grp1.

  3. The log message shows both the source and the destination users and groups:
    8: date=2020-05-25 time=14:23:07 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1590441786958007914 tz="-0700" srcip=172.16.200.185 srcport=64096 srcintf="port9" srcintfrole="undefined" dstip=10.1.100.188 dstport=80 dstintf="port10" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=112445 proto=6 action="close" policyid=3 policytype="policy" poluuid="5894c368-9eca-51ea-fb4c-ec5a6c1d5043" policyname="pol2" user="test3" group="rsso-grp2" authserver="vdom1" dstuser="test2" dstgroup="rsso-grp1" dstauthserver="vdom1" service="HTTP" trandisp="snat" transip=10.1.100.1 transport=64096 duration=1 sentbyte=328 rcvdbyte=563 sentpkt=6 rcvdpkt=5 appcat="unscanned" dsthwvendor="VMware" dstosname="Windows" dstswversion="7" masterdstmac="00:0c:29:44:be:b9" dstmac="00:0c:29:44:be:b9" dstserver=0
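The three scenarios differ only in which of the four identity fields (user, group, dstuser, dstgroup) appear in the log line. The following Python script is an added example, not Fortinet code: it parses FortiGate key=value traffic log lines (quoted values may contain spaces, as in dstcountry="United States"), strips the row index the log viewer prints in front of each line, and classifies each line by which endpoint RSSO could attribute. The three sample lines are the ones shown on this page; the classification labels ("source", "destination", "both", "none") and all function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# The three traffic log lines from this page (scenarios 1 to 3), copied
# verbatim including the row index the log viewer prints in front of each.
SAMPLE_LOGS: List[str] = [
    '10: date=2020-05-25 time=15:34:43 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1590446083718007055 tz="-0700" srcip=10.1.100.188 srcname="win7-2-A.Fortinet-FSSO.COM" srcport=56982 srcintf="port10" srcintfrole="undefined" dstip=172.217.3.195 dstport=443 dstintf="port9" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=120651 proto=17 action="accept" policyid=1 policytype="policy" poluuid="d130f886-9ec6-51ea-206e-8c561c5244c6" policyname="pol1" user="test2" group="rsso-grp1" authserver="vdom1" service="udp/443" trandisp="snat" transip=172.16.200.1 transport=56982 duration=181 sentbyte=2001 rcvdbyte=1820 sentpkt=6 rcvdpkt=4 appcat="unscanned" sentdelta=0 rcvddelta=0 srchwvendor="VMware" osname="Windows" srcswversion="7" mastersrcmac="00:0c:29:44:be:b9" srcmac="00:0c:29:44:be:b9" srcserver=0',
    '1: date=2020-05-22 time=07:38:06 logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1590158286585506922 tz="-0700" srcip=172.16.200.185 identifier=1 srcintf="port9" srcintfrole="undefined" dstip=10.1.100.188 dstintf="port10" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=4395 proto=1 action="accept" policyid=3 policytype="policy" poluuid="d4f18e1e-9c36-51ea-6ec0-3a354d5910ee" policyname="pol2" dstuser="test2" dstauthserver="root" service="PING" trandisp="snat" transip=10.1.100.1 transport=0 duration=128 sentbyte=7620 rcvdbyte=5220 sentpkt=127 rcvdpkt=87 appcat="unscanned" sentdelta=7620 rcvddelta=5220',
    '8: date=2020-05-25 time=14:23:07 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1590441786958007914 tz="-0700" srcip=172.16.200.185 srcport=64096 srcintf="port9" srcintfrole="undefined" dstip=10.1.100.188 dstport=80 dstintf="port10" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=112445 proto=6 action="close" policyid=3 policytype="policy" poluuid="5894c368-9eca-51ea-fb4c-ec5a6c1d5043" policyname="pol2" user="test3" group="rsso-grp2" authserver="vdom1" dstuser="test2" dstgroup="rsso-grp1" dstauthserver="vdom1" service="HTTP" trandisp="snat" transip=10.1.100.1 transport=64096 duration=1 sentbyte=328 rcvdbyte=563 sentpkt=6 rcvdpkt=5 appcat="unscanned" dsthwvendor="VMware" dstosname="Windows" dstswversion="7" masterdstmac="00:0c:29:44:be:b9" dstmac="00:0c:29:44:be:b9" dstserver=0',
]

# One key=value token: a double-quoted value (which may contain spaces and
# escaped quotes) or a bare value that runs up to the next whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Optional "N: " row index printed by the FortiGate log viewer.
_ROW_INDEX_RE = re.compile(r'^\s*\d+:\s*')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict of unquoted values."""
    line = _ROW_INDEX_RE.sub('', line, count=1)
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def rsso_identity(fields: Dict[str, str]) -> Tuple[Optional[str], Optional[str],
                                                    Optional[str], Optional[str]]:
    """Return (user, group, dstuser, dstgroup); None for any field FortiGate did not log."""
    return (fields.get('user'), fields.get('group'),
            fields.get('dstuser'), fields.get('dstgroup'))


def classify_rsso(fields: Dict[str, str]) -> str:
    """Which endpoints RSSO attributed (labels are this example's own):
    'source'      - only the sender is an authenticated RSSO user (scenario 1)
    'destination' - only the receiver is; the sender is unauthenticated (scenario 2)
    'both'        - sender and receiver are authenticated RSSO users (scenario 3)
    'none'        - neither endpoint matched an RSSO login
    """
    src_auth = 'user' in fields
    dst_auth = 'dstuser' in fields
    if src_auth and dst_auth:
        return 'both'
    if src_auth:
        return 'source'
    if dst_auth:
        return 'destination'
    return 'none'


def summarize(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Reduce raw log lines to the endpoint and identity fields plus the RSSO class."""
    rows: List[Dict[str, Optional[str]]] = []
    for line in lines:
        f = parse_fortigate_log(line)
        user, group, dstuser, dstgroup = rsso_identity(f)
        rows.append({
            'srcip': f.get('srcip'), 'dstip': f.get('dstip'),
            'service': f.get('service'), 'action': f.get('action'),
            'user': user, 'group': group,
            'dstuser': dstuser, 'dstgroup': dstgroup,
            'rsso': classify_rsso(f),
        })
    return rows


if __name__ == '__main__':
    for row in summarize(SAMPLE_LOGS):
        print(row)
```

Run over the page's three lines, summarize() labels them "source", "destination" and "both" respectively; the "destination" class is the one to watch in a SOC pipeline, since it marks traffic from a host with no RSSO login reaching a host where an authenticated user is logged in.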
