Fortinet black logo

New Features

Tracking rolling historical records of LDAP user logins

Copy Link
Copy Doc ID 77966226-6996-11ec-bdf2-fa163e15d75b:245331
Download PDF

Tracking rolling historical records of LDAP user logins

Authenticated LDAP users can be tracked by logging the users' group memberships, logon timestamps, and logout timestamps into local files on a log disk over a rolling four-week period. The historical records can be queried from the CLI. This feature is only enabled on FortiGate models with a log disk.

To view active user logged information:
# diagnose user-device-store user-stats query <yyyy-mm-dd> <range_in_days>

Example

In this example, the FortiGate is configured with an explicit web proxy and an LDAP server. When an LDAP user is authenticated by an IP-based authentication method in WAD, the WAD user is considered to be in an active logon status. This WAD user is listed in the diagnose wad user list output. If the user is removed from WAD as an authenticated, such as when the IP-based authentication expires, then the user is considered to become inactive (logout status). The user is no longer listed in the diagnose wad user list output.

The WAD user's group membership information and their logon and logout timestamps are written into local files on the FortiGate's disk. There is one log file for each day, and the FortiGate can maintain up to 28 log files over a rolling period of 28 days (four weeks). This means after 28 days with 28 files stored, on the 29th day, the first file will be removed and a new file will be created for the 29th day.

Note

This feature works on other configurations such as firewall authentication, transparent web proxy, ZTNA, and SSL VPN where an LDAP server is used.

To configure the FortiGate:
  1. Enable the explicit web proxy on port1:
    config system interface
        edit "port1"
            set explicit-web-proxy enable
            set explicit-ftp-proxy enable
            set snmp-index 3
        next
    end
  2. Configure the LDAP server:
    config user ldap
        edit "ldap-test"
            set server "172.16.200.98"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password **********
        next
    end
  3. Configure the authentication scheme:
    config authentication scheme
        edit "basic-ldap"
            set method basic
            set user-database "ldap-test"
        next
    end
  4. Configure the authentication rule:
    config authentication rule
        edit "basic-ldap"
            set srcaddr "all"
            set active-auth-method "basic-ldap"
            set web-portal disable
        next
    end
  5. Configure the user group:
    config user group
        edit "ldap-group"
            set member "ldap" "ldap-test"
        next
    end
  6. Configure the proxy policy:
    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set groups "ldap-group"
            set utm-status enable
            set ssl-ssh-profile "deep-custom"
            set av-profile "av"
        next
    end

    When users pass through the explicit proxy and log in and out through LDAP, their login and logout records will be logged to the disk.

In this example, there are two LDAP users, test1 and test3, with the following activity:

  1. test3 logs on at 22:30:22 on February 23, 2022, then logs out at 22:31:09 on the same day.
  2. test1 logs on at 23:55:02 on February 23, 2022, then logs out at 00:05:02 on February 24, 2022.
  3. test3 logs on at 16:29:44 on February 24, 2022, then logs out at 16:39:44 on the same day.

The logon and logout timestamp information, and the group membership information for users test1 and test3 will be logged into two local files on the log disk.

To view the active user logged information for two days back from February 24, 2022:
# diagnose user-device-store user-stats query 2022-02-24 2

Record #0:
        'username' = 'test3'
        'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
        'logon' = '2022-02-23 22:30:22'
        'logout' = '2022-02-23 22:31:09'

Record #1:
        'username' = 'test1'
        'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=mytest-grp,OU=QA,DC=FORTINETQA,DC=local'
        'logon' = '2022-02-23 23:55:02'

Record #2:
        'username' = 'test1'
        'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=mytest-grp,OU=QA,DC=FORTINETQA,DC=local'
        'logon' = '2022-02-23 23:55:02'
        'logout' = '2022-02-24 00:05:02'

Record #3:
        'username' = 'test3'
        'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
        'logon' = '2022-02-24 16:29:44'
        'logout' = '2022-02-24 16:39:44'

Returned 4 records.

There is one record (logon) for test1 on 2022-02-23 because they remained active after midnight (until 00:05:02). There is another record for 2022-02-24 with logon and logout timestamps for test1.

Tracking rolling historical records of LDAP user logins

Authenticated LDAP users can be tracked by logging the users' group memberships, logon timestamps, and logout timestamps into local files on a log disk over a rolling four-week period. The historical records can be queried from the CLI. This feature is only enabled on FortiGate models with a log disk.

To view active user logged information:
# diagnose user-device-store user-stats query <yyyy-mm-dd> <range_in_days>

Example

In this example, the FortiGate is configured with an explicit web proxy and an LDAP server. When an LDAP user is authenticated by an IP-based authentication method in WAD, the WAD user is considered to be in an active logon status. This WAD user is listed in the diagnose wad user list output. If the user is removed from WAD as an authenticated, such as when the IP-based authentication expires, then the user is considered to become inactive (logout status). The user is no longer listed in the diagnose wad user list output.

The WAD user's group membership information and their logon and logout timestamps are written into local files on the FortiGate's disk. There is one log file for each day, and the FortiGate can maintain up to 28 log files over a rolling period of 28 days (four weeks). This means after 28 days with 28 files stored, on the 29th day, the first file will be removed and a new file will be created for the 29th day.

Note

This feature works on other configurations such as firewall authentication, transparent web proxy, ZTNA, and SSL VPN where an LDAP server is used.

To configure the FortiGate:
  1. Enable the explicit web proxy on port1:
    config system interface
        edit "port1"
            set explicit-web-proxy enable
            set explicit-ftp-proxy enable
            set snmp-index 3
        next
    end
  2. Configure the LDAP server:
    config user ldap
        edit "ldap-test"
            set server "172.16.200.98"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password **********
        next
    end
  3. Configure the authentication scheme:
    config authentication scheme
        edit "basic-ldap"
            set method basic
            set user-database "ldap-test"
        next
    end
  4. Configure the authentication rule:
    config authentication rule
        edit "basic-ldap"
            set srcaddr "all"
            set active-auth-method "basic-ldap"
            set web-portal disable
        next
    end
  5. Configure the user group:
    config user group
        edit "ldap-group"
            set member "ldap" "ldap-test"
        next
    end
  6. Configure the proxy policy:
    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set groups "ldap-group"
            set utm-status enable
            set ssl-ssh-profile "deep-custom"
            set av-profile "av"
        next
    end

    When users pass through the explicit proxy and log in and out through LDAP, their login and logout records will be logged to the disk.

In this example, there are two LDAP users, test1 and test3, with the following activity:

  1. test3 logs on at 22:30:22 on February 23, 2022, then logs out at 22:31:09 on the same day.
  2. test1 logs on at 23:55:02 on February 23, 2022, then logs out at 00:05:02 on February 24, 2022.
  3. test3 logs on at 16:29:44 on February 24, 2022, then logs out at 16:39:44 on the same day.

The logon and logout timestamp information, and the group membership information for users test1 and test3 will be logged into two local files on the log disk.

To view the active user logged information for two days back from February 24, 2022:
# diagnose user-device-store user-stats query 2022-02-24 2

Record #0:
        'username' = 'test3'
        'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
        'logon' = '2022-02-23 22:30:22'
        'logout' = '2022-02-23 22:31:09'

Record #1:
        'username' = 'test1'
        'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=mytest-grp,OU=QA,DC=FORTINETQA,DC=local'
        'logon' = '2022-02-23 23:55:02'

Record #2:
        'username' = 'test1'
        'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=mytest-grp,OU=QA,DC=FORTINETQA,DC=local'
        'logon' = '2022-02-23 23:55:02'
        'logout' = '2022-02-24 00:05:02'

Record #3:
        'username' = 'test3'
        'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
        'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
        'logon' = '2022-02-24 16:29:44'
        'logout' = '2022-02-24 16:39:44'

Returned 4 records.

There is one record (logon) for test1 on 2022-02-23 because they remained active after midnight (until 00:05:02). There is another record for 2022-02-24 with logon and logout timestamps for test1.