SSO event logs


I have a 2 servers running the Authentication gateway. They are both behind a M370 firefox where i have multiple remote firefoxes connected to the M370 firebox with vpn.

All remote subnets has clients with the SSO client and this is working.

I am trying to understand why i see remote user SSO authentication logs on remote firebox devices where the login user is not physical located.

Exampel: On my firebox at home with subnet i see AD user USERNAME authenticated:
2021-07-30 09:43:51 sessiond Firewall user USERNAME from logged in msg_id="3E00-0002" Event

Looking at the FSM authentication list on my local firewall, i see a lot of authenticated users which is logged in from other fysical places, but only some users, not all, compared to the authentication list on the M370 firewall.

How do SSO authentication work between sites connected with vpn?

The fireboxes is running a mix of 12.7.1U1 and 12.5.7U3. All SSO is running 12.7.

Bwt., i have opened a support case. However the first reply I got, was a bit odd, so in the mean time, i ask here, i anybody should have a qualified answer.
Can you please install an SSO Agent in your local network and configure T35 to use this local SSO Agent. After that check, if you are still seeing users from other networks.

As i cannot be the first customer with this type of SSO setup, i would believe support should have a better answer - or do some tests internal instead of asking me.



  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    SSO between firewalls will only occur if the option to attempt to authenticate users across tunnels is enabled, and an event log monitor is set up. If those conditions are met, the firewall will attempt to identify users only if they try to access a resource. (this means idling users not accessing anything across the tunnel will never show up.)

    -James Carson
    WatchGuard Customer Support

  • Options


    Thank you. I am in contact with Ulf Schroeder regarding this issue as we cannot fint anything indicating there should be traffic from these clients.

  • Options


    We found out why.

    FBX-14597 SSO Agent should support multiple Fireboxes

    The SSO Agent does NOT support multiple Fireboxes which means that all Authentication events are sent out to ALL attached Fireboxes since the SSO agent does not care who asked what.

Sign In to comment.