SSO event logs
Hi,
I have a 2 servers running the Authentication gateway. They are both behind a M370 firefox where i have multiple remote firefoxes connected to the M370 firebox with vpn.
All remote subnets has clients with the SSO client and this is working.
I am trying to understand why i see remote user SSO authentication logs on remote firebox devices where the login user is not physical located.
Exampel: On my firebox at home with subnet 192.168.6.0/24 i see AD user USERNAME authenticated:
2021-07-30 09:43:51 sessiond Firewall user USERNAME from 172.17.18.16 logged in msg_id="3E00-0002" Event
Looking at the FSM authentication list on my local firewall, i see a lot of authenticated users which is logged in from other fysical places, but only some users, not all, compared to the authentication list on the M370 firewall.
How do SSO authentication work between sites connected with vpn?
The fireboxes is running a mix of 12.7.1U1 and 12.5.7U3. All SSO is running 12.7.
Bwt., i have opened a support case. However the first reply I got, was a bit odd, so in the mean time, i ask here, i anybody should have a qualified answer.
Can you please install an SSO Agent in your local network and configure T35 to use this local SSO Agent. After that check, if you are still seeing users from other networks.
As i cannot be the first customer with this type of SSO setup, i would believe support should have a better answer - or do some tests internal instead of asking me.
/Robert
Comments
SSO between firewalls will only occur if the option to attempt to authenticate users across tunnels is enabled, and an event log monitor is set up. If those conditions are met, the firewall will attempt to identify users only if they try to access a resource. (this means idling users not accessing anything across the tunnel will never show up.)
-James Carson
WatchGuard Customer Support
@James_Carson
Thank you. I am in contact with Ulf Schroeder regarding this issue as we cannot fint anything indicating there should be traffic from these clients.
@James_Carson
We found out why.
FBX-14597 SSO Agent should support multiple Fireboxes
The SSO Agent does NOT support multiple Fireboxes which means that all Authentication events are sent out to ALL attached Fireboxes since the SSO agent does not care who asked what.