Tracking rolling historical records of LDAP user logins
Authenticated LDAP users can be tracked by logging the users' group memberships, logon timestamps, and logout timestamps into local files on a log disk over a rolling four-week period. The historical records can be queried from the CLI. This feature is only enabled on FortiGate models with a log disk.
To view the logged user information:

    # diagnose user-device-store user-stats query <yyyy-mm-dd> <range_in_days>
Example
In this example, the FortiGate is configured with an explicit web proxy and an LDAP server. When an LDAP user is authenticated by an IP-based authentication method in WAD, the WAD user is considered to be in an active logon status and is listed in the diagnose wad user list output. If the user is removed from WAD as an authenticated user, such as when the IP-based authentication expires, the user is considered inactive (logout status) and is no longer listed in the diagnose wad user list output.
The WAD user's group membership information and their logon and logout timestamps are written into local files on the FortiGate's disk. There is one log file for each day, and the FortiGate can maintain up to 28 log files over a rolling period of 28 days (four weeks). This means that once 28 files are stored, on the 29th day the oldest file is removed and a new file is created for the 29th day.
This feature also works with other configurations where an LDAP server is used, such as firewall authentication, transparent web proxy, ZTNA, and SSL VPN.
To configure the FortiGate:
- Enable the explicit web proxy on port1:
    config system interface
        edit "port1"
            set explicit-web-proxy enable
            set explicit-ftp-proxy enable
            set snmp-index 3
        next
    end
- Configure the LDAP server:
    config user ldap
        edit "ldap-test"
            set server "172.16.200.98"
            set cnid "cn"
            set dn "dc=fortinetqa,dc=local"
            set type regular
            set username "CN=root,CN=Users,DC=fortinetqa,DC=local"
            set password **********
        next
    end
- Configure the authentication scheme:
    config authentication scheme
        edit "basic-ldap"
            set method basic
            set user-database "ldap-test"
        next
    end
- Configure the authentication rule:
    config authentication rule
        edit "basic-ldap"
            set srcaddr "all"
            set active-auth-method "basic-ldap"
            set web-portal disable
        next
    end
- Configure the user group:
    config user group
        edit "ldap-group"
            set member "ldap" "ldap-test"
        next
    end
- Configure the proxy policy:
    config firewall proxy-policy
        edit 1
            set proxy explicit-web
            set dstintf "port3"
            set srcaddr "all"
            set dstaddr "all"
            set service "web"
            set action accept
            set schedule "always"
            set groups "ldap-group"
            set utm-status enable
            set ssl-ssh-profile "deep-custom"
            set av-profile "av"
        next
    end
When users pass through the explicit proxy and log in and out through LDAP, their login and logout records will be logged to the disk.
In this example, there are two LDAP users, test1 and test3, with the following activity:
- test3 logs on at 22:30:22 on February 23, 2022, then logs out at 22:31:09 on the same day.
- test1 logs on at 23:55:02 on February 23, 2022, then logs out at 00:05:02 on February 24, 2022.
- test3 logs on at 16:29:44 on February 24, 2022, then logs out at 16:39:44 on the same day.
The logon and logout timestamp information, and the group membership information for users test1 and test3 will be logged into two local files on the log disk.
To view the logged user information for two days back from February 24, 2022:

    # diagnose user-device-store user-stats query 2022-02-24 2
    Record #0:
    'username' = 'test3'
    'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
    'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
    'logon' = '2022-02-23 22:30:22'
    'logout' = '2022-02-23 22:31:09'
    Record #1:
    'username' = 'test1'
    'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
    'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
    'groupname' = 'CN=mytest-grp,OU=QA,DC=FORTINETQA,DC=local'
    'logon' = '2022-02-23 23:55:02'
    Record #2:
    'username' = 'test1'
    'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
    'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
    'groupname' = 'CN=mytest-grp,OU=QA,DC=FORTINETQA,DC=local'
    'logon' = '2022-02-23 23:55:02'
    'logout' = '2022-02-24 00:05:02'
    Record #3:
    'username' = 'test3'
    'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
    'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
    'logon' = '2022-02-24 16:29:44'
    'logout' = '2022-02-24 16:39:44'
    Returned 4 records.
There is one record (logon only) for test1 on 2022-02-23 because they remained active after midnight (until 00:05:02). There is another record for 2022-02-24 with both logon and logout timestamps for test1.
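The query output above is meant to be read by a person, but an analyst pulling it over many days usually wants one row per session, with the midnight duplicate collapsed. The following parser is an added example, not part of this page or of FortiOS; the sample text is constructed in the output format shown above, with one group per record to keep it short, and the field names are the ones in that output.

```python
import re
from datetime import datetime

# Constructed sample in the query-output format shown above (not a real capture).
SAMPLE = """Record #0:
'username' = 'test3'
'groupname' = 'CN=Domain Admins,CN=Users,DC=FORTINETQA,DC=local'
'logon' = '2022-02-23 22:30:22'
'logout' = '2022-02-23 22:31:09'
Record #1:
'username' = 'test1'
'logon' = '2022-02-23 23:55:02'
Record #2:
'username' = 'test1'
'groupname' = 'CN=FSSO,OU=QA,DC=FORTINETQA,DC=local'
'logon' = '2022-02-23 23:55:02'
'logout' = '2022-02-24 00:05:02'
Returned 3 records."""

KV = re.compile(r"^'(\w+)' = '(.*)'$")
TS = "%Y-%m-%d %H:%M:%S"

def parse_records(text):
    """One dict per 'Record #n:' block; groupname repeats, so it is a list."""
    records = []
    for line in text.splitlines():
        m = KV.match(line.strip())
        if line.startswith("Record #"):
            records.append({"groupname": []})
        elif m and records and m.group(1) == "groupname":
            records[-1]["groupname"].append(m.group(2))
        elif m and records:
            records[-1][m.group(1)] = m.group(2)
    return records

def sessions(records):
    """One session per (user, logon). A logon still active at midnight is
    written to two daily files; keep the record carrying the logout."""
    best = {}
    for r in records:
        key = (r["username"], r["logon"])
        if "logout" in r or key not in best:
            best[key] = r
    out = []
    for (user, logon), r in sorted(best.items()):
        start = datetime.strptime(logon, TS)
        end = datetime.strptime(r["logout"], TS) if "logout" in r else None
        out.append({"user": user, "groups": r["groupname"], "logon": start, "logout": end,
                    "seconds": int((end - start).total_seconds()) if end else None})
    return out
```

A session with no logout in any daily file is reported with `seconds` set to None, which is how a still-active user appears in the most recent file.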