mturic
Staff & Editor
June 22, 2016

Technical Tip: Comparing the limitations of an FSSO local poller (FSSOD) with an FSSO collector agent


Description


This article explains the limitations that an FSSO local poller has compared to an FSSO collector agent.


Scope


FortiGate installations with FSSO enabled.


Solution


The FSSOD process (the FSSO local poller) handles FSSO when no collector agent is deployed and the FortiGate itself polls the Windows security event logs on the domain controllers.

The local poller is sufficient for small deployments, but it offers only a subset of the functionality available when a collector agent is installed in the domain. Its limitations include:


  • No dead entry timer: logon entries the poller has learned are not aged out after a period of inactivity.
  • No workstation logoff check: the poller does not query workstations to detect that a user has logged off.
  • No tracking of workstation IP address changes.
  • The set of event IDs that are monitored cannot be customized.
  • No ignore user list.
  • NTLM-based authentication is not supported, even though 'set ntlm enable' is still offered in the firewall policy configuration.
  • During a burst of simultaneous logins the FSSO daemon can miss some of them. If this affects your deployment, use FSSO collector agent mode instead.
  • The FSSO daemon does not support all of the security log events that the other FSSO modes support. Only the Kerberos events 4768 (TGT request; required) and 4769 (service ticket request, tied to the 4768 logon) are processed.
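Because the local poller only consumes events 4768 and 4769 and can drop logins during bursts, it is worth checking on the domain controller whether those events are actually being audited and how bursty they are before choosing polling mode. The following PowerShell is an added example for this article, not Fortinet's code or part of the FSSOD implementation. It assumes it is run on a domain controller that the FortiGate polls, that the log name is 'Security', and that a 15-minute look-back window is representative; adjust the window to match your peak logon period.

```powershell
# Added example (not from the article): run on a domain controller polled by
# the FortiGate. Checks that 4768/4769 are audited and measures logon burstiness.
# The 15-minute window and the 'Security' log name are assumptions.

$Window = (Get-Date).AddMinutes(-15)

# 1. Audit policy: if these subcategories are not set to Success, no 4768/4769
#    events are written and the local poller has nothing to read.
auditpol /get /subcategory:"Kerberos Authentication Service"
auditpol /get /subcategory:"Kerberos Service Ticket Operations"

# 2. Pull only the Kerberos events the local poller can consume.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4769
    StartTime = $Window
} -ErrorAction SilentlyContinue

# Extract the fields FSSO needs (account and source IP) from EventData by
# field name rather than positional index; the order differs between 4768 and 4769.
$logons = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $get  = { param($n) ($data | Where-Object { $_.Name -eq $n }).'#text' }
    [pscustomobject]@{
        Time = $e.TimeCreated
        Id   = $e.Id
        User = & $get 'TargetUserName'
        # The DC logs IPv4 clients as ::ffff:a.b.c.d; strip the prefix.
        Ip   = (& $get 'IpAddress') -replace '^::ffff:', ''
    }
}

# Machine accounts (trailing $) are not user logons for FSSO purposes.
$userLogons = $logons | Where-Object { $_.User -notmatch '\$$' }

# 3. Peak events per minute: a proxy for how bursty logons are on this DC.
#    High peaks are where the "poller misses some logins" caveat bites.
$userLogons |
    Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Count -Descending |
    Select-Object -First 5 Name, Count

# 4. Distinct user/IP pairs the poller would learn in the window.
$userLogons | Select-Object User, Ip -Unique | Sort-Object User
```

The last table is the snapshot the local poller would build from this window. Keep in mind that, with no dead entry timer, no workstation logoff check and no IP-change tracking, a pair in that list stays associated with its IP on the FortiGate until a newer 4768/4769 for that address replaces it; if the peak per-minute count is high, compare this list against what the FortiGate actually learned to see whether logins are being missed.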

Related article:

Technical Tip: Windows event IDs used by FSSO in WinSec polling mode