FrankY1
Staff
December 16, 2024

Technical Tip: FSSO Collector Agent Events And Windows Machine Status Change

Description

This article provides details of what FSSO collector agent events are expected when the status of an LDAP-connected Windows client machine changes.

Scope

FortiGate.

Solution

When a Windows client machine is domain joined, and its machine status changes, the domain controller does not always generate a logon event.

The FSSO collector agent collects user logon events from domain controllers and forwards this information to FortiGate.

Refer to the table below for the domain controller security event and collector agent (CA) event generated for each machine status change.

 

| Status Change | Authentication Method | Domain Controller Security Event | Collector Agent Event |
|---|---|---|---|
| Sleep -> Out of sleep. | Local cache. | None. | None. |
| Hibernate -> Out of hibernate. | Local cache. | None. | None. |
| Lock -> Unlock. | Active Directory. | Logon. | Logon. |
| Sign out -> Sign in. | Active Directory. | Logon. | Logon. |
| Shutdown -> Sign in. | Active Directory. | Logon. | Logon. |
| RDP to another machine (Non-RDS server). | Active Directory. | Logon. | Override (RDP client username is passed to the server). |