dieter
New Member
August 27, 2018
Question

FSSO agent ip exclusion


Is there a way to exclude certain IP addresses from collecting authenticated users?

    1 reply

    xsilver_FTNT
    Staff
    August 28, 2018

    Hi,

     

    dieter wrote:

    Is there a way to exclude certain IP addresses from collecting authenticated users?

     

    Yes.

    If your Collector is getting updates from some sources and you do not want those sources to collect authenticated users, then the options are:

     

    1. if in DCAgent mode, simply uninstall the agent from those DCs that you do not want auth info from

    2. if in polling mode, then remove the DC from the polled controllers

    3. the list of polled DCs is in the "dc_list"="" key

    4. the list of connected/known DCAgents is at the end of the exported config from the Collector

    5. you can ignore updates from certain DCs via the "dc_agent_ignore_ip_list"="" key

    6. all the keys are in the [HKEY_LOCAL_MACHINE\software\fortinet\fsae] sub-tree

    dieter
    Author
    New Member
    August 28, 2018

    dc_agent_ignore_ip_list seems to be an undocumented feature. But it seems to work.

     

    Thank you

    dieter
    Author
    New Member
    August 28, 2018

    Curious: In the Firewall User monitor I don't see users associated with the excluded IP addresses.

    In the Forward traffic log, however, some traffic from those IPs has a user associated...

    In the User event log, I see FSSO logon/logoff events on the excluded IPs. The logoff event for most users is about 3 seconds after the logon event. Probably enough to have some traffic related to a user...

     

    On 5.6.2 by the way.
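
To measure the logon-to-logoff gap described in the last post, the sketch below scans user event lines for excluded IPs and reports how long each user mapping stayed attached. It is an added example, not part of the thread and not Fortinet code; the key=value layout, the field names (date, time, action, user, ip), the action strings and all sample values are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines in a simplified key=value layout. The field names
# and action strings are assumptions, not a real FortiGate log export.
SAMPLE_LOG = """\
date=2018-08-28 time=09:15:02 action=FSSO-logon user="svc_backup" ip=10.0.5.20
date=2018-08-28 time=09:15:05 action=FSSO-logoff user="svc_backup" ip=10.0.5.20
date=2018-08-28 time=09:16:40 action=FSSO-logon user="alice" ip=10.0.7.33
date=2018-08-28 time=09:20:11 action=FSSO-logon user="svc_scan" ip=10.0.5.21
date=2018-08-28 time=09:20:14 action=FSSO-logoff user="svc_scan" ip=10.0.5.21
date=2018-08-28 time=09:31:00 action=FSSO-logon user="bob" ip=10.0.5.20
"""

EXCLUDED_IPS = {"10.0.5.20", "10.0.5.21"}  # hypothetical ignore-list entries

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def exposure_windows(log_text, excluded_ips):
    """Return (ip, user, seconds) for each logon seen on an excluded IP.

    seconds is the logon-to-logoff gap, or None when no logoff was seen,
    meaning the user mapping may still be attached to that IP.
    """
    open_logons = {}  # (ip, user) -> logon timestamp
    windows = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("ip") not in excluded_ips:
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        key = (ev["ip"], ev["user"])
        if ev["action"] == "FSSO-logon":
            open_logons[key] = ts
        elif ev["action"] == "FSSO-logoff" and key in open_logons:
            gap = (ts - open_logons.pop(key)).total_seconds()
            windows.append((ev["ip"], ev["user"], gap))
    # Logons without a matching logoff: identity still tied to the IP.
    windows.extend((ip, user, None) for (ip, user) in open_logons)
    return windows

if __name__ == "__main__":
    for ip, user, gap in exposure_windows(SAMPLE_LOG, EXCLUDED_IPS):
        state = "no logoff seen" if gap is None else f"{gap:.0f}s window"
        print(f"{ip} {user}: {state}")
```

Any non-empty result means traffic from an excluded IP could be logged against a user during that window, so forward traffic logs for those addresses should be read with that in mind.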