FortiAuthenticator
Article Id 189910

Description

 

This article lists the Windows Security event IDs that FSSO uses in Windows Security Event Log (WinSec) polling mode, for the FSSO Collector Agent, the FortiGate local poller and FortiAuthenticator.

 

Scope

 

FortiAuthenticator.

 

Solution

 

  1. The FSSO Collector Agent in Windows Security Event Log polling mode supports the following Windows event IDs:
  • Windows 2008/2012/2016/2019 event IDs: 4768, 4769*, 4776, 4624, 4770 **.
  • Windows 2003 event IDs: 672, 673*, 680, 528, 540 **.

* Some event IDs are not supported on their own: they must be correlated with another event before the logon information (user, domain, client IP) is complete.

For example:

 

  • Event 4769 requires 4768.
  • Event 673 requires 672.

** By default the Collector Agent polls only a subset of these events. Which event IDs are monitored is configured with 'Windows Security Event ID to poll' under Advanced Settings:

 

  • 0 - polls 672, 680, 4768, 4776 - this is the default subset.
  • 1 - polls 672, 673, 680, 4768, 4769, 4776.
  • 2 - polls 672, 673, 680, 4768, 4769, 4776, 4624 (event ID 4624 was added to default polling in Windows 2016 for better support of macOS and newer Windows Server platforms).
  • <EventID1;EventID2;...;EventIDn> - polls only the listed event ID or IDs, e.g. 4768;4769;4624.

 

(Screenshot: FSSO1.png)

 

(Screenshot: FSSO_Poll_ID.png)

 

  2. FortiGate (FGT) also has an integrated poller. Its local polling mode reads the same Windows Security event log, but the supported event subset is currently smaller:

  • Windows 2008/2012/2016/2019 event IDs: 4768, 4769, 4776.
  • Windows 2003 event IDs: 672, 673.

 

Hint:
If the FortiGate poller debug log shows 'no domain from <IP>', set 'default-domain' in the 'config user fsso-polling' configuration; without it the poller discards those logons.

 

  3. FortiAuthenticator supports the following event IDs:

  • Windows 2008/2012/2016/2019 event IDs: 4768, 4769*, 4624*, 4770*, 4776.
  • Windows 2003 event IDs: 672, 673*, 674*, 680, 528*, 540*.

* These events are only polled once they are enabled under Fortinet Single Sign-On (FSSO) -> SSO -> General -> 'Enable Windows event log polling (e.g. domain controllers/Exchange servers)' -> [Configure Events].

 

Note that if the Windows Security event log contains no such events, FSSO cannot pick up the users or machines either, regardless of which poller is used.
If the expected event IDs are not being generated on the domain controller, the most likely cause is an audit group policy that does not audit these logon successes.
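The following PowerShell script is an added example and is not part of the Fortinet article or of any Fortinet software. Run it on a domain controller to verify, before blaming the poller, that the Security log actually contains the event IDs the Collector Agent will request for a given 'Windows Security Event ID to poll' value (0, 1, 2 or "ID1;ID2;...;IDn", per the table above), to print per-ID counts, to pair 4769 events with a preceding 4768 as the footnote describes, and to dump the relevant audit-policy subcategories when nothing is found. The function and variable names are ours; the (user, client IP) key used to pair 4769 with 4768 is our assumption about how the correlation works, not documented Fortinet behaviour.

```powershell
# Added example (not Fortinet code). Run on a DC as an administrator.
# Assumes read access to the Security log and that auditpol.exe is available.
param(
    [string]$PollSetting = '0',   # value of 'Windows Security Event ID to poll'
    [int]$Hours = 1               # look-back window for the Security log query
)

# Map the Collector Agent setting to the event IDs it polls (table from the article).
function Get-FssoPollIds {
    param([string]$Setting)
    switch -Regex ($Setting) {
        '^0$'          { return @(672, 680, 4768, 4776) }
        '^1$'          { return @(672, 673, 680, 4768, 4769, 4776) }
        '^2$'          { return @(672, 673, 680, 4768, 4769, 4776, 4624) }
        '^\d+(;\d+)*$' { return @($Setting -split ';' | ForEach-Object { [int]$_ }) }
        default        { throw "Unrecognised 'Windows Security Event ID to poll' value: '$Setting'" }
    }
}

# Read one named EventData field from an event record via its XML rendering
# (robust against the positional differences between 4768 and 4769 properties).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    return ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$ids   = Get-FssoPollIds -Setting $PollSetting
$since = (Get-Date).AddHours(-$Hours)
Write-Host "Poll setting '$PollSetting' -> event IDs $($ids -join ', ') since $since"

# Get-WinEvent emits a non-terminating 'No events were found' error on an empty
# result; suppress it and test for $null instead.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No matching events in the last $Hours h: FSSO has nothing to pick up from this DC."
    # Usual cause: audit policy does not audit these successes. The subcategories
    # below produce 4768, 4769/4770, 4776 and 4624 respectively.
    $subcategories = @(
        'Kerberos Authentication Service',
        'Kerberos Service Ticket Operations',
        'Credential Validation',
        'Logon'
    )
    foreach ($sub in $subcategories) {
        auditpol /get /subcategory:"$sub"
    }
    return
}

# Per-ID counts: a zero for an ID the poller expects is itself a finding.
foreach ($id in $ids) {
    $n = @($events | Where-Object Id -eq $id).Count
    '{0,6} x Event ID {1}' -f $n, $id
}

# Article footnote: 4769 alone does not yield a logon; it must be correlated with a
# preceding 4768. Pair them on (user, client IP) and report 4769s without a partner.
if ($ids -contains 4769) {
    $tgt = @{}
    foreach ($e in ($events | Where-Object Id -eq 4768)) {
        $key = ('{0}|{1}' -f (Get-EventField $e 'TargetUserName'), (Get-EventField $e 'IpAddress')).ToLower()
        $tgt[$key] = $e.TimeCreated
    }
    $tgs = @($events | Where-Object Id -eq 4769)
    $unpaired = @($tgs | Where-Object {
        # 4769 carries the principal as user@REALM; 4768 carries the bare user name.
        $user = (Get-EventField $_ 'TargetUserName') -replace '@.*$', ''
        $key  = ('{0}|{1}' -f $user, (Get-EventField $_ 'IpAddress')).ToLower()
        -not $tgt.ContainsKey($key)
    })
    '{0} of {1} 4769 events have no matching 4768 (user, IP) in the window' -f $unpaired.Count, $tgs.Count
}
```

Run it with the same value you configured on the Collector Agent, for example `.\Check-FssoEvents.ps1 -PollSetting '4768;4769;4624' -Hours 4`. A high count of unpaired 4769 events usually means the look-back window is shorter than the TGT lifetime rather than a logging problem; an empty result with a subcategory showing 'No Auditing' points at the group policy mentioned above.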

Related Articles:

 

Technical Tip: FSSO local poller (FSSOD) limitations compared to FSSO collector agent

Technical Tip: FSSO choose between DC Agent mode or Polling mode

Technical Tip: Downloading FSSO agent software

Technical Tip: How to validate MD5 checksum hash for FSSO installer

Technical Tip: How to install FSSO Collector Agent

Technical Tip: Comparison between DC-Agent mode and polling mode

Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets