FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
arleniscg
Staff
Article Id 381468
Description

This article describes troubleshooting steps for the case where FortiEDR is installed on an Active Directory server that also acts as the FSSO Collector Agent or DC Agent for SSO authentication with FortiGate, and the number of logged-on users on the Collector Agent does not increase while FortiEDR is running.

Scope
FortiEDR, FortiGate.
Solution
  • FortiEDR is running on the server of the FSSO Collector Agent.
  1. Create an exclusion in the EDR Manager for the FSSO Collector Agent installation path on the AD server:

[Screenshot: EDR.png]

Path to exclude in the EDR Manager: \Program Files\Fortinet\FSAE\*.

  2. Validate that the AD Collector Agent server is correctly configured:
  • The FSSO user account has the required privileges.

[Screenshot: permisos.png]

  • If the Collector Agent is working in DC Agent mode, validate that Advanced Settings -> Event IDs to poll is set to 2.

[Screenshot: EDR 02.png]

  • Validate that all DC Agent servers are enabled to send logon events to this affected Collector Agent server.

[Screenshot: EDR 01.png]

  3. If the problem is still present, change the FortiEDR Collector to work in TDI network monitoring mode:
  • Stop the Collector service. Execute the following command in the CLI (the -rp value is the Collector's registration password):

"C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --stop -rp:<password>

  • Run Notepad as an administrator and open C:\ProgramData\FortiEDR\Config\Collector\CollectorBootstrap.jsn.
  • Search for 'NetworkMonitoringMode' and change its value so that the entry reads "NetworkMonitoringMode":"TDI".
  • Save the file.
  • Start the Collector service. Execute the following command in the CLI:

"C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe" --start

  • Restart the device.

  4. Monitor the number of logged-on users on the AD Collector Agent server. If the problem is still present, open a case with the Fortinet TAC team.

  • FortiEDR is running on the server of the FSSO DC Agent.

The DC Agent installer places a DLL in the system32 folder that is loaded by the lsass.exe system process, so excluding the \Program Files\Fortinet\FSAE\* path in the EDR Manager makes no difference in this case.

For this situation, there are two options:

  1. Perform the same steps as described before:
  • Stop the Collector service.
  • Run Notepad as an administrator and open C:\ProgramData\FortiEDR\Config\Collector\CollectorBootstrap.jsn.
  • Search for 'NetworkMonitoringMode' and change its value so that the entry reads "NetworkMonitoringMode":"TDI".
  • Save the file.
  • Start the Collector service.
  • Restart the device.

  2. Configure the DC Agent to use SSL mode (TCP port 8003).
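The TDI switch described above (the same manual steps for both the Collector Agent case and the DC Agent case) scripted in PowerShell, as an added example that is not part of this article or of Fortinet's own tooling. It assumes the default install and config paths shown in the steps, that the -rp value is the Collector's registration password, that CollectorBootstrap.jsn contains the key literally as "NetworkMonitoringMode":"<value>", and that the file is plain ASCII/UTF-8 text; the parameter and function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Fortinet article: switch the FortiEDR Collector's
# network monitoring mode to TDI with the article's steps (stop service, edit
# CollectorBootstrap.jsn, start service, restart the server).
# Assumptions the page does not state: the default paths below, -rp takes the
# Collector registration password, the key appears literally as
# "NetworkMonitoringMode":"<value>", and the file is plain ASCII/UTF-8 text.
param(
    [Parameter(Mandatory = $true)]
    [string]$RegistrationPassword,   # passed to the service as -rp:<password>
    [string]$CollectorExe  = 'C:\Program Files\Fortinet\FortiEDR\FortiEDRCollectorService.exe',
    [string]$BootstrapFile = 'C:\ProgramData\FortiEDR\Config\Collector\CollectorBootstrap.jsn',
    [switch]$RestartComputer         # reboot only when explicitly requested
)

$ErrorActionPreference = 'Stop'
$keyPattern = '"NetworkMonitoringMode"\s*:\s*"([^"]*)"'

function Get-CollectorNetworkMonitoringMode {
    # Returns the current NetworkMonitoringMode value, or $null if the key is missing.
    param([string]$Path)
    $text = [System.IO.File]::ReadAllText($Path)
    if ($text -match $keyPattern) { return $Matches[1] }
    return $null
}

$current = Get-CollectorNetworkMonitoringMode -Path $BootstrapFile
if ($null -eq $current) { throw "NetworkMonitoringMode not found in $BootstrapFile" }
Write-Host "Current NetworkMonitoringMode: $current"
if ($current -eq 'TDI') { Write-Host 'Collector is already in TDI mode; nothing to change.'; return }

# Step 1: stop the Collector service (the registration password is required).
& $CollectorExe '--stop' "-rp:$RegistrationPassword"
if ($LASTEXITCODE -ne 0) { throw "Stopping the Collector service failed (exit code $LASTEXITCODE)" }

# Step 2: back up the bootstrap file, then rewrite only the NetworkMonitoringMode value.
$backup = "$BootstrapFile.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $BootstrapFile -Destination $backup
$text    = [System.IO.File]::ReadAllText($BootstrapFile)
$updated = $text -replace $keyPattern, '"NetworkMonitoringMode":"TDI"'
# WriteAllText with an explicit BOM-less encoding avoids the BOM that
# Set-Content -Encoding UTF8 adds under Windows PowerShell 5.1.
[System.IO.File]::WriteAllText($BootstrapFile, $updated, (New-Object System.Text.UTF8Encoding($false)))

# Step 3: verify the edit; restore the backup if it did not take.
if ((Get-CollectorNetworkMonitoringMode -Path $BootstrapFile) -ne 'TDI') {
    Copy-Item -Path $backup -Destination $BootstrapFile -Force
    throw "Edit did not take effect; restored $backup"
}
Write-Host "NetworkMonitoringMode set to TDI (backup: $backup)"

# Step 4: start the Collector service again.
& $CollectorExe '--start'
if ($LASTEXITCODE -ne 0) { throw "Starting the Collector service failed (exit code $LASTEXITCODE)" }

# Step 5: the article requires a restart of the server for the new mode to apply.
if ($RestartComputer) { Restart-Computer -Force } else { Write-Host 'Restart the server to apply the new mode.' }
```

Run it from an elevated PowerShell prompt on the affected server, for example `.\Set-FortiEDRTdiMode.ps1 -RegistrationPassword '<password>' -RestartComputer`. The script refuses to continue if the key is missing, keeps a timestamped backup of CollectorBootstrap.jsn, verifies the edit before starting the service, and only reboots when asked; after the restart, watch the logged-on user count on the Collector Agent as step 4 describes.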

 
