Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kcapecchi
Staff
Staff

Created on ‎09-22-2015 08:11 AM

Article Id 189817

Technical Note: Agent-based polling mode methods

Description
With agent-based polling mode, there are two methods for getting logon information:

.Security Event  Log (WinSecLog):
Polls the security events on the DC.  It does not miss any logon events because events are not normally deleted from the logs.  But there can be some delay in the FortiGate receiving these events if the network is large and therefore writing to the log is slow.

NetAPI:
Calls the 'netsessionenum' function on Windows systems.  This is faster than the other method because it is reading a table in RAM.  However, the other effect is that it can sometimes miss logon events if a DC is under heavy system load.  This is because sessions can be quickly created and purged from RAM, before the agent has a chance to poll and notify the FortiGate.    

Labels:
1759
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.