FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
With agent-based polling mode, there are two methods for getting logon information:

.Security Event  Log (WinSecLog):
Polls the security events on the DC.  It does not miss any logon events because events are not normally deleted from the logs.  But there can be some delay in the FortiGate receiving these events if the network is large and therefore writing to the log is slow.

Calls the 'netsessionenum' function on Windows systems.  This is faster than the other method because it is reading a table in RAM.  However, the other effect is that it can sometimes miss logon events if a DC is under heavy system load.  This is because sessions can be quickly created and purged from RAM, before the agent has a chance to poll and notify the FortiGate.