Description
This article explains each of the FSSO timers and what values are acceptable.
Scope
FSSO, FSAE, timers, Collector Agent.
Solution
Workstation verify interval (minutes):
Microsoft Windows does not provide reliable logoff event monitoring tools.
To verify that a user is still logged on to the same station, the Collector agent needs to connect to each authenticated station and check this directly.
The default timer value is every 5 minutes.
For this to work, ports tcp/139 and tcp/445 must be reachable on the stations, and the Remote Registry service must be running on them.
To disable this check set the value to 0.
Take into account that the station verification process works in batches.
This means the Collector agent must finish the previous verification job before this timer is started again.
The actual verification time may vary greatly from the configured 5 minutes.
Setting it to a lower value is not advisable: it will not force the agent to check all users every minute, but will only make it wait 1 minute between batches instead of 5.
If this check is disabled, then an entry times out as per the Dead entry timeout interval.
After that, the user will need to login again.
If the Collector Agent cannot contact the station, it changes the user status to UNKNOWN, but it does not invalidate the user's permissions until the 'Dead entry timeout interval' is reached or until a new logon event is detected from the same IP address.
Dead entry timeout interval (minutes):
This timer defines the period after which the system will purge login information if it cannot verify user status.
The default is 480 minutes (8 hours).
Dead entries usually occur because the computer is unreachable (in standby mode or disconnected, for example) but the user has not logged off.
Disable the Dead entry timeout by setting it to 0.
When it is disabled, the user will stay with the 'logged in' status forever. However, a new logon event (either from the same user or a different user) from the same workstation will overwrite/refresh the record.
It is not recommended to disable this timer if there is a chance that guests or restricted users will have access to the allowed workstation(s).
IP address change verify interval (seconds):
FSSO periodically checks the IP addresses of logged-in users and updates the FortiGate unit when user IP addresses change.
This timer is especially important in DHCP or otherwise dynamic environments, where mobile users may receive a new IP address as they move with their laptop (mobile device) from one location (floor) to another.
FSSO relies heavily on DNS for IP address resolution.
Make sure to allow dynamic updates and configure the DHCP server to update DNS whenever the user's IP address changes.
IP address verification prevents users from being locked out if they change IP addresses.
Enter 0 to disable IP address checking if static IP addresses are used.
By default, the Collector agent verifies every 60 seconds that the IP address is unchanged.
User/Groups cache expiration interval (minutes):
This timer was introduced in recent FSSO builds as part of the Group caching feature (from build 042).
When this feature is enabled, the user's group membership is cached for a defined period of time.
FSSO will 'remember' the user group membership information until it expires and will not update it even if the group membership is changed in AD.
Select Clear Group Cache to purge the cached group membership information, or disable the feature entirely (it is beneficial only in large enterprise environments with thousands of users).
Example:
With the default setting of every 5 minutes, the Collector agent will:
1. Perform an IP address lookup to get the correct IP address, and also detect whether the IP address has changed.
2. Check whether it can connect to port 139 or 445 of the remote machine. If not, set the status to UNKNOWN and go to step 5.
3. Try to open the registry of the remote machine. If this fails, set the status to UNKNOWN and go to step 5.
4. Check whether the user's registry hive still exists under HKEY_USERS. If it still exists, set the status to USER_LOGON. If not, set the status to USER_LOGOFF.
5. Act on the status:
   - UNKNOWN: do nothing (the entry will be removed after the Dead entry timeout, 8 hours by default).
   - USER_LOGOFF: the entry is removed right away and FortiGate is informed.
   - USER_LOGON: if the IP did not change, the entry is kept; if the IP changed, FortiGate is updated with the new IP address.
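The following script is an added example for this article, not Fortinet's Collector agent code. It lets an administrator reproduce the verification steps above by hand against one station, which is useful when an FSSO entry keeps ending up in UNKNOWN status: it resolves the station in DNS, tests tcp/139 and tcp/445, reports the state of the Remote Registry service, opens HKEY_USERS remotely and lists the loaded user hives. It assumes Windows PowerShell 5.1 on a domain-joined administration host, an account with remote registry rights on the target, and a placeholder computer name (WS-EXAMPLE) that you replace with a real station.

```powershell
# Added example (not Fortinet's code): manually reproduce the Collector agent's
# workstation verification steps against one station, so an admin can see why an
# entry would be set to UNKNOWN, USER_LOGON or USER_LOGOFF.
# Assumptions: Windows PowerShell 5.1 on a domain-joined admin host, run with an
# account that has remote registry rights on the target station.
# Usage: .\Test-FssoStation.ps1 -ComputerName WS-EXAMPLE -ExpectedIp 10.0.0.25
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName,        # station to test, e.g. 'WS-EXAMPLE' (placeholder)
    [string]$ExpectedIp = $null   # IP currently recorded for the user by the Collector, if known
)

$status = 'UNKNOWN'

# Step 1: DNS lookup, and detect whether the recorded IP address has changed.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($ComputerName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
} catch {
    Write-Warning "DNS lookup for $ComputerName failed: $_"
    return
}
Write-Host "Resolved $ComputerName -> $($ips -join ', ')"
if ($ExpectedIp -and ($ips -notcontains $ExpectedIp)) {
    Write-Host "IP changed: recorded $ExpectedIp, now $($ips -join ', ') (FortiGate would need an update)"
}

# Step 2: can the station be reached on tcp/139 or tcp/445?
$reachable = (Test-NetConnection -ComputerName $ComputerName -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue) -or
             (Test-NetConnection -ComputerName $ComputerName -Port 139 -InformationLevel Quiet -WarningAction SilentlyContinue)
if (-not $reachable) {
    Write-Host "tcp/139 and tcp/445 are both closed or filtered -> status $status"
    return
}

# The Remote Registry service must be running for step 3. Get-WmiObject uses
# DCOM/RPC, the same path the remote registry call takes, so it is a fair probe.
$svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='RemoteRegistry'" -ErrorAction SilentlyContinue
if ($svc) { Write-Host "RemoteRegistry service: $($svc.State) (start mode $($svc.StartMode))" }

# Step 3: open the remote registry (the HKEY_USERS hive).
try {
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
} catch {
    Write-Host "Remote registry open failed ($($_.Exception.Message)) -> status $status"
    return
}

# Step 4: list loaded user hives. Domain and local user SIDs start with S-1-5-21-;
# the *_Classes subkeys and the well-known service SIDs (S-1-5-18/19/20) are not
# interactive users and are filtered out.
$userSids = $hku.GetSubKeyNames() | Where-Object { $_ -match '^S-1-5-21-' -and $_ -notmatch '_Classes$' }
$hku.Close()

if ($userSids) {
    $status = 'USER_LOGON'
    foreach ($sid in $userSids) {
        # Translate each SID to DOMAIN\user so it can be matched with the Collector's entry.
        try {
            $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $acct = '(unresolvable SID)'
        }
        Write-Host "Loaded hive $sid = $acct"
    }
} else {
    $status = 'USER_LOGOFF'
}

# Step 5: report the status the Collector agent would assign to this station.
Write-Host "Verification result for ${ComputerName}: $status"
```

If the script stops at step 2 or step 3, the Collector agent will be stopping at the same point, so the entry will sit at UNKNOWN until the Dead entry timeout interval expires or a new logon event from the same IP replaces it; fix firewall rules or the Remote Registry service on the station rather than shortening the verify interval.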
Note:
Both FortiGate and Active Directory must be time-synchronized, which means they have to point to the same NTP server.
If the clocks differ by more than 5 minutes, the FortiGate will not receive the user information.