FortiGate
aneshcheret

Description

This article explains each of the FSSO Collector Agent timers and which values are acceptable for them.

Scope

FSSO, FSAE, timers, Collector Agent


Solution

Workstation verify interval (minutes):
 
Microsoft Windows does not provide reliable logoff event monitoring tools.
To verify that a user is still logged on to the same station, the Collector Agent connects to each authenticated station and checks this directly.
The default timer value is every 5 minutes.
For this check to work, TCP ports 139 and 445 must be reachable on the stations and the Remote Registry service must be running on them.

To disable this check set the value to 0.

Take into account that the station verification process works in batches.
This means the Collector Agent must finish the previous verification job before this timer is started again.
The actual verification time may therefore vary greatly from the configured 5 minutes.
Setting a lower value is not advisable: it will not force the agent to check all users every minute, it will only make it wait 1 minute between batches instead of 5.

If this check is disabled, an entry times out according to the Dead entry timeout interval.
After that the user will need to log on again.

If the Collector Agent cannot contact a station, it changes the user status to UNKNOWN, but it does not invalidate the user's permissions until the 'Dead entry timeout interval' is reached or until a new logon event is detected from the same IP address.
 
Dead entry timeout interval (minutes):
 
This timer defines the period after which the system will purge logon information if it cannot verify user status.
The default is 480 minutes (8 hours).
Dead entries usually occur because the computer is unreachable (in standby mode or disconnected, for example) but the user has not logged off.

Disable the Dead entry timeout by setting it to 0.
When it is disabled, the user keeps the 'logged in' status forever. However, a new logon event (either from the same user or a different user) from the same workstation will overwrite/refresh the record.

It is not recommended to disable this timer if there is a chance that guests or restricted users will have access to the allowed workstations.
 
IP address change verify interval (seconds):
 
FSSO periodically checks the IP addresses of logged-in users and updates the FortiGate unit when a user's IP address changes.
This timer is especially important in DHCP or otherwise dynamic environments, where mobile users may change their IP address as they move from one location (floor) to another with their laptop (mobile device).
FSSO relies heavily on DNS for IP resolution.
Make sure dynamic DNS updates are allowed and that the DHCP server is configured to update DNS whenever a client IP address changes.
IP address verification prevents users from being locked out when they change IP addresses.
Enter 0 to disable IP address checking if static IP addresses are used.
By default the Collector Agent verifies every 60 seconds that the IP address is unchanged.
 
User/Groups cache expiration interval (minutes):
 
This timer was introduced in recent FSSO builds as part of the new Group caching feature (from build 042).
When this feature is enabled, user group membership is cached for the defined period of time.
FSSO 'remembers' the user's group membership information until the cache expires and does not update it even if the group membership is changed in AD.

Select Clear Group Cache to purge the cached group membership information, or disable the feature entirely (it is beneficial only in large enterprise environments with thousands of users).
 
Example:

With the default setting of every 5 minutes, the Collector Agent will:

1. Perform an IP address lookup to get the correct IP address and detect whether the IP address has changed.
2. Check whether it can connect to port 139 or 445 of the remote machine. If not, set the status to UNKNOWN and go to step 5.
3. Try to open the registry of the remote machine. If this fails, set the status to UNKNOWN and go to step 5.
4. Check whether the user's registry hive still exists under HKEY_USERS. If it still exists, set the status to USER_LOGON; if not, set the status to USER_LOGOFF.
5. If the status is:
   - UNKNOWN: do nothing (the entry will be removed in 8 hours, per the Dead entry timeout interval).
   - USER_LOGOFF: the entry is removed right away and the FortiGate is informed.
   - USER_LOGON:
     - if the IP did not change, the entry is kept;
     - if the IP changed, the FortiGate is updated with the new IP address.
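The following Python model is an added example, not Fortinet code, that simulates the five-step verification cycle above together with the Dead entry timeout and the "new logon event overwrites the record" behaviour described under the timer sections. The `Probe` results, the `verify`/`apply_logon_event` functions and the minute-based clock are hypothetical constructs for illustration; the probe outcomes are constructed inline so the script runs offline.

```python
"""Hypothetical simulation of the FSSO Collector Agent verification cycle.

This is illustrative code, not the Collector Agent implementation. Probe results
are constructed in-line instead of being read from real stations.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Status(Enum):
    USER_LOGON = "USER_LOGON"
    USER_LOGOFF = "USER_LOGOFF"
    UNKNOWN = "UNKNOWN"


@dataclass
class Probe:
    """Constructed outcome of one verification attempt against a station."""
    resolved_ip: str        # step 1: IP returned by the DNS lookup
    smb_reachable: bool     # step 2: tcp/139 or tcp/445 could be connected
    registry_opens: bool    # step 3: Remote Registry accepted the connection
    hive_present: bool      # step 4: user's hive still exists under HKEY_USERS


@dataclass
class Entry:
    """One logon record held by the Collector Agent."""
    user: str
    ip: str
    status: Status = Status.USER_LOGON
    unknown_since: Optional[int] = None   # simulated minute of the first UNKNOWN result


DEAD_ENTRY_TIMEOUT_MIN = 480   # default Dead entry timeout interval (8 hours)


def classify(p: Probe) -> Status:
    """Steps 2-4: map the probe results to a status."""
    if not p.smb_reachable or not p.registry_opens:
        return Status.UNKNOWN
    return Status.USER_LOGON if p.hive_present else Status.USER_LOGOFF


def verify(entry: Entry, p: Probe, now_min: int,
           dead_timeout_min: int = DEAD_ENTRY_TIMEOUT_MIN) -> Tuple[Optional[Entry], str]:
    """Step 5: apply the probe status to the entry.

    Returns the updated entry (None when it is purged) and a description of what
    the FortiGate would be told. dead_timeout_min=0 models a disabled timeout.
    """
    status = classify(p)
    if status is Status.USER_LOGOFF:
        return None, f"remove {entry.user}@{entry.ip}; notify FortiGate"
    if status is Status.UNKNOWN:
        # Permissions stay valid; the entry only ages towards the dead entry timeout.
        if entry.unknown_since is None:
            entry.unknown_since = now_min
        entry.status = Status.UNKNOWN
        if dead_timeout_min and now_min - entry.unknown_since >= dead_timeout_min:
            return None, f"dead entry timeout; purge {entry.user}@{entry.ip}"
        return entry, "keep entry, status UNKNOWN (permissions still valid)"
    # USER_LOGON: the station answered and the hive is still there.
    entry.status = Status.USER_LOGON
    entry.unknown_since = None
    if p.resolved_ip != entry.ip:
        old_ip, entry.ip = entry.ip, p.resolved_ip
        return entry, f"IP changed {old_ip} -> {entry.ip}; update FortiGate"
    return entry, "keep entry unchanged"


def apply_logon_event(table: Dict[str, Entry], user: str, ip: str) -> Entry:
    """A new logon event from a workstation IP overwrites/refreshes that IP's record,
    which is also what clears an UNKNOWN or never-expiring entry."""
    table[ip] = Entry(user, ip)
    return table[ip]


if __name__ == "__main__":
    table: Dict[str, Entry] = {"10.0.0.7": Entry("bob", "10.0.0.7")}   # constructed
    # Station unreachable for longer than the default dead entry timeout.
    for minute in (0, 5, 480):
        result, action = verify(table["10.0.0.7"], Probe("10.0.0.7", False, False, False), minute)
        print(f"t={minute:>3} min: {action}")
        if result is None:
            del table["10.0.0.7"]
    apply_logon_event(table, "carol", "10.0.0.7")
    print("after new logon:", table["10.0.0.7"])
```

The model keeps the defender-relevant detail from the article: an UNKNOWN result never revokes access by itself, only the dead entry timeout or a fresh logon event does, so a disabled timeout (value 0) leaves a stale entry live until another user logs on from that IP.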
