jdelafuente_FTNT
Article Id 252651
Description

 

This article describes the two operational modes for Fortinet Single Sign On Collector Agent (FSSO-CA).

 

Scope

 

FSSO Collector Agent.

 

Solution

 

Fortinet Single Sign-On Collector Agent (FSSO-CA):

 


 

FSSO-CA is software developed by Fortinet that acts as a collector agent for domain logon events. It can be installed on a domain controller (DC) or on any other member server of the domain it is meant to monitor.

FSSO-CA can work in one of two operating modes: 'DC Agent' or 'Polling'.

 

DC Agent mode.

  • In this mode, each Windows DC collects its own logon events and sends them to the collector agent(s).
  • It is the recommended mode for FSSO because it scales best.
  • Requires one DC Agent (installed as C:\Windows\System32\dcagent.dll) on each Windows DC.
  • The Windows DC must be rebooted after the DC Agent is installed.

 


 

Workflow.

  1. The user authenticates against the Windows DC.
  2. The DC Agent sees the logon event and forwards it to the collector agent.
  3. The collector agent receives the event from the DC Agent and forwards it to FortiGate.
  4. FortiGate learns the user from that event and identifies the user by their IP address from then on.

 

To select this mode, open FSSO-CA as administrator, select Show Monitored DCs -> Select DC to Monitor... and choose DC Agent Mode. (Selecting this mode for the first time may require a reboot of the DC.)
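The DC Agent mode prerequisites above (one dcagent.dll on every DC, a reboot after it is installed) can be verified from the collector agent host before FortiGate is pointed at it. The script below is an added example and is not Fortinet's code. It assumes the ActiveDirectory module, PowerShell remoting to every DC with administrative rights, and that a DC Agent that is installed but not yet active shows up as dcagent.dll being absent from LSASS's loaded modules (my assumed way of observing the reboot requirement, not something the article states). Host names are hypothetical.

```powershell
# Added example (not part of the Fortinet article): readiness check for DC Agent mode.
# Run from a domain-joined admin host such as the collector agent server.
# Assumed, not from the page: ActiveDirectory module, PS remoting to each DC, and that
# dcagent.dll appears in LSASS's module list once the DC has rebooted.
Import-Module ActiveDirectory

function Get-DcAgentReadiness {
    param([string[]]$DomainControllers)

    foreach ($dcName in $DomainControllers) {
        # The article places the agent at C:\Windows\System32\dcagent.dll.
        # admin$ maps to %SystemRoot%, so the drive letter does not matter.
        $dllInstalled = Test-Path "\\$dcName\admin$\System32\dcagent.dll"

        $remote = Invoke-Command -ComputerName $dcName -ScriptBlock {
            # Standard Windows "reboot pending" indicators.
            $cbs  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
            $wu   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
            $sm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
            $pfro = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
            $rebootPending = (Test-Path $cbs) -or (Test-Path $wu) -or ($null -ne $pfro)

            # Has LSASS picked the agent up? Reading lsass modules needs admin and
            # throws (caught below, reported as $null) when LSA protection is enabled.
            $loaded = $false
            try {
                $loaded = [bool](Get-Process -Name lsass | ForEach-Object { $_.Modules } |
                          Where-Object { $_.ModuleName -ieq 'dcagent.dll' })
            } catch { $loaded = $null }

            [pscustomobject]@{ RebootPending = $rebootPending; LoadedInLsass = $loaded }
        }

        $verdict = if (-not $dllInstalled)                  { 'DC Agent not installed' }
                   elseif ($remote.RebootPending)            { 'Installed, reboot pending' }
                   elseif ($null -eq $remote.LoadedInLsass)  { 'Installed, LSASS check unavailable (LSA protection?)' }
                   elseif (-not $remote.LoadedInLsass)       { 'Installed but not loaded: reboot the DC' }
                   else                                      { 'Ready' }

        [pscustomobject]@{
            DomainController = $dcName
            DllInstalled     = $dllInstalled
            LoadedInLsass    = $remote.LoadedInLsass
            RebootPending    = $remote.RebootPending
            Verdict          = $verdict
        }
    }
}

# Every DC in the domain needs its own DC Agent, so enumerate all of them.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-DcAgentReadiness -DomainControllers $dcs | Format-Table -AutoSize
```

Any DC whose verdict is not 'Ready' will produce gaps in the user-to-IP mapping on FortiGate, because logons handled by that DC never reach the collector agent.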

 

(Screenshot FSSO-DC_agent.png: the Select DC to Monitor dialog with DC Agent Mode selected.)

 

Polling Mode.

  • In this mode, the collector agent polls each Windows DC for logon events.
  • No DC Agent is required on the domain controller.
  • Every few seconds, the collector agent polls each DC for user logon events. It requires SMB (TCP/445) as the main port and TCP/135, TCP/139 and UDP/137 as fallback ports.
  • This mode requires a less complex installation.
  • Polling mode can use one of three polling methods:

 

NetAPI
  • Main features: polls the NetSessionEnum function every 9 seconds or less. Retrieves logon sessions, including DC logon events.
  • Known issues: the fastest method, but if the DC is under heavy system load some logon events can be missed.

WinSecLog
  • Main features: polls all security events on the DC every 10 seconds or more. Only the event IDs known to the collector agent (poller ID) are parsed.
  • Known issues: log latency if the network is large or the system is slow. Requires fast network links. Some workstation names may be lost.

WMI
  • Main features: the DC returns all requested logon events every 3 seconds. Uses less bandwidth than WinSecLog.
  • Known issues: some workstation names may be lost.

 


 

Workflow.

  1. The user authenticates against the DC.
  2. The collector agent polls the DC every few seconds to collect user logon events.
  3. The collector agent forwards the logons to FortiGate.

To select this mode, open FSSO-CA as administrator, select Show Monitored DCs -> Select DC to Monitor... and choose Polling Mode.
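As an added example (not Fortinet's code) of what polling mode depends on, the script below runs on the collector agent host: it tests the main and fallback TCP ports listed above against each DC, and then pulls the last few seconds of logon data from a DC in the three ways the polling methods above describe (SMB sessions for NetAPI, the Security log for WinSecLog, Win32_NTLogEvent for WMI). Assumed and not taken from the page: PowerShell remoting to the DCs, Windows Server 2012 or later for Get-SmbSession, event ID 4624 as one representative WinSecLog event ID (the related article on event IDs has the full list), and TCP/8000 as the collector-to-FortiGate port. The host names and address are hypothetical.

```powershell
# Added example (not part of the Fortinet article): polling-mode port check and a
# look at what each polling method reads on a DC, run from the collector agent host.
# Assumed, not from the page: PS remoting to the DCs, Server 2012+ (Get-SmbSession),
# event ID 4624 as a sample WinSecLog ID, TCP/8000 as the collector->FortiGate port.
$dcs       = @('dc01.example.local', 'dc02.example.local')   # hypothetical DCs
$fortigate = '10.0.0.1'                                      # hypothetical FortiGate

function Test-PollingPorts {
    param([string]$Dc)
    # Article: SMB TCP/445 is the main channel; TCP/135, TCP/139 and UDP/137 are fallbacks.
    # Test-NetConnection probes TCP only, so UDP/137 (NetBIOS name service) is not tested.
    $result = [ordered]@{ DomainController = $Dc }
    foreach ($port in 445, 135, 139) {
        $t = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
        $result["TCP$port"] = $t.TcpTestSucceeded
    }
    $result['MainChannelOk'] = $result['TCP445']
    [pscustomobject]$result
}

function Test-CollectorToFortiGate {
    param([string]$FortiGate, [int]$Port = 8000)   # 8000 is an assumed default
    (Test-NetConnection -ComputerName $FortiGate -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

function Get-LogonEventsByMethod {
    param([string]$Dc, [int]$Seconds = 10)
    $since = (Get-Date).AddSeconds(-$Seconds)

    # NetAPI: NetSessionEnum lists the SMB sessions currently open on the DC (client
    # address and user name). Get-SmbSession exposes the same list on Server 2012+.
    $netapi = Invoke-Command -ComputerName $Dc -ScriptBlock { Get-SmbSession } |
              Select-Object ClientComputerName, ClientUserName

    # WinSecLog: read the Security log and keep only the event IDs the agent understands.
    # Property indices are the standard 4624 layout; WorkstationName may be empty,
    # which is the "workstation names may be lost" caveat in the table.
    $winsec = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
                  LogName = 'Security'; Id = 4624; StartTime = $since
              } -ErrorAction SilentlyContinue |
              ForEach-Object {
                  [pscustomobject]@{
                      User        = $_.Properties[5].Value    # TargetUserName
                      Workstation = $_.Properties[11].Value   # WorkstationName
                      IpAddress   = $_.Properties[18].Value   # IpAddress
                  }
              }

    # WMI: the same events through Win32_NTLogEvent, so the DC filters by ID and time
    # itself instead of streaming the whole log to the collector.
    $dmtf = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($since)
    $wmi  = Get-CimInstance -ComputerName $Dc -ClassName Win32_NTLogEvent `
                -Filter "Logfile='Security' AND EventCode=4624 AND TimeGenerated>='$dmtf'" |
            ForEach-Object {
                [pscustomobject]@{
                    User        = $_.InsertionStrings[5]
                    Workstation = $_.InsertionStrings[11]
                    IpAddress   = $_.InsertionStrings[18]
                }
            }

    [pscustomobject]@{ DomainController = $Dc; NetAPI = $netapi; WinSecLog = $winsec; WMI = $wmi }
}

$dcs | ForEach-Object { Test-PollingPorts -Dc $_ } | Format-Table -AutoSize
"Collector can reach FortiGate: $(Test-CollectorToFortiGate -FortiGate $fortigate)"
$dcs | ForEach-Object { Get-LogonEventsByMethod -Dc $_ -Seconds 10 }
```

If TCP/445 fails to a DC, fix that before looking at the fallback ports: the NetBIOS ports are only used when SMB is unavailable, and a DC reachable only over the fallbacks will poll more slowly and less reliably than the table's timings suggest.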

 

(Screenshot FSSO-Polling.png: the Select DC to Monitor dialog with Polling Mode selected.)

Related articles:

  • Installation and configuration basics:

Technical Tip: Downloading FSSO agent software

Technical Tip: Configure FSSO in DC Agent mode

Technical Tip: FSSO Agent in polling mode

 

  • Troubleshooting and common issues:

Technical Tip: Windows event IDs used by FSSO in WinSec polling mode

Technical Tip: FSSO Windows Directory Access Methods - Standard versus Advanced Mode

Technical Tip: FSSO Group Filter configured on Collector Agent

Technical Tip: Restricting a Fortinet Single Sign On Agent Service (FSSO) service account

Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets