jdelafuente_FTNT
Article Id 252651
Description

 

This article describes the two operational modes for Fortinet Single Sign On Collector Agent (FSSO-CA).

 

Scope

 

FSSO Collector Agent.

 

Solution

 

Fortinet Single Sign-On Collector Agent (FSSO-CA):

 


 

FSSO-CA is software developed by Fortinet Inc. that acts as the collector agent for domain logon events. It can be installed on a DC or on any other server that belongs to the domain it works with.

FSSO-CA can work in two operation modes: 'DC Agent' or 'Polling'.

 

DC Agent mode.

  • In this mode, the Windows DC server collects its own login information and sends it to the collector agents.
  • It is the recommended mode for FSSO due to scalability.
  • Requires one DC Agent (installed in C:\Windows\System32\dcagent.dll) on each Windows DC.
  • Windows DC Server must reboot after DC Agent installation.

 


 

Workflow.

  1. The user authenticates against the Windows DC.
  2. The DC agent sees the login event and forwards it to the collector agent.
  3. The collector agent receives the event from the DC Agent and forwards it to FortiGate.
  4. FortiGate knows the user based on their IP address. 

To select this work mode, open FSSO-CA as administrator, select Show Monitored DCs -> Select DC to Monitor... and select DC Agent Mode. This work mode may require a server reboot the first time.


 

Polling Mode.

  • In this mode, the collector agent 'polls' each Windows DC for logon events.
  • No FSSO DC agent is required.
  • Every few seconds, the Collector Agent polls each DC for user login events. It requires these ports: SMB (TCP/445) as the main port and [TCP/135, TCP/139 and UDP/137] as fallback.
  • This mode requires a less complex installation.
  • Polling mode can be configured in three ways:

 

| Polling Method | Main features | Some issues |
|---|---|---|
| NetAPI | Polls the NetSessionEnum function every 9 seconds or less. Retrieves login sessions including DC login events. | Faster, but if the DC has a heavy system load some login events can be missed. |
| WinSecLog | Polls all security events on DC every 10 seconds or more. Only parses event IDs known to the collector agent (poller ID). | Log latency if the network is large or the system is slow. Requires fast network links. |
| WMI | DC returns all requested login events every 3 seconds. Improves WinSec bandwidth usage. | ----- |

 


 

Workflow.

  1. The user authenticates with DC.
  2. The Collector Agent frequently polls the DC to collect user login events.
  3. The Collector Agent forwards logins to FortiGate.

To select this work mode, open FSSO-CA as administrator, select Show Monitored DCs -> Select DC to Monitor... and select Polling Mode.
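
Before switching to Polling Mode, it is worth confirming that the Collector Agent server can actually reach each DC on the ports listed above. The script below is an added example, not Fortinet code: the DC names are constructed placeholders, and the `Test-TcpPort` helper and the 2-second timeout are assumptions made for illustration.

```powershell
# Added example: polling-mode port preflight, run on the Collector Agent server.
# DC names are constructed placeholders; the 2-second timeout is an assumption.
param(
    [string[]]$DomainControllers = @('dc01.example.local', 'dc02.example.local'),
    [int]$TimeoutMs = 2000
)

$PrimaryPort   = 445        # SMB, the main polling port per the article
$FallbackPorts = 135, 139   # TCP fallback ports per the article
# UDP/137 is also listed as a fallback. UDP is connectionless, so a connect
# test proves nothing; confirm that rule in the firewall policy instead.

# Hypothetical helper: TCP connect with a timeout, $true only if it completes.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        # Wait() returns $false on timeout and throws if the connect was refused
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($dc in $DomainControllers) {
    $open = @{}
    foreach ($port in @($PrimaryPort) + $FallbackPorts) {
        $open[$port] = Test-TcpPort -HostName $dc -Port $port -TimeoutMs $TimeoutMs
    }
    if ($open[$PrimaryPort]) {
        $status = 'OK: TCP/445 reachable'
    } elseif ($FallbackPorts | Where-Object { $open[$_] }) {
        $status = 'FALLBACK ONLY: TCP/445 blocked'
    } else {
        $status = 'BLOCKED: no polling port reachable'
    }
    [pscustomobject]@{
        DC = $dc; 'TCP/445' = $open[445]; 'TCP/135' = $open[135]
        'TCP/139' = $open[139]; Status = $status
    }
}
$results | Format-Table -AutoSize
```

A DC reported as BLOCKED or FALLBACK ONLY points to a firewall rule between the Collector Agent and that DC that should be reviewed before relying on polled logon events.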

 


Related articles:

Technical Tip: Downloading FSSO agent software

Technical Tip: Windows event IDs used by FSSO in WinSec polling mode

Technical Tip: FSSO Windows Directory Access Methods - Standard versus Advanced Mode

Technical Tip: FSSO Group Filter configured on Collector Agent

Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets