Description
Scope
Solution
The FSSOD process handles FSSO when the agent is not in use and the FortiGate polls the event logs by itself.
While the local poller for FSSO can be used for this, it has limited functionality compared to having the agent installed within the network. These limitations include:
- No dead entry timer.
- No workstation logoff check.
- No option to track whether the user's workstation has changed its IP address.
- EventIDs cannot be selected for monitoring.
- No ignore user list.
- NTLM-based authentication is not supported, even though 'set ntlm enable' is available in the firewall policy.
- If there are a large number of user logins at the same time, the FSSO daemon misses some. Consider using FSSO agent mode if this is an issue.
- The FSSO daemon does not support all of the security log events that are supported by other FSSO scenarios. For example, only Kerberos login events 4768 (required) and 4769 (belongs to 4768) are supported.
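The last three limitations can be checked against a domain controller's own security log before choosing local polling. The following is an added example, not Fortinet code: it reads a constructed CSV export (the column layout is an assumption) and reports which users would never be seen because they have no 4768 event, plus the peak number of 4768 events in one second. It assumes a user with only a 4769 event is not mapped, since the page marks 4768 as required.

```python
import csv
import io
from collections import Counter, defaultdict

# Event IDs the page lists as supported by the FSSO daemon's local polling.
POLLED = {4768, 4769}
REQUIRED = 4768  # page: 4768 is required, 4769 "belongs to" it

# Constructed sample export (assumed layout): time, event ID, user, client IP.
SAMPLE = """\
2024-05-02T08:00:01,4768,alice,10.0.0.11
2024-05-02T08:00:01,4769,alice,10.0.0.11
2024-05-02T08:00:01,4768,bob,10.0.0.12
2024-05-02T08:00:01,4768,carol,10.0.0.13
2024-05-02T08:00:02,4776,dave,10.0.0.14
2024-05-02T08:00:02,4624,dave,10.0.0.14
2024-05-02T08:00:03,4769,erin,10.0.0.15
"""

def audit(text):
    """Return (visible users, {invisible user: event IDs seen}, peak 4768/sec)."""
    ids_by_user = defaultdict(set)
    per_second = Counter()
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, event_id, user, _ip = row
        event_id = int(event_id)
        ids_by_user[user].add(event_id)
        if event_id == REQUIRED:
            per_second[ts] += 1  # timestamps are at one-second resolution
    visible = sorted(u for u, ids in ids_by_user.items() if REQUIRED in ids)
    invisible = {u: sorted(ids) for u, ids in sorted(ids_by_user.items())
                 if REQUIRED not in ids}
    peak = max(per_second.values(), default=0)
    return visible, invisible, peak

if __name__ == "__main__":
    visible, invisible, peak = audit(SAMPLE)
    print("mapped by local polling:", visible)
    for user, ids in invisible.items():
        unsupported = [i for i in ids if i not in POLLED]
        print(f"not mapped: {user} (events {ids}, unsupported {unsupported})")
    print("peak 4768 events in one second:", peak)
```

Users that appear only under NTLM validation (4776) or generic logon (4624) events, and a high peak rate, both point toward FSSO agent mode.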
Related Articles:
Technical Tip: Windows event IDs used by FSSO in WinSec polling mode
Copyright 2024 Fortinet, Inc. All Rights Reserved.