nevan (Staff)
Article Id 391640
Description: This article describes the advantages and limitations of agentless FSSO (polling mode).
Scope: FortiGate.
Solution

For configuration guidance on the FSSO polling connector (agentless mode), follow this KB article: Technical Tip: FSSO Agent in polling mode.

In the agentless approach, FortiGate polls the domain controllers directly to obtain user logon information, so no separate agent has to be installed. This simplifies deployment, but it carries performance and scalability considerations that should be weighed before choosing this mode.

Advantages of Agentless FSSO (Polling Mode):

  • Simplified Setup: FortiGate handles the entire process, so no additional software or servers are needed.
  • Lower Resource Requirements: No external Collector Agent means fewer components to manage.
  • Cost-Effectiveness: Suitable for small to mid-sized deployments where deploying a dedicated Windows server just for FSSO is impractical.
  • Direct Integration with Domain Controllers: FortiGate connects directly to domain controllers using WMI and LDAP, streamlining the authentication process without intermediaries.
  • Ideal for SME Environments: This mode is particularly effective in smaller networks with fewer users and relatively static authentication patterns.


Limitations of Agentless FSSO (Polling Mode):

  • Scalability Constraints: As the number of users and authentication events increases, the polling process can place additional load on the FortiGate and domain controllers. This can lead to performance degradation in large environments.
  • Resource Overload on FortiGate: The polling process involves reading event logs from the domain controller over WMI, which consumes CPU and memory on the FortiGate.
  • Limited Logon Coverage: Certain login scenarios, such as remote desktop sessions, cached credentials, or users logged into multiple devices, may not be captured accurately.
  • Delayed Logon Detection: Since polling occurs at set intervals, user logins may not be detected immediately, resulting in minor delays in policy enforcement.
  • Fewer Advanced Features: Agentless mode lacks some of the advanced features available through the Collector Agent, such as logoff detection and workstation verification, and has only limited handling of complex logon patterns.
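To make the timing and load trade-off concrete, here is an added Python simulation of fixed-interval polling over a constructed logon trace. It is not Fortinet code and does not reproduce FortiGate's implementation; the event records, the interval values and the user-to-IP table are assumptions that stand in for what a poller reads from a domain controller's Security log. It shows that the worst-case detection delay approaches the polling interval, and that shortening the interval multiplies the number of polls the domain controller and the firewall must service.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    """One logon record as a poller would read it from a DC log (constructed sample)."""
    time: int   # seconds since the start of the trace
    user: str
    ip: str     # workstation address reported in the logon event


# Constructed sample trace covering a 60 second window.
SAMPLE_EVENTS = [
    LogonEvent(2, "alice", "10.0.0.11"),
    LogonEvent(17, "bob", "10.0.0.12"),
    LogonEvent(18, "alice", "10.0.0.13"),   # alice logs on to a second workstation
    LogonEvent(41, "carol", "10.0.0.14"),
]


def poll_once(events, last_seen, now):
    """One poll: return the events written after `last_seen` and up to `now`."""
    return [e for e in events if last_seen < e.time <= now]


def simulate(events, interval, horizon):
    """Run fixed-interval polling over the trace.

    Returns the user-to-IP table the firewall ends up with, the delay (seconds)
    between each logon and the poll that picked it up, and the number of polls
    issued, which is a rough proxy for the load placed on the DC and firewall.
    """
    table = {}      # user -> set of IPs; a user may hold sessions on several devices
    delays = {}
    last_seen = 0
    polls = 0
    for now in range(interval, horizon + 1, interval):
        polls += 1
        for e in poll_once(events, last_seen, now):
            table.setdefault(e.user, set()).add(e.ip)
            delays[(e.user, e.ip)] = now - e.time
        last_seen = now
    return table, delays, polls


def max_delay(delays):
    """Worst-case gap between a logon and its detection for one simulation run."""
    return max(delays.values())


if __name__ == "__main__":
    for interval in (10, 30):
        table, delays, polls = simulate(SAMPLE_EVENTS, interval, horizon=60)
        print(f"interval={interval}s polls={polls} max_delay={max_delay(delays)}s")
```

Every delay stays below the interval, so a shorter interval tightens policy enforcement at the cost of proportionally more polls, which is the scalability constraint the list above describes.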


Related documents:
FSSO polling connector agent installation

Technical Tip: FSSO Agent in polling mode

Technical Tip: FSSO choose between DC Agent mode or Polling mode