aahmadzada
Staff
Description This article describes how the FSSO Collector Agent performs name resolution of the workstation as a part of forming the logon event.
Scope FSSO Collector Agent.
Solution

When the FSSO Collector Agent receives a username and workstation name (either from the DC Agent or from the security event log), it has to resolve the workstation name, as part of forming the FSSO logon for that user, in order to get the current IP address of the workstation from which the user is logged in.

 

The FSSO name resolution logic works in this order:

 

1). Check the hosts file in order to find a possible entry for the given hostname. If no entry is found, move to step 2.

 

2). Try a DNS lookup against the Alternative DNS servers configured in the FSSO Collector Agent settings. If it fails, continue to step 3.

 

Example:

04/04/2022 15:28:10 [ 3708] DnsQuery() failed for JSMITH.test.lab, error code:9501
04/04/2022 15:28:10 [ 3708] DNS lookup: workstation name:JSMITH.test.lab, dns server:10.10.3.19, ip:00000000:00000000

 

3). Call the Windows API function gethostbyname(), first with the full name, JSMITH.test.lab, then with the hostname only, JSMITH.
In this step, name resolution is handed over to the OS, so the FSSO Collector Agent relies on whatever result the OS returns.

The OS might resolve the name in one of these ways:

- Check the local DNS cache
- Query the configured DNS servers
- WINS, NetBIOS, LLMNR, etc.

 

Example:

04/04/2022 15:28:10 [ 3708] resolve_ip_internal: dns look up failed, call gethostbyname():JSMITH.test.lab
04/04/2022 15:28:10 [ 3708] resolve_ip_internal: workstation:JSMITH.test.lab [10.10.3.28:0.0.0.0] time:0

 

The FSSO Collector Agent has no control over, and cannot influence, the name resolution in that case. If this step also fails, move to step 4.

 

4). If steps 1, 2, and 3 have all failed, try a DNS lookup with the Alternative DNS suffix configured under Advanced Settings of the FSSO Collector Agent, for example JSMITH.ad.test.lab.
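
The log lines quoted in steps 2 and 3 can be parsed to list the workstations whose IP address came only from the OS fallback, where the Collector Agent has no control over the result. The Python below is an added example, not Fortinet code: the function names are hypothetical, it recognizes only the four line formats shown in this article, and it assumes that 0.0.0.0 in the result line means the name was not resolved.

```python
import re

# Constructed sample: the four Collector Agent log lines quoted in this article.
SAMPLE_LOG = """\
04/04/2022 15:28:10 [ 3708] DnsQuery() failed for JSMITH.test.lab, error code:9501
04/04/2022 15:28:10 [ 3708] DNS lookup: workstation name:JSMITH.test.lab, dns server:10.10.3.19, ip:00000000:00000000
04/04/2022 15:28:10 [ 3708] resolve_ip_internal: dns look up failed, call gethostbyname():JSMITH.test.lab
04/04/2022 15:28:10 [ 3708] resolve_ip_internal: workstation:JSMITH.test.lab [10.10.3.28:0.0.0.0] time:0
"""

# Win32 DNS status codes returned by DnsQuery() (names from winerror.h).
DNS_ERRORS = {9003: "DNS_ERROR_RCODE_NAME_ERROR", 9501: "DNS_INFO_NO_RECORDS"}

# One pattern per line format shown in steps 2 and 3; other lines are ignored.
PATTERNS = {
    "dns_failed": re.compile(r"DnsQuery\(\) failed for (?P<host>[^\s,]+), error code:(?P<code>\d+)"),
    "dns_lookup": re.compile(r"DNS lookup: workstation name:(?P<host>[^\s,]+), dns server:(?P<server>[^\s,]+)"),
    "os_fallback": re.compile(r"call gethostbyname\(\):(?P<host>\S+)"),
    "result": re.compile(r"resolve_ip_internal: workstation:(?P<host>\S+) \[(?P<ip>[\d.]+):[\d.]+\]"),
}

def summarize(log_text):
    """Return {workstation: how its name was resolved} for hosts seen in the log."""
    hosts = {}
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            entry = hosts.setdefault(m["host"].lower(), {
                "dns_error": None, "dns_servers_tried": [], "os_fallback": False, "ip": None})
            if kind == "dns_failed":
                entry["dns_error"] = DNS_ERRORS.get(int(m["code"]), m["code"])
            elif kind == "dns_lookup":
                entry["dns_servers_tried"].append(m["server"])
            elif kind == "os_fallback":
                entry["os_fallback"] = True
            elif m["ip"] != "0.0.0.0":  # assumption: 0.0.0.0 means unresolved
                entry["ip"] = m["ip"]
            break
    return hosts

def resolved_by_os_only(summary):
    """Hosts whose IP came from gethostbyname(), outside the agent's control."""
    return sorted(h for h, e in summary.items() if e["os_fallback"] and e["ip"])

if __name__ == "__main__":
    print(resolved_by_os_only(summarize(SAMPLE_LOG)))
```

Hosts returned by `resolved_by_os_only()` are the ones to review when an FSSO logon carries an unexpected IP address, since their address was supplied by the OS rather than by the Alternative DNS servers.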

 
