Created on 04-11-2022 02:48 PM Edited on 04-12-2022 12:26 PM By Anonymous
Description | This article describes how the FSSO Collector Agent performs name resolution of the workstation as a part of forming the logon event. |
Scope | FSSO Collector Agent. |
Solution |
When the Collector Agent receives a username and workstation name (either from the DC agent or from the security event log), it must resolve the workstation name as part of forming the FSSO logon for that user, in order to get the current IP address of the workstation from which the user is logged in.
The FSSO name resolution logic works in this order:
1). Check the hosts file in order to find a possible entry for the given hostname. If no entry is found, move to step 2.
2). Try to do a DNS lookup with the Alternative DNS servers configured in the FSSO Collector Agent settings. If it fails, continue to step 3.
Example: 04/04/2022 15:28:10 [ 3708] DnsQuery() failed for JSMITH.test.lab, error code:9501
3). Call the Windows API function gethostbyname(), first with the full name, JSMITH.test.lab, then with the hostname only, JSMITH. The OS might resolve the name in one of these possible ways: - Check local DNS Cache
Example: 04/04/2022 15:28:10 [ 3708] resolve_ip_internal: dns look up failed, call gethostbyname():JSMITH.test.lab
The FSSO Collector Agent has no control over, and cannot influence, the name resolution in that case. If this step also fails, move to step 4.
4). If steps 1, 2, and 3 failed, try to do a DNS lookup with the Alternative DNS suffix, which is configured under Advanced Settings of the FSSO Collector Agent, for example JSMITH.ad.test.lab.
|
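The following is an added example, not Fortinet code: it scans Collector Agent log lines in the two formats quoted above and reports, per workstation, how often step 2 failed (with the Windows DNS status code) and how often resolution fell through to the OS in step 3, where the agent no longer controls which IP address ends up mapped to the user. The function names and the sample log are assumptions; only the first two sample lines come from this article, the rest are constructed.

```python
import re
from collections import defaultdict

# Windows DNS API status codes (winerror.h) that DnsQuery() can return.
DNS_ERRORS = {
    9002: "DNS_ERROR_RCODE_SERVER_FAILURE",
    9003: "DNS_ERROR_RCODE_NAME_ERROR",
    9501: "DNS_INFO_NO_RECORDS",
}

# Timestamp and thread id prefix, as seen in the article's example lines.
PREFIX = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \[\s*(?P<tid>\d+)\] "
DNS_FAIL = re.compile(PREFIX + r"DnsQuery\(\) failed for (?P<host>[^,\s]+), error code:(?P<code>\d+)")
FALLBACK = re.compile(PREFIX + r"resolve_ip_internal: dns look up failed, call gethostbyname\(\):(?P<host>\S+)")

def summarize(lines):
    """Return {hostname: {"dns_failures": n, "codes": set, "os_fallbacks": n}}."""
    stats = defaultdict(lambda: {"dns_failures": 0, "codes": set(), "os_fallbacks": 0})
    for line in lines:
        m = DNS_FAIL.search(line)
        if m:  # step 2 (Alternative DNS servers) failed
            entry = stats[m["host"].lower()]  # hostnames are case-insensitive
            entry["dns_failures"] += 1
            entry["codes"].add(int(m["code"]))
            continue
        m = FALLBACK.search(line)
        if m:  # step 3: resolution handed to the OS via gethostbyname()
            stats[m["host"].lower()]["os_fallbacks"] += 1
    return dict(stats)

def report(stats):
    """Format one summary line per workstation, sorted by name."""
    rows = []
    for host, s in sorted(stats.items()):
        codes = ", ".join(f"{c} ({DNS_ERRORS.get(c, 'unmapped')})" for c in sorted(s["codes"]))
        rows.append(f"{host}: step 2 failed x{s['dns_failures']} [{codes}], step 3 fallback x{s['os_fallbacks']}")
    return rows

# Constructed sample: first two lines are the article's examples, the rest are made up.
SAMPLE_LOG = """\
04/04/2022 15:28:10 [ 3708] DnsQuery() failed for JSMITH.test.lab, error code:9501
04/04/2022 15:28:10 [ 3708] resolve_ip_internal: dns look up failed, call gethostbyname():JSMITH.test.lab
04/04/2022 15:31:42 [ 3708] DnsQuery() failed for jsmith.test.lab, error code:9501
04/04/2022 15:31:42 [ 3708] resolve_ip_internal: dns look up failed, call gethostbyname():jsmith.test.lab
04/04/2022 15:33:05 [ 4112] DnsQuery() failed for ADOE.test.lab, error code:9003
""".splitlines()

if __name__ == "__main__":
    for row in report(summarize(SAMPLE_LOG)):
        print(row)
```

Workstations that repeatedly show step 3 fallbacks are the ones whose user-to-IP mapping depends on the OS resolver (for example its local DNS cache), so they are the first to check when a logon is mapped to an unexpected address.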