| Description | This article describes how FSSO detects logged-off users. |
| Scope | FortiGate. |
| Solution |
User removal from FSSO is managed through a workstation check and a dead entry timer. In other words, it will not read Windows Logoff Events.
By default, the CA utilizes WMI to retrieve the username of the currently logged-in user. If the communication is completed successfully and the username matches with the CA’s database, the entry is retained.
If the username is different or no user is logged in, the FSSO entry is removed from the CA and consequently from the FortiGate.
If the workstation check fails (due to being disabled, the PC being off or offline, or potential WMI permission issues), the dead entry timer begins.
The user’s FSSO session will be cleared once the timer reaches zero (default is 8 hours). The timer resets with each successful workstation check or when the same user logs on again from the same PC/IP.
Related articles: Technical Tip: Explanation of FSSO timersTroubleshooting Tip: User status 'Not Verified' on the FSSO Collector Agent |
