Description
This article describes how to optimally verify a user is still logged in to a workstation via FSSO.
Scope
All supported versions of FortiGate.
Solution
Microsoft Windows does not provide reliable logoff event monitoring that can be read by FSSO.
In order to verify if the same user is still logged on to a workstation, the FSSO Collector Agent needs to send a WMI query to each workstation across a preset interval.
The default Workstation Verify Interval is set to 5 minutes and can be adjusted as shown below:
However, some corporate environments with large amounts of workstations can experience delays in workstation verification regardless of what the timer is set to.
This mostly occurs when there are thousands of workstations queued for WMI query while many of them are unreachable.
In extreme cases, it may take even several hours before all workstations in the queue are queried.
To mitigate this issue, FSSO Collector Agent v5.0.0301 and above (released with FortiOS 6.4.7+ and 7.0.1+) adds multi-threading support for Workstation Verification.
This option can be enabled under FSSO Collector Agent -> Advanced Settings -> General tab -> Workstation check thread count.
By default, this option is set to '0' and only 1 worker/thread will be used.
However, for example: if the Workstation check thread count is set to '10', the queue of workstations to be checked with a WMI query will be split into 10 smaller sub-queues.
Each sub-queue will be processed by separate worker, which can achieve up to 10x faster processing of the Workstation check queue.
Note:
It is maybe necessary to use different amount of Workstation check threads for different environments.
This will mostly depend on the workstation count and how many of the workstations are unreachable (TCP timeout).
Related articles: