J13224
New Contributor III

Is FortiGate as a local FSSO poller with multiple DCs possible?

Can FSSO work in a small AD network with 2 DCs using the FG as a local FSSO poller (agentless)?

I have it configured with 2 SSO connections, one to each DC, but it does not seem to be capturing logons to the 2nd DC.

 

I have seen mixed information as to whether this is possible without an "external" collector agent.

 

Thanks,

3 REPLIES
xsilver_FTNT
Staff

Hi J13224,

Local polling from FortiGate is possible.

However, it has its limits. Mainly:

- no workstation checks

- no other log-collection method than WinSec polling, with a fixed set of EventIDs polled

- no IP change monitoring

- logon-processing load affects the firewall

 

A standalone Collector Agent is, from my point of view, a much better solution.

Even for small environments like 1-2 DCs.

I would suggest installing the Collector on one DC (or on both for resiliency, but FortiGate will use only one at a time and switch to the other when the old one is unreachable).

And I would suggest using WinSec polling with WMI (the last polling option in the settings).

 

Kind regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

J13224
New Contributor III

Thanks Tomas,

 

I think I will deploy with the Collector Agent as you suggest,  I like the additional features.

 

But I am wondering, in case it comes up in the future: do you know if FortiGate can support local polling from the FortiGate from multiple DCs? "Technically" it looks like it should, and the unit does not display any errors when I set it up; it just does not record the secondary server logons and I do not get any debug errors. In fact I see the FG logon in the security event viewer of the second DC. The events just do not get merged with the primary.

 

Thanks again,

 

Jim Greco

 

 
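As an added illustration (not from either poster's configuration), here is what the two-DC local-polling setup described above looks like in the FortiOS CLI, together with the diagnose commands that show per-server polling state and the learned logon table. The DC addresses, the domain, the service-account name and the LDAP server name "ad-ldap" are assumptions; the option names follow the `config user fsso-polling` tree as I know it and should be checked against the CLI reference for the firmware in use. Lines starting with `#` are annotations, not commands.

```text
# FortiOS CLI (added example; addresses, names and the service account are assumed)
# One fsso-polling entry per DC. Each entry is a separate poller that reads the
# Security event log of that server with the credentials given here.
config user fsso-polling
    edit 1
        set status enable
        set server "192.0.2.10"            # DC1 (assumed address)
        set default-domain "example.local" # assumed domain
        set user "fsso-svc"                # account allowed to read the Security log (assumed)
        set password "********"
        set ldap-server "ad-ldap"          # existing 'config user ldap' entry, assumed
        set logon-history 8                # hours of past events read at start-up
        set polling-frequency 10           # seconds between polls
    next
    edit 2
        set status enable
        set server "192.0.2.11"            # DC2 (assumed address)
        set default-domain "example.local"
        set user "fsso-svc"
        set password "********"
        set ldap-server "ad-ldap"
        set logon-history 8
        set polling-frequency 10
    next
end

# Check which servers are actually being read and what was learned from each:
diagnose debug fsso-polling summary   # per-server status, last poll, event counters
diagnose debug fsso-polling detail    # full per-server polling state
diagnose debug authd fsso list        # logon table the firewall enforces policy on

# Live trace of the poller while a test user logs on through DC2:
diagnose debug application fssod -1
diagnose debug enable
# ... reproduce the logon, then stop tracing
diagnose debug disable
diagnose debug reset
```

If `summary` shows the second entry with a recent poll time and a rising event counter but `authd fsso list` never shows logons from DC2, the events are being read but not turned into user entries, which is the symptom described above; if the poll time never advances, the FortiGate is not reading DC2's log at all despite the logon recorded in that DC's Security log.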

xsilver_FTNT

Sorry to say, but I would not bother with local polling for more than a single DC in a single domain with few users.

Anything bigger than that is way better via a standalone Collector Agent or FortiAuthenticator.

Both can handle anything from a single domain with few users up to tens of DCs, multi-domain environments and thousands of users.

Why should I load the FortiGate and use precious resources, when what I need from the FW is speed, and I have plenty of resources on the DCs plus a free-of-charge standalone Collector Agent?

I do not really see the point in local polling beside initial test (POC).

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
