AEK
Honored Contributor

Excluding FSSO service account login attempts on some hosts

Hello

We are using FSSO CA mode.

We noticed frequent login attempts on servers from FSSO CA VMs with the FSSO service account.

    Login Process: NtLmSsp
    Authentication Package: NTLM
    Package Name: NTLM V2
    winlog.task: Logon
    event.action: logged-in

These login attempts are not wanted on servers, since we need FSSO for client hosts only.

Tried to search in the FSSO CA configuration tool for how to filter the target hosts (e.g. by IP range) but didn't find such a feature.

Any idea on how we can do such exclusion?

AEK
Sheikh
Staff

Hello @AEK

Please add all the service accounts to the "ignore user list" in the FSSO collector agent settings. See the technical document below.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-and-why-to-use-the-Ignore-User-List-op...

Regards,

Sheikh

AEK
Honored Contributor

Hello Sheikh

Thanks for your response. My issue is not that the FSSO agent catches login events of service account users; my concern is that the FSSO service account is trying to log in on all our servers.

AEK
akanibek
Staff

Hey AEK,

To verify workstations, FSSO CA tries to connect to each machine via WMI to check whether the user is still logged in. Maybe these events are related to it?
Meanwhile, the most important point here is whether this event overrides the current, proper user account or not.

AEK
Honored Contributor

Hello

No, it doesn't impact the proper user account since we don't need to monitor the servers. We only need to prevent these login attempts on server hosts.

AEK
hbac
Staff

Hi @AEK,

Can you check 'show monitored DCs', then 'Select DC to Monitor'? How many servers are impacted?

Regards,

AEK
Honored Contributor

Hi hbac

There are 6 monitored (screenshot).

It seems that any Windows servers that are part of the domain are impacted (more than 50).

AEK
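
One way to scope the logons discussed in this thread, as an added example that is not part of any post above: it counts NTLM logons by the FSSO service account coming from the collector agent VMs, split into server and client targets. The account name, IP addresses, host names and the `winlog.event_data.*` / `host.*` field names are assumptions (flattened Winlogbeat-style fields); only `winlog.task` and `event.action` come from the original post.

```python
import ipaddress
from collections import Counter

# All values below are constructed for illustration.
FSSO_ACCOUNT = "svc_fsso"                              # hypothetical service account
COLLECTOR_IPS = {"10.0.0.21", "10.0.0.22"}             # hypothetical FSSO CA VMs
SERVER_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # hypothetical server range

def ev(host, host_ip, user, src_ip, pkg="NTLM", action="logged-in"):
    """Build one flattened Winlogbeat-style logon event (constructed sample)."""
    return {
        "winlog.task": "Logon",
        "event.action": action,
        "host.name": host,
        "host.ip": [host_ip],
        "winlog.event_data.TargetUserName": user,
        "winlog.event_data.AuthenticationPackageName": pkg,
        "winlog.event_data.IpAddress": src_ip,
    }

SAMPLE_EVENTS = [
    ev("srv-db01", "10.10.1.5", "svc_fsso", "10.0.0.21"),
    ev("srv-db01", "10.10.1.5", "svc_fsso", "10.0.0.22"),
    ev("srv-app02", "10.10.2.9", "SVC_FSSO", "10.0.0.21"),
    ev("pc-0142", "10.20.3.44", "svc_fsso", "10.0.0.21"),    # client host
    ev("srv-db01", "10.10.1.5", "alice", "10.20.3.44", pkg="Kerberos"),
    ev("srv-app02", "10.10.2.9", "svc_fsso", "10.30.0.7"),   # not from a collector
]

def is_collector_logon(e):
    """True for an NTLM logon by the FSSO account that came from a collector VM."""
    return (e.get("winlog.task") == "Logon"
            and e.get("event.action") == "logged-in"
            and e.get("winlog.event_data.AuthenticationPackageName") == "NTLM"
            and e.get("winlog.event_data.TargetUserName", "").lower() == FSSO_ACCOUNT
            and e.get("winlog.event_data.IpAddress") in COLLECTOR_IPS)

def is_server(e):
    """True if any address of the target host falls inside a server range."""
    return any(ipaddress.ip_address(ip) in net
               for ip in e.get("host.ip", []) for net in SERVER_NETS)

def summarize(events):
    """Count collector logons per target host, split into servers and clients."""
    servers, clients = Counter(), Counter()
    for e in events:
        if is_collector_logon(e):
            (servers if is_server(e) else clients)[e["host.name"]] += 1
    return servers, clients

if __name__ == "__main__":
    servers, clients = summarize(SAMPLE_EVENTS)
    print("on servers:", dict(servers))
    print("on clients:", dict(clients))
```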