Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

Created on ‎10-16-2023 02:37 PM

Excluding FSSO service account login attempts on some hosts

Hello

We are using FSSO CA mode.

We noticed frequent login attempts on servers from FSSO CA VMs with the FSSO service account.

    Login Process: NtLmSsp
    Authentication Package: NTLM
    Package Name: NTLM V2
    winlog.task: Logon
    event.action: logged-in

These login attempts are not wanted on servers, since we need FSSO for client hosts only.

Tried to search on FSSO CA configuration tool how to filter the target hosts (eg.: by IP range) but didn't find such feature.

Any idea on how we can do such exclusion?

AEK
AEK
Labels:
540
0 Kudos
6 REPLIES 6
Sheikh
Staff
Staff

Created on ‎10-17-2023 03:09 AM Edited on ‎10-17-2023 03:10 AM

Hello @AEK 

 

Please add all the service accounts in "ignore user list" in FSSO collector agent settings. See the technical document below.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-and-why-to-use-the-Ignore-User-List-op...

 

regards,

 

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
518
0 Kudos
AEK
SuperUser
SuperUser
In response to Sheikh

Created on ‎10-17-2023 07:44 AM

Hello Sheikh

Thanks for your response. My issue is not that FSSO agent catches login events of service account users, but my concern is that FSSO service account is trying login on all our servers.

AEK
AEK
500
0 Kudos
akanibek
Staff
Staff

Created on ‎10-17-2023 08:12 AM

Hey AEK,

FSSO CA to verify workstation tries to connect to each machine to check if the user still logged via wmi. May be these events are related to it? 
Meanwhile, the most important here is if this event overrides the current, proper user account, or not?

 

 

 

Asset
496
0 Kudos
AEK
SuperUser
SuperUser
In response to akanibek

Created on ‎10-18-2023 02:59 AM

Hello

No it doesn't impact the proper user account since we don't need to monitor the servers. We only need to prevent these login attempt on server hosts.

AEK
AEK
466
0 Kudos
hbac
Staff
Staff

Created on ‎10-17-2023 08:19 AM

Hi @AEK,

 

Can you check 'show monitored DCs', then 'Select DC to Monitor'? How many servers are impacted? 

 

Regards, 

493
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎10-18-2023 03:45 AM

Hi hbac

There are 6 monitored (screenshot).

It seems that any windows servers part of the domain are impacted (more than 50).CA.png

AEK
AEK
462
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.