Support Forum
Victor
New Contributor III

FSAE User Experience

I am looking for real-world experience on FSAE, particularly related to v3 MR7 or v4 code. Here is my scenario:

1) We wish to use authentication for over-ride situations only.
2) Given that we are a large school board with a user-account base of around 80,000, we want to limit the over-ride groups to staff, giving us a much smaller user base to service.
3) Our users move from machine to machine, so FSAE needs to know when a user has logged off.
4) We currently use Novell's ZENworks to image machines and deliver apps. This means that processes may run that will temporarily change the local user logged in, in order to securely update and install apps.
5) We will be using AD with LDAP.
6) We would like to log only the overrides, as experience has shown that excessive logging can bog down the Fortigates.

My questions are:

1) Does anyone have a formula on what resource impact FSAE has on the Fortigates?
2) Has anyone attempted criterion 6 (without any additional Fortinet hardware)?
3) I am curious about criterion 3 because, unlike Novell, Windows does not register when a user logs off. From what I can see, the FSAE collector will be querying workstations, resulting in increased network traffic and further workstation configuration of registry and firewall policies. Real-world experience would be greatly appreciated.
4) I read in the latest Fortigate Values Matrix, relating to version 4.0, that the max number of temporary user policy overrides is 400. The various earlier matrices make no mention of a limit. Has anyone run up against this limit?
5) Has anyone experienced the issues of dynamic workstation logons for software updates or installs?

I will be creating a call ticket on this issue, but would appreciate all the real-world experience you have to offer.

Thanks
Victor
rwpatterson
Valued Contributor III

With respect to Q3: FSAE knows when a user logs off. Best bet is to have static IP addressing. DHCP addressing can be problematic (as per another post here). With respect to Q5: FSAE allows you to not report those machine accounts which only install software, so that only real human accounts are used for firewall policy access. Hope that helps.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Victor
New Contributor III

Thanks for the quick response, Bob. Are you suggesting that I fix the IPs of all my workstations, or assign the user to a fixed IP? I'm not sure that either would be a workable solution in our environment. Secondly, do you have a link to the thread you mentioned vis-a-vis Q3, or the title of the thread so I can search for it?

Victor
rwpatterson
Valued Contributor III

Here it is (Q3): http://support.fortinet.com/forum/tm.asp?m=38747&p=1&tmode=1&smode=1

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Victor
New Contributor III

Thanks, Bob. A very interesting thread, and the user-assigned static addresses would be my preference, though not without their caveats. What I find interesting is that the user's IP address changed, which leads me back to the logoff issue. A computer should not change its address while active, except in cases where an administrator shuts down the port, blows away the lease and assigns that DHCP address elsewhere. That is the only case where a tenacious Windows authentication would reconnect and change the address. In all other cases the user would log off, and the system should register that change and delete any orphaned entries. Under your suggestion, if the system does not delete logged-off user/IP combinations, then said user would have trouble when logging into another machine that was subject to the same policy. A real showstopper in an educational environment.

My scenario is slightly different. What I want to do is use FSAE, not for network/internet access purposes, but as the method by which the Fortigate authenticates requests to override a Fortigate Web Filtering category. If you have the rights you can override; if not, the site is blocked but you can go on your merry way to the sites that are not blocked. I have tested the proof of concept using a local user account, and once I have clarified my concerns with Fortinet and, hopefully, with a wealth of end-user experience, I will implement FSAE and apply it to a larger test user group.

By-the-by, I believe that you had implemented FSAE and had abandoned it at one point. If memory serves me, it was an upgrade that killed its usefulness. Have you gone back to FSAE? When it was in operation, did you see a marked increase in CPU/memory usage?

Thanks again for your quick responses.
Victor
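The two failure modes argued over in this thread (a user/IP entry that outlives the logon because Windows never reports the logoff, and an install-time machine or service logon displacing the human user's entry) are easier to reason about with a small model of the collector's IP-to-user table. The following is an added simulation written for this page; it is not Fortinet's FSAE/FSSO code and not from either poster's environment. The group name, addresses, account names and timeline are constructed, and the "poll the workstation" step stands in for whatever the real collector does to verify a host.

```python
"""Added simulation (not Fortinet's FSAE/FSSO code) of the IP-to-user table a
collector agent feeds to a firewall. It shows (1) why machine/service-account
logons must be ignored so a software-install logon does not displace the human
user, and (2) why an entry that is never cleared on logoff lets the next host
to receive that DHCP address inherit the previous user's override rights.
All names, addresses, group names and times below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Assumed AD group name for the "may override the web filter" privilege.
STAFF_OVERRIDE_GROUP = "CN=Staff-Override,OU=Groups,DC=example,DC=edu"


@dataclass
class Mapping:
    user: str
    groups: FrozenSet[str]
    last_verified: int  # time (s) the entry was last confirmed by a logon or a host poll


class IdentityTable:
    """IP -> user mapping, keyed by IP as identity-based firewall policy consumes it."""

    def __init__(self, ignore_users: Iterable[str] = (), dead_after: int = 0) -> None:
        self.entries: Dict[str, Mapping] = {}
        self.ignore_users = frozenset(ignore_users)
        self.dead_after = dead_after  # 0 = never expire: trust the entry until a logoff is seen

    def is_ignored(self, user: str) -> bool:
        # Machine accounts end in '$'; service accounts go on an explicit ignore list.
        return user.endswith("$") or user.lower() in self.ignore_users

    def logon(self, ip: str, user: str, groups: Iterable[str], now: int) -> bool:
        """Collector saw a logon event for `user` from `ip`. Returns False if ignored."""
        if self.is_ignored(user):
            return False
        self.entries[ip] = Mapping(user, frozenset(groups), now)
        return True

    def logoff(self, ip: str, user: str) -> bool:
        """Explicit logoff: clears the entry only if it still belongs to that user."""
        entry = self.entries.get(ip)
        if entry is not None and entry.user == user:
            del self.entries[ip]
            return True
        return False

    def workstation_check(self, ip: str, sessions_on_host: List[str], now: int) -> bool:
        """Collector polled the host at `ip` and got its current interactive sessions.
        Keeps the entry only if the mapped user is still among them."""
        entry = self.entries.get(ip)
        if entry is None:
            return False
        if entry.user in sessions_on_host:
            entry.last_verified = now
            return True
        del self.entries[ip]  # user gone, or a different host now owns the address
        return False

    def lookup(self, ip: str, now: int) -> Optional[Mapping]:
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if self.dead_after and now - entry.last_verified > self.dead_after:
            del self.entries[ip]  # unverified for too long: treat as logged off
            return None
        return entry

    def may_override(self, ip: str, now: int) -> bool:
        """Firewall-side decision for a web-filter override request from `ip`."""
        entry = self.lookup(ip, now)
        return entry is not None and STAFF_OVERRIDE_GROUP in entry.groups


def run_scenario(poll_workstations: bool, dead_after: int = 0) -> Dict[str, object]:
    """Constructed timeline on one lab address (10.20.30.40 is hypothetical)."""
    table = IdentityTable(ignore_users={"zenworks-svc"}, dead_after=dead_after)
    ip = "10.20.30.40"
    # t=0: staff member alice logs on; the collector sees the DC logon event.
    table.logon(ip, "alice", {STAFF_OVERRIDE_GROUP}, now=0)
    # t=60: an install runs on the same PC under a machine and a service account.
    table.logon(ip, "LABPC01$", set(), now=60)
    table.logon(ip, "zenworks-svc", set(), now=61)
    user_after_install = table.entries[ip].user
    # t=600: alice logs off. No DC event reaches the collector (the thread's concern).
    # t=900: the lease lapses and DHCP hands the address to a student's laptop that
    # signs in with cached credentials, so the collector sees no new logon either.
    if poll_workstations:
        # Collector polls whatever host now answers at that address: alice is not there.
        table.workstation_check(ip, sessions_on_host=["bob"], now=900)
    return {
        "user_after_install": user_after_install,
        "override_granted_to_new_host": table.may_override(ip, now=1000),
        "override_much_later": table.may_override(ip, now=10_000),
    }
```

Run with `run_scenario(poll_workstations=False)` and the new host at 10.20.30.40 is granted alice's override indefinitely; with `poll_workstations=True` the poll removes the orphaned entry, and with `dead_after=3600` an unverified entry at least stops being trusted after an hour. Ignoring the `$`-suffixed machine account and the listed service account is what keeps alice's entry intact across the install step.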