I am looking for real-world experience on FSAE, particularly related to v3 MR7 or v4 code. Here is my scenario:
1) We wish to use authentication for over-ride situations only.
2) Given that we are a large school board with a user-account base of around 80,000, we want to limit the over-ride groups to staff, giving us a much smaller user base to service.
3) Our users move from machine to machine, so FSAE needs to know when a user has logged off.
4) We currently use Novell's Zenworks to image machines & deliver apps. This means that processes may run that will temporarily change the local user logged in, in order to securely update & install apps.
5) We will be using AD with LDAP.
6) We would like to log only the overrides as experience has shown that excessive logging can bog down the Fortigates.
My questions are:
1) Does anyone have a formula on what the resource impact FSAE has on the Fortigates?
2) Has anyone attempted criterion 6 (without any additional Fortinet hardware)?
3) I am curious about criterion 3 because, unlike Novell, Windows does not register when a user logs off. From what I can see the FSAE collector will be querying workstations, resulting in increased network traffic and further workstation configuration to registry & firewall policies. Real-world experience would be greatly appreciated.
4) I read in the latest Fortigate Values Matrix, relating to version 4.0, that the max number of temporary user policy overrides is 400. The various earlier matrices make no mention of a limit. Has anyone run up against this limit?
5) Has anyone experienced the issues of dynamic workstation logons for software updates or installs?
I will be creating a call ticket on this issue, but would appreciate all the real-world experience you have to offer.
Thanks
Victor