We've been running FSAE/FSSO collector agents on our DCs for some time and everything seems to be working just fine in terms of user authentication in the firewall.
But I have noticed DCOM errors in the Event Log on the main DC, such as the following:
Event ID = 10028
Source = DistributedCOM
Message = DCOM was unable to communicate with the computer 10.20.30.40 using any of the configured protocols; requested by PID 999 (C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe).
Investigations of the IP Addresses reported show that these errors occur in 2 specific scenarios:
(1) when one of our Fuji Xerox printers is used by a staff member to Scan a document which is saved to an SMB File Share on a server (there is a domain user account used by the printer to authenticate access to the share); or
(2) when our Barracuda Message Archiver checks user mailboxes in Exchange to synchronise the list of mailbox folders (this runs under a specific domain user account each evening)
I have tried excluding the 2 x domain user accounts used by those processes, so that the collector 'ignores' them. This has NOT fixed the Event Log errors.
Q. is there any way to tell the Collector to ignore specific IP Addresses on the network? (there is no point it trying a DCOM connection to the BMA or to a Printer).
Hello Frosty,
What should work is editing Windows AD registry with specific IP (not range) :
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent > dc_agent_ignore_ip_list > modify > Value Data: 10.20.30.40; Multiple values separated by semicolon.
P.S. wanted to add picture but it fails
Alivo
livo
Hey! Thanks so much Alivo!
I tried this registry setting on the main DC a few minutes ago, then kicked off one of the synchronisation jobs on the Barracuda Message Archiver. So far, so good, no new DCOM errors reported.
I'll know for sure tonight when the main sync tasks run.
Cheers,
Frosty
EDIT: there is an error in my original post; Event ID = 10028 (not 14554)
Can now confirm, this indeed fixed my DCOM error issues; none reported since applying the registry setting 'fix'.
So I need to re-open this discussion, as the error logs have returned with a vengeance!
Since implementing Always On VPN a few months ago, I am now getting Event ID 10028 again for every VPN client.
I would like to block a Range of IP Addresses (e.g. everything starting with 1.2.3.whatever) as it just isn't possible to put in 254 individual IP addresses from a range.
We have the same idea? Does anyone has an idea?
I would also like to block a range? Is that possible?
Hello,
Currently, this needs to be done manually in registry as per my previous post.
Multiple IPs to be separated by ; . The registry key should accept about 65 000 addresses.
Example: 192.168.1.1;.192.168.2.2;192.168.3.3
P.S. we hope to have this feature more user friendly in the future.
Best Regards,
Alivo
livo
Thanks Alivo,
I will try a long, LONG, L-O-N-G string of individual IPs, semi-colon separated, and will let you know how it goes.
Cheers,
Steve
Hello Steve,
Please be aware that the when the string is too long (I tested with 10 000 characters) the string itself can become
"invisible" while still applied. This is registry issue.
Best Regards,
Alivo
livo
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.