imacosx
New Contributor

FSSO - polling mode limit

Hi,

I have a doubt about the limits of the FSSO polling mode configuration. A provider set up that method in our LAN and it works fine for a couple of users, but when they deployed the configuration for the whole network, it didn't work.

I was wondering if there are some kinds of limits or restrictions on applying this method to a network.

P.S. The network has 900 clients, more or less.

4 REPLIES
Carl_Wallmark
Valued Contributor

Hi,

Polling mode is more suitable for smaller networks; with 900 users the polling will have issues with the rate of logon/logoff events.

Use DC agents instead.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

xsilver_FTNT
Staff

I agree with "Selective": local polling directly from the FGT is the entry level of FSSO. It serves well for small environments like SOHO or a single office with a few employees (<~100). All of FSSO, and the load, also depends on the environment type, usage and user behavior. The load will be different for a company where everyone logs in to a workstation in the morning and leaves in the afternoon (9-to-5), and different for a campus or library where students log in and out every 90 minutes, all of them within some 10 minutes around classes.

So all those aspects have to be taken into account in FSSO design.

The FGT basically polls the Windows Security (WinSec) log every 10 seconds; this is not changeable, and logging & debug are limited.

The standalone Collector Agent can accommodate DCAgents and TSAgents, plus polling of WinSec / NetAPI / the new WMI (the best polling option, with the lowest traffic volume); it has a log, a debug log, and an event ID map so that only selected IDs are polled, and so on. It is a much better solution for enterprise-grade deployments.

FortiAuthenticator as Collector is an even bigger solution, with possible integration of multiple authentication data sources turned into FSSO and then provided to multiple FGT units.

 

Regarding FSSO limits on the FGT, check the "FSSO Polling" group for your unit size on the Max Values site for your FortiOS version.

For FOS 5.2.2 it's here: http://help.fortinet.com/.../5-2-2/max-values.html

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

xsilver_FTNT

As I tried to say, there is no exact number like "it can hold max 42 users" .. NO!

It depends on the number and frequency of logon events and the strength of your FGT unit, as the CPU will handle this via the "authd" daemon, basically.

RTT (round trip time) below some 100 ms to the polled DC is another limit; the shorter the RTT the better. Once it climbs over some 100 ms it starts to be a bit unpredictable under higher load (more logon events to process). It also brings additional load to the network for DNS resolution (FSSO depends highly on DNS) and LDAP resolves. So a local network is recommended.

If you have high load, a spread-out network like one DC in New York and another in Sydney, or non-native clients like macOS, then I'd suggest using the Collector Agent on a DC or even on a separate server. It's always the better option and it adds almost no additional load to the DC's CPU; it's a pretty lightweight solution.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
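As a practical check of the points in Tomas's two replies (the fixed 10-second WinSec poll, load depending on logon frequency rather than a user count, and the ~100 ms RTT guideline), here is an added Python example; it is not code from this thread or from Fortinet. The Security-log records are constructed, the event IDs 4624/4768 used as the "event ID map" and the per-window capacity number are assumptions for illustration, and the verdict is the reader's own sizing rule, not a Fortinet limit.

```python
"""Sizing check for FSSO polling mode: bucket domain-controller logon events
into the 10-second polling window described in the thread and look for windows
whose logon count exceeds what the reader believes the unit can absorb.
Added example, not Fortinet code; the threshold and event IDs are assumptions."""
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not captured from a real
# DC): (timestamp, event_id, account, workstation). 4624 = successful logon,
# 4768 = Kerberos TGT request, 4634 = logoff. Which IDs FSSO actually maps is
# not stated in the thread; these are chosen for illustration only.
SAMPLE_EVENTS = [
    ("2015-03-02T08:59:55", 4624, "alice", "WS-101"),
    ("2015-03-02T08:59:57", 4768, "alice", "WS-101"),  # same logon, second ID
    ("2015-03-02T09:00:01", 4624, "bob", "WS-102"),
    ("2015-03-02T09:00:02", 4624, "carol", "WS-103"),
    ("2015-03-02T09:00:03", 4634, "alice", "WS-101"),  # logoff, not counted
    ("2015-03-02T09:00:04", 4624, "dave", "WS-104"),
    ("2015-03-02T09:00:06", 4624, "erin", "WS-105"),
    ("2015-03-02T09:00:08", 4624, "frank", "WS-106"),
    ("2015-03-02T09:00:15", 4624, "grace", "WS-107"),
    ("2015-03-02T12:30:00", 4624, "heidi", "WS-108"),
]

POLL_INTERVAL = timedelta(seconds=10)        # FGT WinSec poll interval, per the thread
LOGON_EVENT_IDS = frozenset({4624, 4768})    # assumed "event ID map" of logon events
RTT_LIMIT_MS = 100                           # DC round-trip guideline from the thread
_EPOCH = datetime(1970, 1, 1)


def window_start(ts: datetime, interval: timedelta = POLL_INTERVAL) -> datetime:
    """Align a timestamp to the start of its polling window."""
    return _EPOCH + ((ts - _EPOCH) // interval) * interval


def logons_per_window(events, event_ids=LOGON_EVENT_IDS, interval=POLL_INTERVAL):
    """Count distinct (account, workstation) logons in each polling window.

    Several Security events for one logon (4624 plus 4768 here) count once,
    because FSSO tracks a user/IP session rather than raw event lines."""
    seen = {}  # window start -> set of (account, workstation)
    for stamp, event_id, account, workstation in events:
        if event_id not in event_ids:
            continue
        win = window_start(datetime.fromisoformat(stamp), interval)
        seen.setdefault(win, set()).add((account, workstation))
    return {win: len(users) for win, users in sorted(seen.items())}


def peak_window(counts):
    """Return (window_start, logons) for the busiest polling window."""
    return max(counts.items(), key=lambda item: item[1])


def assess_polling(events, rtt_ms, max_logons_per_poll):
    """Combine the event-rate and RTT observations into a simple verdict.

    max_logons_per_poll is the reader's own capacity assumption for their FGT
    model; the thread gives no fixed number, only that it depends on CPU load
    and logon frequency."""
    counts = logons_per_window(events)
    overloaded = [win for win, n in counts.items() if n > max_logons_per_poll]
    rtt_ok = rtt_ms <= RTT_LIMIT_MS
    if overloaded or not rtt_ok:
        verdict = "Use a Collector Agent (DC agent / WMI polling) instead of FGT polling"
    else:
        verdict = "FGT polling mode looks adequate for this logon pattern"
    return {
        "peak": peak_window(counts),
        "overloaded_windows": overloaded,
        "rtt_ok": rtt_ok,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = assess_polling(SAMPLE_EVENTS, rtt_ms=20, max_logons_per_poll=4)
    print("peak window:", result["peak"])
    print("overloaded windows:", result["overloaded_windows"])
    print("RTT within limit:", result["rtt_ok"])
    print("verdict:", result["verdict"])
```

On a real DC the same analysis would be fed from the Security log export rather than the constructed list; the point is that the 09:00 burst (five distinct logons inside one 10-second window) is what decides polling-mode suitability, not the total of ten users in the sample.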

imacosx
New Contributor

Hi,

Thanks so much for the answer. Another question related to the subject.

If polling mode is suitable for smaller networks, what is the maximum number of clients that this configuration can hold?

EDIT:

----------

I did see xsilver's answer when I wrote this post.
