Dry
New Contributor II

FSSO with polling mode guideline

I want to set up FSSO with the polling mode of the CA.

DC in Domain A, DC in Domain B, DC in Domain C (without agent) -> FSSO Collector agent installed on a workgroup server -> FortiGate

Is there any detailed guideline I can follow?

pavankr5
Staff

Hello @Dry 

 

On the FortiGate Go to Security Fabric > External Connectors, create a new FSSO Agent on Windows AD connector, and add the Collector Agent's IP and password.

Install it on a workgroup server and configure it to communicate with FortiGate. Enable polling mode to retrieve logon events from domain controllers.
Make sure they are reachable from the Collector Agent. Open required ports (TCP/445, TCP/135, TCP/139, UDP/137) for communication.

Please refer to the article below for reference on the FSSO Agent in polling mode:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-Agent-in-polling-mode/ta-p/228136

Thanks,

Pavan
pminarik
Staff

> FSSO Collector agent inistalled in a workgroup server
For full, proper functionality the Collector agent absolutely must be installed on a server that is domain-joined to the domain that is to be monitored.

 

If the Collector is not a member of the polled domain, it will have wide consequences on what is possible:

  • Polling method: Only DC Agent will likely work. Others are expected to fail due to permission problems (source PC not in the same domain as the DC).
  • Group info retrieval: Should be OK, basic LDAP connection.
  • Workstation checks: Will not work, permission problems (source PC not in the same domain as the checked workstation).
  • Initial config may need to be hacked together via the registry (domain auto-discovery will likely fail and you will not be able to select which domains the Collector should monitor).

Strongly not recommended.

[ corrections always welcome ]
Dry
New Contributor II

Will agent mode solve those issues?

Debbie_FTNT

It will solve some issues, but not many.

Essentially:

- New logins can be received from DC agent and will maybe be fine

-> Collector Agent will have to do DNS lookups for workstations

-> if Collector agent is not in the domain, it must be manually pointed to correct DNS servers, and configured with DNS suffixes to check

-> workstation checks (verifying if a user is still logged in) will be impossible

It will certainly require a lot of custom configuration on Collector Agent, and the installation itself may run into issues. Like pminarik, I would not recommend such a setup.

Cheers,

Deborah

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
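The replies above boil down to three prerequisites for the Collector host: it should be domain-joined, it needs TCP/445, TCP/135 and TCP/139 open to every DC it polls, and it must be able to resolve workstation names through the right DNS suffixes. The following PowerShell preflight, run on the prospective Collector host, checks all three; it is an added example, not code from any of the posters or from Fortinet, and the DC names, suffixes and workstation name are placeholders to replace with your own.

```powershell
# Added example (not from the thread): preflight checks for a FSSO Collector Agent host.
# Replace the placeholder DC names, DNS suffixes and workstation name with your own values.
$DomainControllers = @('dc1.domain-a.example', 'dc1.domain-b.example', 'dc1.domain-c.example')
$DnsSuffixes       = @('domain-a.example', 'domain-b.example', 'domain-c.example')
$SampleWorkstation = 'WS-PLACEHOLDER'     # short hostname of a workstation that is known to be online
$TcpPorts          = @(445, 135, 139)     # TCP ports named in the reply; UDP/137 cannot be tested with Test-NetConnection

# 1. Domain membership: workstation checks and domain auto-discovery need a domain-joined Collector.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Host "OK   Collector host is joined to domain '$($cs.Domain)'"
} else {
    Write-Warning "Collector host is in workgroup '$($cs.Domain)'; expect polling and workstation-check failures"
}

# 2. TCP reachability from the Collector to every DC on the ports the agent uses.
foreach ($dc in $DomainControllers) {
    foreach ($port in $TcpPorts) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'OK  ' } else { 'FAIL' }
        Write-Host "$state TCP/$port to $dc"
    }
}

# 3. DNS: the Collector resolves workstation short names itself, so each configured suffix must resolve them.
foreach ($suffix in $DnsSuffixes) {
    $fqdn = "$SampleWorkstation.$suffix"
    try {
        $rec = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
        Write-Host "OK   $fqdn -> $($rec.IPAddress -join ', ')"
    } catch {
        Write-Host "FAIL $fqdn did not resolve from this host"
    }
}
```

A FAIL in section 1 or 3 is exactly the situation pminarik and Debbie describe for a workgroup Collector; a FAIL in section 2 points at a firewall between the Collector and that DC rather than at domain membership.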
rmreddy
Staff

Hi,

If you are not looking to install the FSSO agent on the server, follow the link below for reference.
https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/888827/poll-active-directory...
If you want to install the FSSO agent but not the DC agent, follow the link below for reference.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-Agent-in-polling-mode/ta-p/228136

Usually it is suggested to use agent-based mode, i.e. with the FSSO agent.
Regarding polling mode or DC agent mode, it basically depends on the network. If it is a large network setup with a large number of users, then agent-based is recommended.
