We've recently begun using FAC in a larger way. Our deployment is primarily Windows Event Log Polling to capture logon events, pushing authenticated users and groups down to the Fortigates for authentication in policy.
We've had a few instances where adding someone's group membership in AD has not updated into their FAC authentication table entry, even after logging off of Windows, rebooting, logging back on, and confirming group membership via gpresult.
After researching this, I believe this delay is caused by our group cache mode being set to passive, with what seems to me to be a rather long refresh interval of 540 minutes.
As with much documentation, the details of passive versus active cache, and of what happens to the currently logged-on user's auth table entry when the group cache expires, do not appear to be documented in the admin guide, or are very spartan in description. I thought I would try here before opening a ticket with Support.
I think my questions are:
* What happens to the user authentication table when the group cache expires while group cache is passive? And when active? I _hope_ the auth table remains untouched.
* My understanding, based on the docs, is that when active, at group cache expiration the group is requeried to find current group memberships and the auth table is updated accordingly.
* What I _think_ will happen when cache mode is passive is: when the group cache expires, the next logon event for a user in that group will requery the group for current members and update the table accordingly.
* What are the negative implications of turning the passive group cache down to a low value, like 30 minutes (other than increased and more frequent AD queries)?
* Likewise, what are the implications of changing from passive group cache to active group cache, other than the increased load of always updating group memberships on a regular interval for all logged-on users?
Thanks for any knowledge you can share.
I think I found some good info that @afroman posted on Reddit about this a couple of years ago: https://www.reddit.com/r/fortinet/comments/3afsa0/authenticator_does_not_reflect_change_in_window/
I certainly welcome any other feedback. The biggest thing for me to consider is that we're what I would consider a fairly large deployment, around 15,000 active FSSO user sessions, and I'd prefer not to thrash our AD servers or our FAC VM.
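To make the two cache modes asked about above concrete, here is a small Python model of the behaviour the post hypothesises for passive versus active group cache (cached group lookups with a refresh interval; passive mode only requerying on the next logon event after expiry, active mode requerying every cached user on a timer). This is an added illustration, not FortiAuthenticator code, and the class names, the `Directory`/`GroupCache` structure, the sample users and the timing are all assumptions constructed for the example; it does not confirm how FAC actually behaves, only what the two questioned behaviours would imply for update delay and AD query count.

```python
"""Toy model of a group-membership cache with passive vs active refresh.

Assumed semantics (from the post's own description, not FAC's implementation):
- passive: an expired cache entry is refreshed only on the next logon event
- active:  a periodic timer refreshes every expired entry and updates the
           auth table for users who are still logged on
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Stand-in for AD: user -> set of group names (constructed sample data)."""
    members: dict

    def groups_of(self, user):
        # Return a copy so cached entries are not aliased to live AD state
        return set(self.members.get(user, ()))


@dataclass
class GroupCache:
    directory: Directory
    mode: str   # "passive" or "active"
    ttl: int    # refresh interval in minutes (the post's value is 540)
    cache: dict = field(default_factory=dict)       # user -> (groups, fetched_at)
    auth_table: dict = field(default_factory=dict)  # user -> groups pushed to FortiGate
    queries: int = 0                                # count of simulated AD lookups

    def _fetch(self, user, now):
        """Query the directory and refresh the cache entry for one user."""
        self.queries += 1
        groups = self.directory.groups_of(user)
        self.cache[user] = (groups, now)
        return groups

    def logon(self, user, now):
        """Logon event (as seen by Windows Event Log polling) at minute `now`."""
        entry = self.cache.get(user)
        if entry is None or now - entry[1] >= self.ttl:
            groups = self._fetch(user, now)   # unknown or expired: requery AD
        else:
            groups = entry[0]                 # within TTL: reuse cached groups
        self.auth_table[user] = groups
        return groups

    def tick(self, now):
        """Periodic timer at minute `now`; only active mode touches sessions."""
        if self.mode != "active":
            return
        for user, (_, fetched_at) in list(self.cache.items()):
            if now - fetched_at >= self.ttl and user in self.auth_table:
                self.auth_table[user] = self._fetch(user, now)


def scenario(mode, ttl):
    """Replay the post's situation: a group is added in AD shortly after logon,
    the user logs off and back on within the TTL, then the TTL passes."""
    ad = Directory({"alice": {"Domain Users"}, "bob": {"Domain Users"}})
    fac = GroupCache(ad, mode, ttl)
    fac.logon("alice", now=0)
    fac.logon("bob", now=0)                 # a second logged-on user, never changed
    ad.members["alice"].add("VPN-Users")    # AD group membership change at t=10
    fac.logon("alice", now=20)              # logoff / reboot / logon before expiry
    within_ttl = "VPN-Users" in fac.auth_table["alice"]
    fac.tick(now=ttl)                       # timer fires at the refresh interval
    after_timer = "VPN-Users" in fac.auth_table["alice"]
    fac.logon("alice", now=ttl + 5)         # first logon after the cache expired
    after_relogon = "VPN-Users" in fac.auth_table["alice"]
    return {
        "after_relogon_within_ttl": within_ttl,
        "after_timer_at_ttl": after_timer,
        "after_relogon_past_ttl": after_relogon,
        "ad_queries": fac.queries,
    }


if __name__ == "__main__":
    for mode in ("passive", "active"):
        for ttl in (540, 30):
            print(mode, ttl, scenario(mode, ttl))
```

Under these assumed semantics the re-logon inside the TTL never picks up the new group in either mode, which matches the symptom in the post; in passive mode the entry is only corrected by a logon after the interval, while in active mode the timer corrects it for the still-logged-on user but at the cost of one directory query per cached user per interval (here 4 queries instead of 3), which is the load trade-off the last question is about.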