Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
blackhole_route
New Contributor III

Group Cache Mode - behavior and things to consider

We've recently begun using FAC in a larger way. Our deployment is primarily Windows Event Log Polling to capture logon events, pushing authenticated users and groups down to the Fortigates for authentication in policy.

 

We've had a few instances where adding someone's group membership in AD has not updated into their FAC authentication table entry, even after logging off of Windows, rebooting, logging back on, and confirming group membership via gpresult.

 

After researching this, I believe this delay caused by our group cache mode being set to passive with what seems to me to be a rather long refresh interval -- 540 minutes.

 

As with much documentation, the details of passive versus active cache and what happens to the current logged on user auth table entry when the group cache expires, does not appear documented in the admin guide or is very spartan in description. Thought I would try here before opening a ticket with Support.

 

I think my questions are:

* what happens to the user authentication table when group cache expires when group cache is passive? And when active? I _hope_ the auth table remains untouched

* I'm understanding based on docs that when active, at group cache expiration, the group is requeried to find current group memberships and update the auth table accordingly.

* What I _think_ will happen when cache mode is passive is: when the group cache expires, the next logon event for a user in that group will requery the group for current members and update the table accordingly.

* What are the negative implications of turning down passive group cache to a low value - like 30 minutes other than increased and more frequent AD queries).

* Likewise, what are the implications of changing from passive group cache to active group cache? Other than increased load to always update group memberships on a more regular interval for all logged on users.

 

Thanks for any knowledge you can share.

 

1 REPLY 1
blackhole_route
New Contributor III

I think I found some good info @afroman posted on reddit about this a couple years ago. https://www.reddit.com/r/fortinet/comments/3afsa0/authenticator_does_not_reflect_change_in_window/

 

I certainly welcome any other feedback. The biggest thing for me to consider is that we're what I would consider a fairly large deployment - around 15,000 active FSSO user sessions and I'd prefer not thrashing our AD servers or our FAC VM.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors