I don't use FSSO agent. I only use Poll Active Directory configuration (agentless). The communication is just between DC and Fortigate. My DC's are with the last patch.

Since Microsoft hardened the process in how remote event logs are viewed and your doing agentless config I think you only have two options. Setup FSSO collector agent on a Windows Server with June or higher patch or wait for Fortinet to update FortiOS with a fix for Microsoft's changes. Who knows when that will be.

Hi All,

I see we are not the only ones stuck with this issue. Since neither 6.2.10 or 6.4.7 are yet released would anybody on the forum here know the release date for 6.2.10 (for 400E)? I need to know what to say to the customer. I don't want to go back to the FSSO agent :(

Many Thanks,

Tukan wrote:

I don't want to go back to the FSSO agent :(

Why not?

To be honest, for small company with just few users (<20) it might be OK to use direct polling from FGT.

But for anything bigger, serious, or with higher logon rate I would definitely go for standalone Collector Agent.

Because it seems to me better solution as: - it has no issue as it is part of domain member machine

- DNS and data about workstations resolved locally on machine (while you still have option for alternative DNS servers) - has its own resources and do not add extra load on FGT RAM/CPU, so FW can do firewalling and not babysitting/gathering of the user data

- scalable and resilient, while only resiliency on FGT is HA

- various user data gathering methods and logging, not just hardcoded WinSec

- various timers on how to handle logons, like dead entries etc.  where FGT has just polling interval AFAIK

- LDAP cache management

- free of charge

If I'd sort SSO solutions by preference:

1. FAC (FortiAuthenticator) + FortiClient SSOMA (but FAC is paid solution + you'd need license for SSOMA, but that's best solution IMHO where you can get most accurate SSO data)

2. FAC SSO .. no SSOMA agents on workstations, but still VERY versatile collector inside FAC

3. standalone Collector Agent .. and methods by preference 1. WinSec+WMA 2. WinSec 3. DCAgents .. rest like NetAPI is legacy.

4. FGT .. and I would opt for RSSO if possible and use FSSO direct polling as last resort.

So in short, standalone collector is pretty good and stable solution (free of charge, no licenses, no extra HW/VM). Best solution for no extra money.

Hi XSilver,

Problem was that we wanted to reduce costs which have been repeated (and not paid for by client) after we had to upgrade each DC agent on multiple sites to match the Firewall OS version. We have a habit to upgrade FortiOS when we can to latest stable release for security reasons with pretty much all the clients and worrying about update of DCAgent updates have lead to decision to go LDAP agentless. The idea was that only FortiGate Upgrade needs to happen, no more. That is why we decided to use LDAP. The site has more than 20 users but we have had no issues with accuracy of LDAP agent-less until now. I do understand your points, but we will stick to agent-less until we run into requirement it cannot fulfill.

To supplement your info this is what I got from TAC today. The info might be handy for some techs here:

The releases are planned (!) for:

6.4.7 beginning of September

7.0.2 beginning of October

6.2.10 for the beginning of November

Please keep in mind that these are planned only, the releases could be delayed

Good luck,

FortiOS 6.4.7 has been released and includes the Polling fix: FortiOS Release Notes | FortiGate / FortiOS 6.4.7 | Fortinet Documentation Library

725056

FSSO local poller fails after recent Microsoft Windows update ( KB5003646, KB5003638, ...).

Note however that there's another Polling issue still listed under Known issues:

722234

FSSO AD polling mode connector does not work with LDAPS.

Russ

NSE7

Thanks for reminder about FOS 6.4.7.

List of fixed versions of FortiOS and FortiAuthenticator in my post from 13th August.

Tukan wrote:

Problem was that we wanted to reduce costs which have been repeated (and not paid for by client) after we had to upgrade each DC agent on multiple sites to match the Firewall OS version.

I was reading some older posts and that quite common misunderstanding caught my attention.

If there is FortiGate (FGT in short) talking via FSSO protocol to some Collector Agent (multiple FGTs and multiple Collectors possible).

Then they are suggested to roughly match the versions.

Which means that if you had FGT version 5 or 6, you should have Collector of version 5 at least (4.3 collectors "died" with FortiOS 4.3 years ago).

If you have nowadays FGT version 6 or freshly released 7.x then you can still use Collector of version 5.

Think about it in intentions of interoperability, like if the Collector would be for example RADIUS or LDAP server.

Yes, Collector does evolve over the time as FSSO protocol also evolve.

But FortiOS and Collector agents are independent entities!

And so generally speaking ANY FortiOS 5.x  and above can talk to ANY Collector running on 5.x version and there are no problems expected.

Yes, FortiOS Release Notes does contain interoperability section. And FSSO version is mentioned there. But that is latest tested version (as FortiOS and FSSO are usually released together). It is also fully supported version. However it does not mean that older versions will not work.

What is more important is to keep Collector and agents on the same version !

As those FSSO elements interact more often and carry more info between each other.

Communication towards FGT is more standardized and more or less same for years. The only differences coming in are new features like FortiNAC or FortiEMS tags being delivered to FGT over FSSO.

But if you would not need those features or you run older version of Collector, it will simply not offer just that single particular feature to FGT.

Anything else, and older, is supposed to work as before.