Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Poll Active Directory server
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Poll Active Directory server
Our AD is hardened and our service accounts are limited in what they can do. I have a service account that I am attempting to poll active directory groups for usernames. Currently my service account can query ldap and view event logs. What other permissions would I need the service account to have. Currently I have a red arrow on my active domain controller.
Our domain controllers are up to date and our Fortimanager is version 6.4.3 build 2201.
The connector does get a green arrow if we use domain admin credentials.
thank you
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Bilel,
unfortunately the pictures were not attached well.
However, for example my lab FortiOS 6.4.5 shows two possibilities in Security Fabric / External Connectors / New External Connector / "Endpoint/Identity" section.
1. FSSO Agent on Windows AD
2. Poll Active Directory Server
Those two are directly related to FSSO.
First "FSSO Agent on Windows AD" will point FGT to external, standalone, Collector Agent. Which can be installed on DC, or on any domain member Windows server class machine. And which, besides other modes, can poll Windows Security log, or query WMI for Windows Security events and specifically for those user logon related ones. That second method referred in Collector Agent as WinSec-WMI is what I would recommend to use. As it will gather just logon events directly via WMI, and relief Collector from extra burden when pure WinSec log is sequentially read and then parsed for just few suitable logon events while majority of collected data are "garbage" for FSSO purpose.
Second, "Poll Active Directory Server" will make FGT to do similar job as Collector does. Polling DCs for logon events. But it is less favorite method for me as it lacks versatility of standalone Collector Agent and brings extra load on FGT side.
If you can not keep WinSec logs, and WMI will not be enough to keep up speed in which your system destroys the evidence, then there is supposed to be MSFT way to duplicate logs to external WinSec log collector. But I never configured it, just hit that as some customers has standalone Collector Agent set to read WinSec logs not from all the DCs but from that single MSFT collector only. But I have little details on how it's made on MSFT side.
Alternatively, in standalone Collector Agent, or directly on FGT side in External Connectors, there is "RADIUS Single Sign-On Agent" .. sometimes referred simply as RSSO. Which is method where collector (no matter if standalone Collector or FGT in that role) learns logons events from provided RADIUS Accounting Start/Stop/Update messages. So for example if your users are authenticated via NPS, for example to WiFi, then NPS or wireless controller (WLC), should be able to send Accounting Requests to collector (again, standalone Collector Agent, or FGT in that role, or even FortiAuthenticator, which is probably not your case and I noted FortiAuthenticator just to complete listing of possible recipients).
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From your comment I'm not sure if you do poll directly from FGT or you are using standalone Collector Agent. And more precisely how do you gather logon events (DCAgents, Polling and which one, Advanced/Standard mode on Collector) ...
However I would suggest to check this KB on 'Restricting FSSO service account'
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36039
For more than few users my favorite setup is standalone Collector Agent polling WinSec+WMI. Two of those Collectors run on DCs for independent and resilient setup, used in a single SSO Connector on FGT side. If more than single FGT is used and same user groups are supposed to be used, then Group Filter defined as Global/Default directly on Collector and so read from FGT. Instead of filter pushed from every single FGT to Colelctor as that setup is then prone to errors on FGT admin side. FMG might eliminate that.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear,
@ xsilver_FTNT. I read your posts and I appreciate your participation
I have the same issue with a Fortigate101E running FortiOS 6.4.6.
I'm working on a POC to deploy FSSO in order to explore NG functionality
As you said, our system department didn't agree to install agent on DCs so we've Installed a windows machine for the collector agent 5.0.0297 with Advanced access information with polling mode.
As I documented, i can conclude that my problem is that the collector couldn't read Event logs on ADs because of the extra number of auth (Company with more than 1500 users) and the small time configured to keep the logs (Logs are redirected to an RSA and deleted within 2 minutes regarding to the size of the Event log file)
#First, I have the External Connectors 'Active Directory Connector' Down. and why we can see user and groups when using FSSO agent on windows AD!
Should we use ''FSSO agent on windows AD'' or AD Connector is enough on polling mode
[image][/image]
Please advice.
Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Bilel,
unfortunately the pictures were not attached well.
However, for example my lab FortiOS 6.4.5 shows two possibilities in Security Fabric / External Connectors / New External Connector / "Endpoint/Identity" section.
1. FSSO Agent on Windows AD
2. Poll Active Directory Server
Those two are directly related to FSSO.
First "FSSO Agent on Windows AD" will point FGT to external, standalone, Collector Agent. Which can be installed on DC, or on any domain member Windows server class machine. And which, besides other modes, can poll Windows Security log, or query WMI for Windows Security events and specifically for those user logon related ones. That second method referred in Collector Agent as WinSec-WMI is what I would recommend to use. As it will gather just logon events directly via WMI, and relief Collector from extra burden when pure WinSec log is sequentially read and then parsed for just few suitable logon events while majority of collected data are "garbage" for FSSO purpose.
Second, "Poll Active Directory Server" will make FGT to do similar job as Collector does. Polling DCs for logon events. But it is less favorite method for me as it lacks versatility of standalone Collector Agent and brings extra load on FGT side.
If you can not keep WinSec logs, and WMI will not be enough to keep up speed in which your system destroys the evidence, then there is supposed to be MSFT way to duplicate logs to external WinSec log collector. But I never configured it, just hit that as some customers has standalone Collector Agent set to read WinSec logs not from all the DCs but from that single MSFT collector only. But I have little details on how it's made on MSFT side.
Alternatively, in standalone Collector Agent, or directly on FGT side in External Connectors, there is "RADIUS Single Sign-On Agent" .. sometimes referred simply as RSSO. Which is method where collector (no matter if standalone Collector or FGT in that role) learns logons events from provided RADIUS Accounting Start/Stop/Update messages. So for example if your users are authenticated via NPS, for example to WiFi, then NPS or wireless controller (WLC), should be able to send Accounting Requests to collector (again, standalone Collector Agent, or FGT in that role, or even FortiAuthenticator, which is probably not your case and I noted FortiAuthenticator just to complete listing of possible recipients).
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi again,
Come back to give a happy news,
I got finally the "FSSO Agent on Windows AD" UP, also the FSSo Collector shows now the FGTs on the Show Service Status.
I can get the User's IDs on the Show Logon Users from the EventLog.
The policy is working using the user's ID
Helpful link: https://forum.fortinet.co...aspx?m=193413&fp=2
I will be available for assistance if any similar problems!
Thanks Again
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Bilel,
What was your solution? The link you provided leads to a page not found.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Emil,
if you're looking for information as to what permissions are required for an FSSO service account, you can check here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restricting-FSSO-service-account/ta-p/1980...
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- please clarify some concepts for performance... 53 Views
- How to overpass outdated Windows certificate... 140 Views
- how to correctly use prefer passive... 156 Views
- Where to start with ZTNA? 140 Views
- Active Directory users on IPsec VPNs... 288 Views
Labels
-
FortiGate
8,428 -
FortiClient
1,701 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
542 -
FortiSwitch
456 -
FortiAP
456 -
6.0
416 -
FortiClient EMS
404 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
211 -
FortiWeb
198 -
5.0
196 -
IPsec
183 -
FortiNAC
175 -
FortiGuard
134 -
6.4
128 -
SD-WAN
109 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
83 -
Customer Service
77 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
51 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
BGP
38 -
DNS
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1645 | |
| 1070 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.