Two sites are connected to the internet with FortiGate 100E units. There is a VPN connection between them and the computers belong to the same Windows domain. There is a domain controller on site A and one on site B, and both have the FSSO Agent installed. On the site A domain controller there are lots of error events related to Collector Agent checks on site B computers. Instead of investigating the specific problem I'm wondering if I have a configuration issue. According to me, the collector agent on site A should check only computers on site A, not those on site B which are visible through the VPN. I think that if I have 10 sites with lots of computers every agent should check only the computers in its LAN, not all the remote ones. Are there some guidelines for the correct configuration in scenarios like this one?
Hi,
the Collector Agent will do a remote registry check to see if the user is still logged in. That will be done against all users on the logon user list (that is where it gets the IPs from).
Generally not a problem, but if you are concerned about bandwidth usage, disable these checks with the GUI setting for workstation verification.
You can have a look at the "Workstation verify interval" on the GUI, lower left.
Best regards,
Markus
I checked the collector agent configuration on the 2 sites. On site A it was monitoring the local domain controller and the remote one too via the installed agent. On the firewalls there are rules involving Windows users and groups, but they don't apply to traffic from subnets on other sites through the VPN. I think every firewall needs to know only the users logged on at its site, not the others, so it is useless for the collector agent to monitor what is happening on the domain controllers of other sites. I'm going to reconfigure the collector agent to monitor only the local DC; is it a mistake?
Hi,
not a mistake if it is clear what the environment is doing and of course what FSSO is doing.
FSSO works as:
- user logs on to Windows (domain joined)
- DC receives a logon event from this PC (which one: check on the client CLI with echo %LOGONSERVER%)
- Collector Agent either polls the DC(s) or receives the users via DCAgent, if installed and configured to send to the Collector
- Collector resolves the client's workstation name to its IP, looks up user group membership to satisfy the configured group filter.
- If the filter is satisfied, the FortiGate will receive the event with IP+user+group.
- Additionally, the Collector will check against its collected users/IPs whether these are still online (that is the check you noticed) and whether the IP of the workstation has changed (IP change interval; to verify, run nslookup on the Collector host for the workstation).
Here you can of course influence a few factors. Only the hosts listed in the logon user list on the collector will be contacted. If the collector fails to connect, the user will be listed as "not verified". The dead entry timer on the GUI will start for this user and once elapsed, the user will be removed.
If you have users from other sites, the collector has received them via DCAgent or polling some of the DCs. Fix this, if required.
Best regards,
Markus
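As an added example (not code from the thread or from Fortinet), a PowerShell script to run on the Collector host that splits the logon user list into local-site and remote-site entries, so you can see which entries must have come in through DCAgent or polling of a remote DC, and optionally repeats the two checks described above: DNS resolution of the workstation name and reachability of TCP 445, the SMB port the remote registry check depends on. The subnet 10.1.0.0/16 and the logon list entries are constructed for the example; the real list has to be exported from the Collector Agent GUI and parsed into objects with User, Workstation and IP fields.

```powershell
# Returns $true when $Ip falls inside the CIDR block $Cidr (IPv4 only).
function Test-InSubnet {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $toInt = {
        param($a)
        $b = ([System.Net.IPAddress]$a).GetAddressBytes()
        [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
    }
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

# Classifies each logon-list entry as local or remote and, with -Probe, repeats the
# Collector's own checks: does DNS still resolve the workstation to the recorded IP,
# and is TCP 445 (remote registry over SMB) reachable at that IP.
function Get-FssoEntryReport {
    param(
        [Parameter(Mandatory)] $Entries,   # objects with User, Workstation, IP
        [string[]]$LocalSubnets,           # this site's LAN ranges in CIDR form
        [switch]$Probe                     # actually touch the network
    )
    foreach ($e in $Entries) {
        $isLocal = [bool]($LocalSubnets | Where-Object { Test-InSubnet $e.IP $_ })
        $dnsIp = $null; $port445 = $null
        if ($Probe) {
            $dnsIp = (Resolve-DnsName -Name $e.Workstation -Type A -ErrorAction SilentlyContinue |
                      Select-Object -First 1).IPAddress
            $port445 = Test-NetConnection -ComputerName $e.IP -Port 445 `
                           -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        [pscustomobject]@{
            User               = $e.User
            Workstation        = $e.Workstation
            IP                 = $e.IP
            Site               = if ($isLocal) { 'local' } else { 'remote' }
            DnsMatchesRecorded = if ($dnsIp) { $dnsIp -eq $e.IP } else { $null }
            RemoteRegistryPort = $port445
        }
    }
}

# Constructed sample list; replace with the exported logon user list.
$logonList = @'
User,Workstation,IP
DOMA\alice,WS-A-01,10.1.20.11
DOMA\bob,WS-B-07,10.2.30.44
'@ | ConvertFrom-Csv

Get-FssoEntryReport -Entries $logonList -LocalSubnets '10.1.0.0/16' | Format-Table
```

Without -Probe the script only classifies entries, which is enough to confirm whether remote-site users are being collected; add -Probe on the Collector host to see which "not verified" entries are simply unreachable over the VPN.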