Not a mistake if it is clear what the environment is doing and, of course, what FSSO is doing.
FSSO works as:
- user logs on to Windows (domain joined)
- DC receives a logon event from this PC (which one: check in the CLI on the client: echo %LOGONSERVER%)
- Collector Agent either polls the DC(s) or receives the users via DCAgent, if installed and configured to send to the Collector
- Collector resolves the machine workstation of the client for the IP, looks up user group membership to satisfy the configured group filter.
- If filter is satisfied, the FortiGate will receive the event with IP+user+group.
- Additionally, Collector will check against its collected users/IPs whether these are still online (that is the check you noticed) and whether the IP of the workstation has changed (IP change interval, to verify run nslookup on the Collector host for the workstation).
Here you can of course influence a few factors. Only the hosts listed in the logon user list on the collector will be contacted. If the collector fails to connect, the user will be listed as "not verified". The dead entry timer on the GUI will start for this user and once elapsed, the user will be removed.
If you have users from other sites, the collector has received them via DCAgent or polling some of the DCs. Fix this, if required.
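The flow described in the post above (group filter, workstation check, "not verified" state, dead entry timer), as a simplified model. This is an added example, not part of the original post and not Fortinet's code; the class and method names, group name, hostnames, IPs and timeout value are constructed, and keeping only filter-matching users in the list is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    user: str
    groups: list
    verified: bool = True
    dead_since: Optional[float] = None  # when the dead entry timer started

class CollectorModel:
    """Simplified model of the Collector Agent steps listed in the post."""
    def __init__(self, group_filter, dead_entry_timeout):
        self.group_filter = set(group_filter)
        self.dead_entry_timeout = dead_entry_timeout  # seconds
        self.logons = {}  # logon user list: ip -> Entry
        self.sent = []    # events forwarded to the FortiGate

    def logon_event(self, user, workstation, groups, dns):
        """Handle one logon received via DC polling or DCAgent."""
        ip = dns.get(workstation)  # resolve workstation name to IP
        matched = sorted(self.group_filter & set(groups))
        if ip is None or not matched:
            return False           # filter not satisfied: nothing is sent
        self.logons[ip] = Entry(user, matched)
        self.sent.append((ip, user, matched))  # IP + user + group
        return True

    def workstation_check(self, reachable, now):
        """Contact only hosts in the logon user list; return removed users."""
        removed = []
        for ip, entry in list(self.logons.items()):
            if ip in reachable:
                entry.verified, entry.dead_since = True, None
                continue
            entry.verified = False             # shown as "not verified"
            if entry.dead_since is None:
                entry.dead_since = now         # dead entry timer starts
            elif now - entry.dead_since >= self.dead_entry_timeout:
                removed.append(self.logons.pop(ip).user)
        return removed

# Constructed sample data (hypothetical names and addresses).
DNS = {"WS-01": "10.1.0.15", "WS-02": "10.1.0.16"}
```
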