FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 194621


This article describes the two modes of retrieving user information from domain controllers for FSSO that are available on the FSSO collector agent.

When configuring FSSO as agentless, in that case the FortiGate provides polling from the domain controllers (shown in FortiGate GUI under External Connectors as 'Active Directory Connector').
DC-Agent mode is available only from the Collector Agent or FortiAuthenticator.


DC-Agent mode.

In DC Agent mode, a Fortinet authentication agent is installed on each domain controller.
These DC agents monitor user logon events and send the information to the collector agent, which stores the information and sends it to the FortiGate.

The DC Agent installed on the domain controllers is not a service like the Collector agent — it is a DLL file called 'dcagent.dll' and is installed in the Windows\system32 directory. 
This enables the DC-Agent to directly read authentication events from the Local Security Authority Subsystem Service (LSASS).

DC Agent mode provides reliable user logon information, however install a DC agent on every domain controller is necessary.
A reboot is needed after the agent is installed. Each installation requires some maintenance as well. For these reasons it may not be possible to use the DC Agent mode.

Each domain controller connection needs a minimum guaranteed 64 kbps bandwidth to ensure proper FSSO functionality.
Configure traffic shapers on the FortiGate to ensure this minimum bandwidth is guaranteed for the domain controller connections.

Polling Mode.

Having a DC-Agent installed on every domain controller can ensure the maximum accuracy for detecting user logon.
However, some users do not want to have third party software installed on their domain controllers.

In polling mode there are three options: NetAPI polling, Event log polling, and Event log using WMI.
All share the advantages of being transparent and agentless.
However, when using local polling from the FortiGate directly, there is no such option, only Event Log Polling is used.

1) NetAPI polling is used to retrieve server logon sessions.
This includes the logon event information for the Controller agent.
NetAPI runs faster than Event log polling but it misses some user logon events under heavy system load.
It requires a query round trip time of less than 10 seconds.

2) Event log polling may run a bit slower, but will not miss events, even when the installation site has many users that require authentication.
It does not have the 10 second limit on NetAPI polling.
Event log polling requires fast network links. Event log polling is required if there are Mac OS users logging into Windows AD.

The FortiGate integrated poller can use only this polling method (shown in FortiGate GUI under External Connectors as 'Active Directory Connector').
Other event polling methods are exclusive to FortiAuthenticator or FSSO Collector Agent.

3) Event log using WMI polling: WMI is a Windows API to get system information from a Windows server, CA is a WMI client and sends WMI queries for user logon events to DC, which in this case is a WMI server. Main advantage in this mode is that CA does not need to search security event logs on DC for user logon events, instead, DC returns all requested logon events via WMI. This also reduces network load between CA and DC.

In polling mode, the Collector Agent polls port 445 of each domain controller for user logon information every few seconds and forwards it to the FortiGate .
There are no DC Agents installed, so the Collector agent polls the domain controllers directly.

Related KB article:

Technical Tip: Windows event IDs used by FSSO in WinSec polling mode