Description
This article illustrates how and why to use the FSSO Collector Agent ‘Ignore User List’ option.
Solution
In principle, FSSO Collector Agents capture all (user) account logins generated on monitored Domain Controllers, whether in polling mode or DC Agent mode. This includes service accounts and admin accounts as well.
In addition, FSSO only accounts for one user per IP (except for terminal servers and the specific Terminal Server Agent), and the Collector Agent will overwrite an existing login on an IP if another login event on the same IP is observed.
This means, for FSSO to work as expected, it is necessary to exclude certain accounts to prevent login information from being overwritten. Generally, service accounts and some admin accounts need to be excluded to prevent them from overwriting valid user logins when a login event is triggered by a service account or admin. FSSO Collector Agent provides the ‘Ignore User List’ option for this purpose.
To configure the Ignore User List:
1) From the Start menu, select Programs -> Fortinet -> Fortinet Single Sign On Agent and configure Fortinet Single Sign On Agent.
2) In the Common Tasks section, select 'Set Ignore User List'. The current list of ignored users is displayed:
3) The current list can now be updated:
- To remove a user from the list: select the username and then select Remove. The user’s login is no longer ignored.
- To add users to be ignored: Enter the username in the appropriate format (AD or LDAP syntax), then select 'Add' or 'Add Users'.
An 'Add Ignore Users' window is displayed; checkmark the users that are not to be monitored (so will be actively ignored by FSSO Collector Agent), then select 'Add'.
- To remove a user from the list: select the username and then select Remove. The user’s login is no longer ignored.
- To add users to be ignored: Enter the username in the appropriate format (AD or LDAP syntax), then select 'Add' or 'Add Users'.
An 'Add Ignore Users' window is displayed; checkmark the users that are not to be monitored (so will be actively ignored by FSSO Collector Agent), then select 'Add'.
- Also it is possible to add the user with a wild card Ignore list either with * or ? as shown in the below image. It is possible to use * in case of having a variable name at the end as shown in image 1 and use ? if the variable name is in the beginning as shown in image 2. Note that number of ? will be the number of variable characters.
Image 1.
Image 2.
Alternatively, select 'Add by OU'; an 'Add Ignore Users by OU' window is displayed, select an OU from the directory tree, then select 'Add'. All users under the selected OU will be added to the Ignore User List.
4) Select OK. The FSSO Collector Agent might restart; currently, logged-on user information will be maintained through the process.
Additional Considerations:
FSSO Collector Agent also provides a group filter option. This has no bearing on what login events are collected and added to the logon user list; group filters only apply to what user login information is actually forwarded to any connected FortiGate.
This, in turn, means if a user account is overwritten by one that does not match the group filter, Collector Agent sends the logoff information to FortiGate, but no new login information and the IP is in effect considered unauthenticated on FortiGate.
4) Select OK. The FSSO Collector Agent might restart; currently, logged-on user information will be maintained through the process.
Additional Considerations:
FSSO Collector Agent also provides a group filter option. This has no bearing on what login events are collected and added to the logon user list; group filters only apply to what user login information is actually forwarded to any connected FortiGate.
This, in turn, means if a user account is overwritten by one that does not match the group filter, Collector Agent sends the logoff information to FortiGate, but no new login information and the IP is in effect considered unauthenticated on FortiGate.
The ‘Ignore User List’ should be used to prevent user logins from being overwritten with other logins that could cause this exact behavior.
