Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Marcos_de_Oliveira
New Contributor

FSSO with forwarded event logs

Hi,

 

We are trying an FG1500D and I would like to know if it's possible to do FSSO with the agent installed in a non-DC machine with subscription to forwarded AD's security event logs. The difference is that in the DC, the agent would read the "security" events and in this case, it should read the "forwarded" events. It would improve implementation also, as we have 8 DC's. With event log forwarding, we could centralize the security events in a machine and install the agent only there, and not in every DC. We also have policy of not installing third party software in Domain Controllers. 

FG3000D

FG3000D
1 REPLY 1
Fishbone_FTNT

Hi marcossantos,

FSSO Collector Agent doesn't work like you think. FSSO CA can poll all your 8 DCs itself, you don't have to forward their events anywhere.  FSSO CA fetches them all.

Just FSSO CA needs to run on Domain member server, preferably with Domain Administrator privileges. Why? It needs to: * open event log over RPC or over WMI 

* enumerate users groups (windows groups or LDAP)

* perform workstation check (active check on user's workstation), WMI or RRA

 

It's good idea(tm) to follow most typical usage, as described above.

 

NOT RECOMMENDED, BUT DOABLE:

In case you are in very special situation and really MUST NOT run it on Windows Domain server, you need to really tweak it:

- install DCAgents on DCs : they will forward logons from LSASS (Dcagent is LSASS-loaded dll)

- install and run FSSO CA on non-domain server as local admin user

- disable workstation checks by setting 0 to both 'Dead Entry Timeout' and 'Workstation Verify interval'

- set FSSO CA to Advanced Mode and fill in LDAP credentials

- you will need to edit registry to add monitored domain (domain won't be detected automatically) 

 

In this mode, FSSO won't check actively on workstations user status, but it will work otherwise. If you decide to go this hard way, let me know I will post here more detailed description. Again, I don't recommend to step out this way.

 

Fishbone )(

 

smithproxy hacker - www.smithproxy.org

Labels
Top Kudoed Authors