Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
theFWdude
New Contributor

Fortinet SSO - 5.1.1

Anyone leveraging their FAC for FSSO? Are you using domain polling? I'm trying to avoid agent deployments if possible, but I feel as though polling isn't catching all the users that are logged in.

-TFWD

xsilver_FTNT
Staff

Hi,

If you are thinking about polling, then I'd suggest WinSec, which is the default on FAC and one of the options on a standalone Collector Agent.

Collector Agent (CA hereinafter) is the FSSO component that collects data from pollers or agents (DCAgent/TSAgent/SSOMA). A similar CA exists in a standalone FSSO deployment, or in FGT or FAC, both of which are also capable of certain sorts of FSSO.

If you have thoughts and feelings, then get some proof: compare logons in AD with those processed in CA.

Switch FAC's SSO/General/Log level to debug, then observe http://FAC-IP/debug/ and choose FSSO Agent there.

Use Monitor to check logged-on users.

In general I would recommend using agent mode, especially for larger and geographically spread deployments.

But polling might be pretty suitable and work well for small/mid-sized deployments. Size is determined by network distances between components and the number of logon events processed.

FSSO CA processes just certain logon events; not all MSFT logons contain useful info (from the FSSO standpoint).

Check KB.Fortinet.com for the list of processed events per catching method; they differ slightly for polling and agents. This, surprisingly, makes polling slightly better suited for mixed environments where different domain connectors, like those for Mac OS, coexist alongside standard all-MSFT workstations.

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
