FSSO

FSSO Components

(Component diagram, reconstructed as a list of the agents and the ports between them)
Windows domain controller without agent (polling): the FortiGate polls the DC directly over TCP 445 (agentless polling)
Windows server with collector agent (CA): the CA polls domain controllers over TCP 445 and sends logon information to the FortiGate over TCP 8000
Windows domain controller with DC agent: the DC agent sends logon events to the CA over UDP 8002
Terminal or Citrix server with TS agent: the TS agent sends logon events to the CA over UDP 8002
FSSO Modes

DC agent:
o A DC agent installed on each domain controller forwards logon events to the collector agent (UDP 8002, see FSSO Components)
Polling:
o NetAPI: polls the NetSessionEnum API every 9 seconds
o WinSecLog: polls all security event logs every 10 seconds; polls can be done directly from the FortiGate (agentless polling)
o WMI: polls specific security event logs every 3 seconds
Logon processing on the collector agent (flow chart, reconstructed):
User group in cache? If no, the CA fetches the user's group through LDAP or API directory access, then continues
User group monitored? If no, discard the logon
Ignore user? If yes, discard the logon
Otherwise, send the logon to the FortiGate
Workstation Check

Logon detected: the CA polls known workstations based on the verify interval
If a workstation is not responding, it goes to not verified status
Additional Requirements

TCP ports 139 and 445 must be open between the CA and all workstations
The Remote Registry service must be up and running on each workstation
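The two requirements above can be checked from the collector agent host before a workstation is added to the verify list. The script below is an added example, not part of the course material or of the collector agent itself. It assumes Windows PowerShell 5.1 (Get-Service and Set-Service accept -ComputerName there; PowerShell 7 dropped that parameter), an account that is a local administrator on the workstations, and hypothetical workstation names.

```powershell
# Added example: verify the FSSO workstation-check prerequisites from the collector agent host.
# Assumes Windows PowerShell 5.1 and admin rights on the target workstations (hypothetical names).
function Test-FssoWorkstationPrereqs {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Fix   # set Remote Registry to Automatic and start it where it is stopped
    )
    foreach ($ws in $ComputerName) {
        # The CA reaches workstations over NetBIOS session (TCP 139) and SMB (TCP 445)
        $ports = @{}
        foreach ($p in 139, 445) {
            $ports[$p] = (Test-NetConnection -ComputerName $ws -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        # Remote Registry must be running, otherwise the workstation ends up "not verified"
        $svc = Get-Service -ComputerName $ws -Name RemoteRegistry -ErrorAction SilentlyContinue
        if ($Fix -and $svc -and $svc.Status -ne 'Running') {
            try {
                Set-Service -ComputerName $ws -Name RemoteRegistry -StartupType Automatic
                $svc.Start()
                $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(15))
                $svc.Refresh()
            } catch {
                Write-Warning "$ws : could not start Remote Registry ($($_.Exception.Message))"
            }
        }
        [pscustomobject]@{
            Workstation    = $ws
            Tcp139         = $ports[139]
            Tcp445         = $ports[445]
            RemoteRegistry = if ($svc) { [string]$svc.Status } else { 'not reachable' }
            Ready          = [bool]($ports[139] -and $ports[445] -and $svc -and $svc.Status -eq 'Running')
        }
    }
}

# Usage (hypothetical workstation names); add -Fix to start Remote Registry where it is stopped
Test-FssoWorkstationPrereqs -ComputerName 'WS-01', 'WS-02' | Format-Table -AutoSize
```

A workstation that reports Ready = False here will not answer the CA's verify poll, so it is the first thing to look at when users drop to "not verified" status.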
FSSO Troubleshooting

Check FortiGate:

CA to DC Connectivity
DC Logon Events

Use Windows Event Viewer:
o Search event IDs 4768, 672, 680 and 4776 with audit success
o 4768 is a Kerberos TGT request and 4776 an NTLM credential validation; 672 and 680 are their pre-Windows Server 2008 equivalents
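The same search can be scripted on the DC, which is quicker than Event Viewer when checking whether a particular user's logon ever reached the domain controller the CA is polling. This is an added example, not from the course material or from Fortinet; it assumes it runs on the domain controller (or with -ComputerName) under an account allowed to read the Security log, and the user name in the usage line is hypothetical.

```powershell
# Added example: list the DC logon events that FSSO polling relies on (not from the course material).
# Run on the domain controller, or pass -ComputerName, with rights to read the Security log.
function Get-FssoDcLogonEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 1
    )
    # Audit Success keyword (StandardEventKeywords.AuditSuccess = 0x20000000000000)
    $auditSuccess = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess
    $filter = @{
        LogName   = 'Security'
        Id        = 4768, 4776, 672, 680   # 672/680 are the pre-2008 equivalents of 4768/4776
        Keywords  = $auditSuccess
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Event data lives in the XML payload; turn the Name/#text pairs into a hashtable
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            User   = $data['TargetUserName']
            Domain = $data['TargetDomainName']
            # 4768 carries the client IP address, 4776 the workstation name
            Source = if ($_.Id -eq 4768) { $data['IpAddress'] } else { $data['Workstation'] }
        }
    }
}

# Usage: events for one user over the last two hours (hypothetical user name)
Get-FssoDcLogonEvents -Hours 2 | Where-Object User -eq 'jsmith' | Format-Table -AutoSize
```

If the user's 4768/4776 events are present on the DC but the CA never shows the logon, the problem is between the DC and the CA (polling mode, DC agent, or which DCs the CA monitors); if they are absent, the logon did not reach this DC at all.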
Common Problems

CA does not have the logon information:
o Verify that the CA is monitoring all DCs
User is listed as active in the FortiGate but cannot browse the Internet:
o Check that the CA service is not crashing
o Check for crashes in any of
Logon Override

The CA ignores logon events from anonymous accounts and accounts whose name starts with $
However, some applications generate logon events with different system accounts, overriding the user logon event:
o Microsoft MOM
o RDP
Solution:
The
Workaround:
o Set workstation
Solution: