FSSO in DC agent mode needs a DC agent installed on each Domain Controller and a Collector Agent.
1- A user logs on to the domain; the DC agent on the Domain Controller captures this logon information.
2- The Collector Agent receives this information on UDP 8002 (it may receive only the name of the machine, so it has to resolve it).
3- The FortiGate receives the information on TCP 8000.
-Polling uses the SMB protocol (TCP 445) to request the event logs, with TCP 135, TCP 139 and UDP 137 as fallbacks.
-The event logs must be enabled on the domain controllers (except when using NetAPI).
-The DC does not give the IP, just the name of the workstation, so the collector needs to resolve it with a valid DNS.
-NetAPI reads the authenticated sessions from the DC's RAM through NetSessionEnum. It is the fastest method, but under heavy traffic it can miss some logon events (it does not use the logs).
-WinSecLog does not miss any logon events; it uses the event logs to get that information, so it is the slowest method and has delays.
-WMI reads only the selected log events and is an improvement over WinSecLog.
*******NTLM***********
It can be used only in a Windows infrastructure.
NTLM is used as a fallback for FSSO; the FortiGate cannot understand NTLM by itself, so it needs a Collector Agent.
***********FSSO configuration**********
If the FSSO user group source is set to Collector Agent, then the Collector Agent can run in either mode, standard or advanced.
If it is set to local, then the Collector Agent must be set to advanced mode.
*****************Troubleshooting************
You need to have the log level at NOTIFICATION or INFORMATION.
1-Ensure that you have all the ports you need open (139, 445, 389, 445, 636).
2-Guarantee a minimum of 64 kbps between the FortiGate and the domain controllers.
3-Configure the timeout timer to flush inactive sessions.
4-Ensure DNS is working properly.
5-Never set the workstation verify interval timer to 0.
6-Include all FSSO groups that are not filtered out in the firewall policy when using passive authentication.
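Two points above (the collector only gets workstation names from the DC and must resolve them, and inactive sessions must be flushed by a timeout) can be seen in a small model of the collector's logon table. This is an added example, not Fortinet code: the events, the FAKE_DNS map and the timer values are constructed, and the resolver argument exists only so the example runs offline.

```python
import socket

# Constructed logon events in the shape the collector receives from a DC agent:
# the DC reports the workstation NAME, never its IP. All values are made up.
LOGON_EVENTS = [
    {"user": "alice", "workstation": "WS-ALICE", "seen": 100},
    {"user": "bob",   "workstation": "WS-BOB",   "seen": 400},
    {"user": "carol", "workstation": "WS-GHOST", "seen": 450},  # no DNS record
]

# Stand-in for the collector's DNS lookups so the example runs offline (constructed).
FAKE_DNS = {"WS-ALICE": "10.0.1.11", "WS-BOB": "10.0.1.12"}


def resolve_workstation(name, resolver=None):
    """Return the IP for a workstation name, or None if it cannot be resolved.
    `resolver` is a dict for offline use; without it, real DNS is queried."""
    if resolver is not None:
        return resolver.get(name)
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def build_logon_table(events, now, timeout, resolver=None):
    """Build the IP -> user map the FortiGate needs to match traffic to users.

    Entries idle for longer than `timeout` seconds are flushed (the inactive
    session timer). Events whose workstation name does not resolve are returned
    separately: without an IP the logon cannot be applied to any traffic,
    which is why a working DNS is on the troubleshooting list."""
    if timeout <= 0:
        raise ValueError("timer must be positive; 0 would never flush anything")
    table, unresolved = {}, []
    for ev in events:
        if now - ev["seen"] > timeout:
            continue                      # stale session: flush it
        ip = resolve_workstation(ev["workstation"], resolver)
        if ip is None:
            unresolved.append(ev["workstation"])
            continue
        table[ip] = ev["user"]            # latest logon seen on an IP wins
    return table, unresolved


if __name__ == "__main__":
    print(build_logon_table(LOGON_EVENTS, now=500, timeout=300, resolver=FAKE_DNS))
```

Unresolved names are the entries that show up as logons on the collector but never become usable FSSO sessions on the FortiGate.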
********Commands**********
diagnose debug authd fsso list ; shows the list of active FSSO sessions
diagnose debug fsso-polling detail ; shows information about the polling the FortiGate is doing in agentless mode (read log offset)
diagnose debug application fssod -1 ; enables real-time debug output for the agentless polling daemon