Polling mode: Collector Agent or agentless

***********DC agent mode***********

Recommended.
It needs a DC agent installed on each domain controller plus a Collector Agent.

1- A user tries to log in through the domain controller; the DC agent captures this logon information.
2- The Collector Agent receives this information on UDP 8002 (it may receive only the name of the machine, so it has to resolve it).
3- The FortiGate receives the information on TCP 8000.

*************Collector Agent Mode**********

It is easier to install than DC agent mode.

-It uses SMB (TCP 445) to request the event logs, with TCP 135, TCP 139 and UDP 137 as fallbacks.
-The event logs must be enabled on the domain controllers (except when using NetAPI).
-The DC does not give the IP, just the name of the workstation, so the collector needs to resolve it through a working DNS.

Collector agent-based polling mode options

-NetAPI reads the authenticated sessions from RAM through NetSessionEnum. It is the fastest method, but if there is a lot of traffic it can miss some logon events. (It does not use the logs.)
-WinSecLog does not miss any logon events; it uses the event logs to get that information and is the slowest method. It has delays.
-WMI just reads the selected log events and is an improvement over WinSecLog.

******Agentless Polling Mode***********

The only polling option is WinSecLog, with event IDs 4768 and 4769.
It cannot connect directly to workstations.

*******NTLM***********
It can be used only in a Windows infrastructure.

NTLM is used as a fallback for FSSO; the FortiGate cannot understand NTLM by itself, so it needs a Collector Agent.

If there are multiple domains, there are two cases:

1-If the domains are in the same AD forest, you need only one DC agent.
2-If the domains are in different AD forests, you need a DC agent per domain.

***********FSSO configuration**********

Agentless polling mode uses "Poll Active Directory Server".

Collector-based polling and DC agent mode use "Fortinet Single Sign-On".

If the FSSO user group source is set to Collector Agent, it can use both Collector Agent modes, standard and advanced.
If it is set to local, it needs to be set to advanced.

Set Directory Access Information

Standard : Domain\username ; security profiles just cannot be applied to groups
Advanced : CN=User, OU=name, DC=Domain ; you can apply security profiles to the users; you can configure the group filter on the FortiGate too, but that is not recommended.

*****************Troubleshooting************
You need to have the logs at NOTIFICATION or INFORMATION level.

1-Ensure that you have all the ports you need open (139, 445, 389, 445, 636).
2-Guarantee a minimum of 64 kbps between the FortiGate and the domain controllers.
3-Configure the timeout timer to flush inactive sessions.
4-Ensure DNS is working properly.
5-Never set the workstation verify interval timer to 0.
6-Include all FSSO groups that are not filtered out in the firewall policy when using passive authentication.
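As an added example (not from these notes and not Fortinet's code), a small Python model of the WinSecLog polling path described above: it keeps only events 4768 and 4769, resolves the workstation names the DC reports through a stand-in DNS table, builds the user-to-IP session table, and flushes sessions idle longer than the timeout timer from the troubleshooting list. The event records, the DNS table, the simplified field names and the timeout value are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FSSO_POLLED_EVENT_IDS = {4768, 4769}   # the only event IDs the agentless WinSecLog poll reads

# Constructed sample Security-log records; as in the notes, the DC reports the
# workstation by name only, never by IP. Field names are simplified (assumption).
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": 100, "User": "alice", "Workstation": "WS-ALICE"},
    {"EventID": 4624, "Time": 105, "User": "svc",   "Workstation": "WS-SVC"},    # not polled
    {"EventID": 4769, "Time": 110, "User": "bob",   "Workstation": "WS-BOB"},
    {"EventID": 4769, "Time": 120, "User": "carol", "Workstation": "WS-GHOST"},  # no DNS record
    {"EventID": 4769, "Time": 400, "User": "alice", "Workstation": "WS-ALICE"},
]

# Stand-in for the DNS the collector must be able to query (constructed mapping).
DNS_TABLE = {"WS-ALICE": "10.0.0.11", "WS-BOB": "10.0.0.12"}

@dataclass
class SessionTable:
    sessions: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # user -> (ip, last_seen)
    unresolved: List[str] = field(default_factory=list)                 # names DNS could not resolve

def resolve_workstation(name: str, dns: Dict[str, str]) -> Optional[str]:
    """Resolve a workstation name to an IP; None models a broken or incomplete DNS."""
    return dns.get(name.upper())

def poll_winseclog(events: List[dict], dns: Dict[str, str], now: int, timeout: int) -> SessionTable:
    """Turn polled log records into user -> IP sessions, then flush inactive ones."""
    table = SessionTable()
    for ev in events:
        if ev["EventID"] not in FSSO_POLLED_EVENT_IDS:
            continue                                    # other logon-related events are ignored
        ip = resolve_workstation(ev["Workstation"], dns)
        if ip is None:
            table.unresolved.append(ev["Workstation"])   # no IP means no usable session
            continue
        table.sessions[ev["User"]] = (ip, ev["Time"])    # a newer event refreshes last_seen
    # Timeout timer from the troubleshooting list: drop sessions idle longer than `timeout`
    # so a stale user -> IP mapping does not keep matching firewall policies.
    table.sessions = {u: s for u, s in table.sessions.items() if now - s[1] <= timeout}
    return table

if __name__ == "__main__":
    result = poll_winseclog(SAMPLE_EVENTS, DNS_TABLE, now=450, timeout=300)
    print("active sessions:", result.sessions)        # alice only; bob, idle since 110, is flushed
    print("unresolved names:", result.unresolved)      # ['WS-GHOST']
```

An unresolved name shows up as a missing session rather than an error, which is why "Ensure DNS is working properly" sits in the troubleshooting list.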

********Commands**********
diagnose debug authd fsso list ; shows the list of active FSSO sessions

exec fsso refresh ; refreshes the list

diagnose debug enable

diagnose debug authd fsso server-status ; checks connectivity between the Collector Agent and the FortiGate; look at it

diagnose debug fsso-polling detail ; shows information about the polling the FortiGate is doing in agentless mode (read log offset)
diagnose debug application fssod -1 ; enables real-time debug output for the agentless polling daemon