FSSO agent ip exclusion

dieter
2018/08/27 01:53:57

Is there a way to exclude certain IP addresses from collecting authenticated users?
#1


    xsilver_FTNT
    Re: FSSO agent ip exclusion 2018/08/27 23:39:00
    Hi,
     
    dieter
    Is there a way to exclude certain IP addresses from collecting authenticated users?

     
    Yes.
    If your Collector is getting updates from some sources and you do not want those sources to collect authenticated users, then the options are:
     
    1. If in DCAgent mode, simply uninstall the agent from those DCs that you do not want auth info from.
    2. If in polling mode, then remove the DC from the polled controllers.
    3. The list of polled DCs is in the "dc_list"="" key.
    4. The list of connected/known DCAgents is at the end of the exported config from the Collector.
    5. You can ignore updates from a certain DC via the "dc_agent_ignore_ip_list"="" key.
    6. All the keys are in the [HKEY_LOCAL_MACHINE\software\fortinet\fsae] sub-tree.

    Kind Regards,
    Tomas
    #2
    dieter
    Re: FSSO agent ip exclusion 2018/08/28 00:00:43
    dc_agent_ignore_ip_list seems to be an undocumented feature. But it seems to work.
     
    Thank you
    #3
    dieter
    Re: FSSO agent ip exclusion 2018/08/28 04:28:03
    Curious: In the Firewall User monitor I don't see users associated to the excluded IP addresses.
    In the Forward traffic log, however, some traffic from those IPs has a user associated...
     
    In the User event log, I see FSSO logon/logoff events on the excluded IPs. The logoff event for most users is about 3 seconds after the logon event. Probably enough to have some traffic related to a user...
     
    On 5.6.2 by the way.
    #4
    Ackron
    Re: FSSO agent ip exclusion 2018/10/24 07:53:44
    Hello all,
     
    I was wondering this myself. In our case we have multiple users being associated from the Wireless LAN Controller IP.
    As this is Wifi logon, before they have an IP they get associated with the WLC IP, so we wanted to exclude the WLC IP from ever being associated to any user.
     
    Kind regards,
    Peter
    #5
    xsilver_FTNT
    Re: FSSO agent ip exclusion 2018/10/24 08:16:16
    Hi Peter,
    Point 5 from my original post, "dc_agent_ignore_ip_list"="", is the answer.
     

    Kind Regards,
    Tomas
    #6
    dfernturtle
    Re: FSSO agent ip exclusion 2019/02/13 12:23:05
    Any documentation available on how to create this dc_agent_ignore_ip_list key if I have multiple IPs?
    #7
    dieter
    Re: FSSO agent ip exclusion 2019/02/14 00:00:14
    Separated by semicolons seems to work.
    Not documented afaik.
    #8
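
A read-only check of what a Collector host actually holds in this value, as an added PowerShell example that is not from the thread or from Fortinet. It searches the sub-tree named in post #2 and validates each semicolon-separated entry, as described in post #8. The WOW6432Node root, the IPv4-only check and the sample string are assumptions made for the example.

```powershell
# Added example: audit dc_agent_ignore_ip_list without modifying the registry.
$ValueName = 'dc_agent_ignore_ip_list'              # value name given in the thread
$Roots = @(
    'HKLM:\SOFTWARE\Fortinet\FSAE',                 # sub-tree named in the thread
    'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE'      # assumption: 32-bit registry view on 64-bit Windows
)

function Test-IgnoreList {
    param([string]$Raw)
    # Entries are separated by semicolons (per the thread); blanks are dropped.
    $entries = $Raw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $ip = $null
        # Assumption: entries are dotted-quad IPv4. The round-trip comparison
        # rejects short forms such as "10.1", which TryParse would accept.
        $ok = [System.Net.IPAddress]::TryParse($entry, [ref]$ip) -and
              $ip.AddressFamily -eq 'InterNetwork' -and
              $ip.ToString() -eq $entry
        [pscustomobject]@{ Entry = $entry; ValidIPv4 = $ok }
    }
}

$found = $false
foreach ($root in ($Roots | Where-Object { Test-Path $_ })) {
    # The thread only names the sub-tree, so search the root and every sub-key.
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        if ($key.GetValueNames() -contains $ValueName) {
            $found = $true
            $raw = [string]$key.GetValue($ValueName)
            "{0} : '{1}'" -f $key.Name, $raw
            Test-IgnoreList $raw | Format-Table -AutoSize | Out-String
        }
    }
}
if (-not $found) { "No $ValueName value found under the searched sub-trees." }

# Constructed sample (documentation addresses), so the parser can be tried
# on a machine without a Collector installed.
$sample = '192.0.2.10;192.0.2.11; 10.1;wlc01'
Test-IgnoreList $sample | Format-Table -AutoSize | Out-String
```

For the constructed sample, the first two entries are reported as valid and `10.1` and `wlc01` as invalid.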