Re: When FSSO is disconnected
Not sure I understand your topology, but ..
- if the Collector Agent (and so AD, probably) is behind a VPN, let's say we talk about the user list on a FGT which is in a branch office, and the Collector is behind an IPsec VPN to HQ, where AD, LDAP and the Collector are
- then if this VPN goes down, the Collector in HQ becomes unreachable and the FSSO user list is pending update
- then this FSSO user list will be kept for those 5 minutes from the time when the branch FGT detected that the socket and connection to the Collector in HQ is down
- after those 5 minutes, all the FSSO users known from this, at the moment, unreachable Collector will be removed, with all consequences to sessions
Not sure how Sophos or other vendors do this, or if they keep users as pseudo-authenticated forever. I don't know.
FortiGate has this graceful 5-minute period and then those users are seen as unauthenticated, as their identity cannot be verified over FSSO anymore.
If this is the case and your VPN flaps often and is down for more than 5 minutes, then I'd suggest having some authentication fallback method.
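To make the timing described in this reply concrete, the following is an added example (not code from the post, nor from Fortinet) that replays a constructed sequence of collector up/down and logon events and reports which FSSO users would be dropped. It assumes a fixed 300-second grace period, that a reconnect before the grace period elapses keeps the list and resets the timer, and that no new logons are learned while the collector is unreachable; the event format and the sample timestamps are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

GRACE_SECONDS = 5 * 60  # assumed: the 5-minute grace period described in the reply

# (timestamp, kind, args) with kind in {"logon", "down", "up"}; "logon" args are (user, ip)
Event = Tuple[int, str, tuple]


def simulate_fsso(events: List[Event], now: int, grace: int = GRACE_SECONDS):
    """Replay collector-connectivity and logon events in time order.

    Returns (active_users, removals): active_users maps user -> ip as seen at
    `now`; removals lists (expiry_time, user) for every user dropped because
    the collector stayed unreachable for at least `grace` seconds.
    """
    users: Dict[str, str] = {}
    removals: List[Tuple[int, str]] = []
    down_since: Optional[int] = None

    def expire_if_due(t: int) -> None:
        # Once the outage reaches the grace period, the whole list learned from
        # that collector is flushed; the expiry is stamped at down_since + grace.
        if down_since is not None and t - down_since >= grace:
            expiry = down_since + grace
            for user in sorted(users):
                removals.append((expiry, user))
            users.clear()

    for t, kind, args in sorted(events, key=lambda e: e[0]):
        expire_if_due(t)
        if kind == "logon":
            if down_since is None:  # assumed: logons only arrive while the collector is reachable
                user, ip = args
                users[user] = ip
        elif kind == "down":
            if down_since is None:
                down_since = t  # first detection of the lost socket starts the timer
        elif kind == "up":
            down_since = None  # reconnected before expiry: list kept, timer reset (assumed)
        else:
            raise ValueError(f"unknown event kind: {kind}")

    expire_if_due(now)
    return users, removals


# Constructed sample: two logons, a short VPN flap (150 s), then a longer outage.
SAMPLE_EVENTS: List[Event] = [
    (0, "logon", ("alice", "10.1.1.10")),
    (10, "logon", ("bob", "10.1.1.11")),
    (100, "down", ()),
    (250, "up", ()),
    (400, "down", ()),
]


def outage_exceeds_grace(events: List[Event], now: int, grace: int = GRACE_SECONDS) -> bool:
    """True if, by `now`, some outage has been long enough to drop FSSO users."""
    _, removals = simulate_fsso(events, now, grace)
    return bool(removals)


if __name__ == "__main__":
    for now in (600, 800):
        active, dropped = simulate_fsso(SAMPLE_EVENTS, now)
        print(f"t={now}: active={active} dropped={dropped}")
```

At t=600 the second outage is only 200 seconds old, so both users are still in the list; at t=800 it has lasted 400 seconds, so both are removed with an expiry of 700. Feeding real connectivity gaps (for instance from VPN tunnel logs) into `outage_exceeds_grace` is a quick way to judge whether the fallback method the reply recommends is needed.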