Hot!FSSO Collector Agent best practice

Marcos de Oliveira
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/04/06 05:19:52
  • Status: offline
2019/02/22 06:26:58 (permalink)

FSSO Collector Agent best practice

We recently acquired a pair of FG3000D and the technician that helped us in the implementation told us to install the FSSO Collector Agent in every DC.
We even discussed about installing CA in just two DCs and install DC Agent in the other 6, but he told us that it would make no difference in the DC performance. He told us that installing CA in every DC was best practice. But as FG 3000D can connect to at most 5 CA, I was thinking about uninstalling it from 6 DCs and installing DC Agent on them and keep CA in two DCs, because it would be better to configure, as CA can synchronize only filters and for the other configuration I need to connect to every one of the 8 DCs if I need to modify something.
I found out that having CA in every DC makes everyone of them swap message, like in a full mesh.
So my question is: is it really best practice to install CA in every DC, does it make any difference?
How do I need to proceed with the removal of CA and installation of DC Agent? Do I need to reboot the DC two times? Like remove CA -> Reboot and then Install DC Agent -> Reboot? Or can I Remove CA, Install DC Agent and only then reboot?
Expert Member
  • Total Posts : 449
  • Scores: 103
  • Reward points: 0
  • Joined: 2015/02/02 03:22:58
  • Location: EMEA
  • Status: offline
Re: FSSO Collector Agent best practice 2019/02/22 13:25:29 (permalink)
well, actual design depend on your network layout.
But if you do have 6 DCs in same location (close to each other from network point of view (RTT)), then I would go for 2 Collector Agents (CA) and  .. either do polling WinSec+WMI towards all DCs or install DCAgents to all of them.
Single FGT config of FSSO Agent will connect and communicate with one CA only regardless it might have more CAs inside config. Here it sometimes make sense to have more FSSO Agents in FGT, for example splitting per location or each group handling different domain and respective DCs.
Reboot .. well it depends if you already installed DCAgent alongside with CA to DC. Then it will be two reboots.

Kind Regards,
Jump to:
© 2019 APG vNext Commercial Version 5.5