Re: Active Directory Fabric Connector & timers
That's basically the dead entry timer, as the option 'logon-history' does apply to the FSSO connector where FortiGate is the Collector Agent and does direct polling of WinSec records from AD. In the CLI: 'config user fsso-polling'.
There is no workstation check done by FortiGate, AFAIK.
However, you do have a second option in FSSO Connectors: to connect to an outer Collector Agent, which could be FortiAuthenticator or a standalone Collector with the mentioned dead entry timeout and other options.
I would prefer this one over direct polling, exactly for those options: polling WMI, workstation checks, the ability to specify Event IDs to process, the ability to combine multiple other sources like RADIUS Accounting into FSSO, scalability and stability. Also for performance, as that SSO info will be processed at the source, in the collector, and just the results sent to FortiGate. In contrast to direct polling, where the precious CPU/RAM of the firewall itself is used to process those logons, and with huge logon event numbers the fssod/authd combo processing those events might get overloaded, and so CPU on the FortiGate spikes.
That second connector to an outer Collector Agent is in the CLI as 'config user fsso'.