Active Directory Fabric Connector & timers

Author
Jond
2020/08/17 07:21:26 (permalink)
0

Hi there,
 
We're using the Active Directory Fabric connector.
 
Is there an equivalent to the various FSSO timers:
 
Dead entry timeout interval
Workstation verify interval 
 
 
I've tried various searches and I'm imagining that it's in the CLI somewhere?
 
Cheers

Jon
#1

    Jond
    Re: Active Directory Fabric Connector & timers 2020/08/21 03:11:06 (permalink)
    5 (1)
    Eventually solved using a ticket
     
    Solution Provided:
    config user fsso-polling
    edit 1
    set logon-history <int> (0-48)
    next
    end
     
    - The default setting is for 8 hours.
    - It can be set up to 48 hours.
    - It can also be configured as 0 which results in no timeout at all.
     
    #2
    xsilver_FTNT
    Re: Active Directory Fabric Connector & timers 2020/09/11 01:36:29 (permalink)
    0
    Hi,
    That's basically the dead entry timer, as the option 'logon-history' applies to the FSSO connector where FortiGate is the Collector Agent and does direct polling of WinSec records from AD. In CLI: 'config user fsso-polling'.
    There is no workstation check done by FortiGate, AFAIK.
     
    However, you do have a second option in FSSO Connectors: to connect to an outer Collector Agent, which could be FortiAuthenticator or a standalone Collector with the mentioned dead entry timeout and other options.
    I would prefer this one over direct polling, exactly for those options: polling WMI, workstation checks, the ability to specify Event IDs to process, the ability to combine multiple other sources like RADIUS Accounting into FSSO, scalability and stability. Also for performance, as that SSO info will be processed at the source, in the collector, and just the results sent to FortiGate. This is in contrast to direct polling, where precious CPU/RAM of the firewall itself is used to process those logons, and with huge logon event numbers the fssod/authd combo processing those events might get overloaded, and so CPU on FortiGate spikes.
    That second connector to an outer Collector Agent is in CLI as 'config user fsso'.

    Kind Regards,
    Tomas
    #3