Jond
New Contributor III

Active Directory Fabric Connector & timers

Hi there,

We're using the Active Directory Fabric connector.

Is there an equivalent to the various FSSO timers:

- Dead entry timeout interval
- Workstation verify interval

I've tried various searches and I'm imagining that it's in the CLI somewhere?

Cheers

Jon

Jond
New Contributor III

Eventually solved using a ticket

Solution Provided:

config user fsso-polling
    edit 1
        set logon-history <int> (0-48)
    next
end

- The default setting is for 8 hours.

- It can be set up to 48 hours.

- It can also be configured as 0 which results in no timeout at all.


xsilver_FTNT

Hi,

That's basically the dead entry timer, as the option 'logon-history' applies to the FSSO connector where FortiGate is the Collector Agent and does direct polling of WinSec records from AD. In the CLI it is 'config user fsso-polling'.

There is no workstation check done by FortiGate, AFAIK.

However, you do have a second option in FSSO Connectors: to connect to an outer Collector Agent, which could be FortiAuthenticator or a standalone Collector with the mentioned dead entry timeout and other options.

I would prefer this one over direct polling, exactly for those options: polling WMI, workstation checks, the ability to specify Event IDs to process, the ability to combine multiple other sources like RADIUS Accounting into FSSO, scalability and stability. Also for performance, as that SSO info will be processed at the source, in the collector, and just the results sent to FortiGate. In contrast to direct polling, where the precious CPU/RAM of the firewall itself is used to process those logons, and with huge logon event numbers the fssod/authd combo processing those events might get overloaded, and so CPU on the FortiGate spikes.

That second connector to an outer Collector Agent is in the CLI as 'config user fsso'.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
