Re: Poll Active Directory server
Helpful | by Bilel 2021/09/02 06:14:11
Unfortunately the pictures were not attached well.
However, for example, my lab FortiOS 6.4.5 shows two possibilities in the Security Fabric / External Connectors / New External Connector / "Endpoint/Identity" section.
1. FSSO Agent on Windows AD
2. Poll Active Directory Server
Those two are directly related to FSSO.
First, "FSSO Agent on Windows AD" will point the FGT to an external, standalone Collector Agent, which can be installed on a DC or on any domain-member Windows server-class machine, and which, besides other modes, can poll the Windows Security log or query WMI for Windows Security events, specifically the user-logon-related ones. That second method, referred to in the Collector Agent as WinSec-WMI, is what I would recommend using, as it gathers just the logon events directly via WMI and relieves the Collector of the extra burden of sequentially reading the pure WinSec log and then parsing it for the few suitable logon events, while the majority of the collected data is "garbage" for FSSO purposes.
Second, "Poll Active Directory Server" will make the FGT do a similar job to what the Collector does: polling DCs for logon events. But it is the less favoured method for me, as it lacks the versatility of the standalone Collector Agent and brings extra load on the FGT side.
If you cannot keep WinSec logs, and WMI will not be enough to keep up with the speed at which your system destroys the evidence, then there is supposed to be an MSFT way to duplicate logs to an external WinSec log collector. But I never configured it; I just hit it as some customers have the standalone Collector Agent set to read WinSec logs not from all the DCs but from that single MSFT collector only. But I have little detail on how it's made on the MSFT side.
Alternatively, in the standalone Collector Agent, or directly on the FGT side in External Connectors, there is "RADIUS Single Sign-On Agent", sometimes referred to simply as RSSO. This is a method where the collector (no matter if a standalone Collector or the FGT in that role) learns logon events from provided RADIUS Accounting Start/Stop/Update messages. So, for example, if your users are authenticated via NPS, for example to WiFi, then the NPS or wireless controller (WLC) should be able to send Accounting Requests to the collector (again, the standalone Collector Agent, or the FGT in that role, or even FortiAuthenticator, which is probably not your case; I noted FortiAuthenticator just to complete the listing of possible recipients).
Tom xSilver, planet Earth, over and out!
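To illustrate the RSSO mechanism described in the reply above, here is an added example (not code from the post, from Fortinet, or from any real collector) of how a collector learns user-to-IP logons from RADIUS Accounting Start/Stop/Interim-Update messages and, per RFC 2866, rejects accounting requests whose Request Authenticator does not match the shared secret. The packet builder, the secret, the user names and the addresses are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS code for Accounting-Request (RFC 2866)
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_STATUS_TYPE = 1, 8, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(identifier, secret, username, ip, status):
    """Construct an Accounting-Request the way a NAS/NPS would (constructed test input)."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username.encode()
    attrs += bytes([ATTR_FRAMED_IP, 6]) + bytes(int(o) for o in ip.split("."))
    attrs += bytes([ATTR_ACCT_STATUS_TYPE, 6]) + struct.pack(">I", status)
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(payload):
    """Walk the TLV attribute list; refuse lengths that would run off the packet."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        attr_type, attr_len = payload[i], payload[i + 1]
        if attr_len < 2 or i + attr_len > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = payload[i + 2:i + attr_len]
        i += attr_len
    return attrs


class RssoTable:
    """Minimal RSSO-style logon table: Framed-IP-Address -> User-Name."""

    def __init__(self, secret):
        self.secret = secret
        self.sessions = {}

    def handle(self, packet):
        code, _ident, length = struct.unpack(">BBH", packet[:4])
        if code != ACCOUNTING_REQUEST or length != len(packet):
            return "ignored"
        # Verify the authenticator first so an unauthenticated sender cannot poison the table
        expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + self.secret).digest()
        if not hmac.compare_digest(expected, packet[4:20]):
            return "rejected: bad authenticator"
        attrs = parse_attributes(packet[20:])
        status = STATUS.get(struct.unpack(">I", attrs[ATTR_ACCT_STATUS_TYPE])[0], "unknown")
        user = attrs[ATTR_USER_NAME].decode()
        ip = ".".join(str(b) for b in attrs[ATTR_FRAMED_IP])
        if status in ("Start", "Interim-Update"):
            self.sessions[ip] = user                # logon learned or refreshed
        elif status == "Stop":
            self.sessions.pop(ip, None)             # logoff: drop the mapping
        return f"{status} {user}@{ip}"
```

A real collector would also age out entries that receive no Interim-Update, but the authenticator check is the part that keeps a forged Accounting-Request from mapping an attacker's address to a legitimate user.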