FortiOS with built-in FSSO polling

6.0.0

FortiOS with a built-in FSSO CA is suited for a small AD environment. In this scenario, the FortiGate acts as the FSSO CA and queries AD domain controllers for login events. The number of supported domain controllers depends on the FortiGate model used.

The advantage of this scenario is that configuration is simple, since there is no need to install an FSSO CA on a third-party host. The downside is that the number of monitored DCs is limited and there is no user logout monitor.

This scenario is ideal for a small AD environment, where the monitored DCs are physically close to the FortiGate and latency is low. This scenario is not ideal for a large environment where the FortiGate needs to spend significant resources to query a large list of DCs and/or poll a large LDAP tree.

In a scenario with multiple sites, where each FortiGate only monitors events from local server(s), each polling server must be configured with an ID unique across all sites. When FortiManager retrieves the configuration from each FortiGate, the ID should not be overwritten.
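The uniqueness requirement above can be checked before the configurations are imported centrally. The following is an added example, not Fortinet code: it parses the `config user fsso-polling` table from each FortiGate's configuration backup and reports any polling server ID used on more than one device. The device names, hostnames, and the `_backup` helper that builds the sample input are constructed for illustration.

```python
import re
from collections import defaultdict

def polling_ids(config_text):
    """Return {id: server} for entries directly under 'config user fsso-polling'."""
    ids, depth, current = {}, 0, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if depth == 0:
            if line == "config user fsso-polling":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1  # nested table such as 'config adgrp'
        elif line == "end":
            depth -= 1
        elif depth == 1 and (m := re.fullmatch(r"edit (\d+)", line)):
            current = int(m.group(1))
            ids[current] = None
        elif depth == 1 and current is not None and (m := re.fullmatch(r'set server "?([^"]+)"?', line)):
            ids[current] = m.group(1)
    return ids

def find_collisions(configs):
    """Map each polling ID used on more than one FortiGate to its (device, server) uses."""
    seen = defaultdict(list)
    for name, text in configs.items():
        for pid, server in polling_ids(text).items():
            seen[pid].append((name, server))
    return {pid: uses for pid, uses in seen.items() if len(uses) > 1}

# Constructed sample backups (hypothetical helper; hostnames and device names are made up).
def _backup(pid, server):
    return f'''config user fsso-polling
    edit {pid}
        set server "{server}"
        config adgrp
            edit "CN=Staff,DC=example,DC=test"
            next
        end
    next
end
'''

SAMPLE = {
    "fgt-site-a": _backup(1, "dc1.site-a.example"),
    "fgt-site-b": _backup(1, "dc1.site-b.example"),  # reuses ID 1
    "fgt-site-c": _backup(3, "dc1.site-c.example"),
}

if __name__ == "__main__":
    for pid, uses in find_collisions(SAMPLE).items():
        print(f"polling ID {pid} is reused:", uses)
```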
