Jonathan_Body_FTNT
Article Id 191630

Description
This article explains what FSAE checks for on the Domain Controller and what the polling rate is.
Scope
FortiOS 4.0
FSAE build 58
Solution

Having an FSAE agent installed on every domain controller ensures the maximum accuracy for detecting user logons. However, some users do not want third-party software installed on their domain controllers.

Unlike other user authentication services (for example, Novell eDirectory), Windows Active Directory does not keep user logon session information in its database. This means that a normal LDAP query to Windows AD asking "list all the currently logged on users" will not work.

Instead, when a user logs on to the domain, a temporary session is created on the domain controller; this session is not kept for more than 15 seconds.

How it works

Domain Controller polling looks for such sessions and polls the Domain Controller frequently in order to get user logon information indirectly.

Advantages

  • No domain controller agents are required
  • User login information is learned and passed along to the FortiGate (unlike the NTLM approach to FSAE)

Limitation

The controller agent must be able to complete polling of all polled devices within 10 seconds.  For this reason, using polling mode may not work for larger deployments or deployments which are geographically diverse.
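An added example (constructed for this article, not Fortinet's code) that models the mechanism above: logon sessions live on the domain controller for at most 15 seconds, so a logon is only learned if a poll lands while its session still exists, and the sweep over all polled DCs sets the floor on how often that can happen. Logon times and per-DC poll costs are assumed sample values.

```python
"""Model of FSAE domain-controller polling (constructed example)."""

SESSION_LIFETIME_S = 15.0   # from the article: temporary session kept <= 15 s
POLL_BUDGET_S = 10.0        # from the article: all DCs must be polled within 10 s


def poll_instants(cycle_s, horizon_s):
    """Instants at which successive poll sweeps run, starting at t=0."""
    t, instants = 0.0, []
    while t <= horizon_s:
        instants.append(t)
        t += cycle_s
    return instants


def detected_logons(logon_times, cycle_s, horizon_s=120.0):
    """Return the logons whose short-lived DC session is observed by a poll.

    A logon at t0 leaves a session on the DC during [t0, t0 + 15 s); it is
    learned only if some poll instant falls inside that window.
    """
    polls = poll_instants(cycle_s, horizon_s)
    return [t0 for t0 in logon_times
            if any(t0 <= p < t0 + SESSION_LIFETIME_S for p in polls)]


def sweep_time(dc_poll_costs_s):
    """Total time for one sweep over all polled DCs and whether it fits the budget.

    The sweep time is the lower bound on the poll cycle: a slow or distant DC
    stretches the cycle and, past 15 s, logons start to be missed entirely.
    """
    total = sum(dc_poll_costs_s)
    return total, total <= POLL_BUDGET_S


if __name__ == "__main__":
    logons = [5.0, 12.0, 25.0]                     # constructed logon times (s)
    print("cycle 10 s:", detected_logons(logons, 10.0))   # all three learned
    print("cycle 20 s:", detected_logons(logons, 20.0))   # only 12.0 learned
    print("3 DCs, 2.5/3/4 s each:", sweep_time([2.5, 3.0, 4.0]))  # within budget
    print("3 DCs, 4 s each:", sweep_time([4.0, 4.0, 4.0]))        # exceeds budget
```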
