FortiGate
tlegentil_FTNT
Article Id 189814

Description

This article explains how to disable DNS resolution by the FSSO DCAgent.

 

Scope

Any supported version of FortiGate. This only applies to the FSSO DCAgent method.


Solution

When a user logs in, the DCAgent intercepts the logon event on the Domain Controller. It then resolves the client's DNS name to an IP address and sends the event to the Collector Agent. The Collector Agent receives it and performs its own DNS resolution to check whether the user's IP address has changed.

In some environments, this double DNS resolution causes problems.
Typically, DCAgentLog.txt reports that there are too many requests in the queue and the logon event is discarded, with a line such as the following:

domain:XXX, workstation:XXX, user:XXX, request in queue:100001
 
To stop the DCAgent from resolving DNS, set a registry value on the Domain Controller that hosts the DCAgent:

Key:   HKLM\Software\Fortinet\FSAE\dcagent
Value: donot_resolve (REG_DWORD) = 1

After changing the value, reboot the Domain Controller. This step is required for the change to take effect.
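The registry change above, applied and verified from an elevated PowerShell session on the Domain Controller that hosts the DCAgent. This is an added example, not a script from Fortinet or from the article; the key path and value name are the ones the article gives, and the read-back check assumes only built-in PowerShell registry cmdlets.

```powershell
# Added example (not from the Fortinet article): set donot_resolve = 1 as a
# REG_DWORD under the DCAgent key, then read it back and check its type.
# Assumes an elevated session on the Domain Controller running the DCAgent.
$keyPath   = 'HKLM:\SOFTWARE\Fortinet\FSAE\dcagent'
$valueName = 'donot_resolve'

# The key should already exist where the DCAgent is installed. If it does not,
# warn (the DCAgent may not be on this host) and create it so the value can be written.
if (-not (Test-Path -Path $keyPath)) {
    Write-Warning "$keyPath not found; is the FSSO DCAgent installed on this Domain Controller? Creating it."
    New-Item -Path $keyPath -Force | Out-Null
}

# Record the current state so the change can be audited or rolled back.
$before = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $before) {
    Write-Host "$valueName is not set (DCAgent resolves DNS, the default)."
} else {
    Write-Host "$valueName currently = $before"
}

# Write the value as REG_DWORD. -Force overwrites an existing value, which also
# corrects the type if someone created it as a string earlier.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Verify both the data and the value kind: the article specifies a DWORD,
# so a REG_SZ "1" is not what was asked for.
$item  = Get-Item -Path $keyPath
$kind  = $item.GetValueKind($valueName)
$after = $item.GetValue($valueName)
if ($kind -ne 'DWord' -or $after -ne 1) {
    throw "Verification failed: $valueName is '$after' (type $kind); expected 1 (DWord)."
}
Write-Host "$valueName = $after ($kind). Reboot the Domain Controller so the DCAgent picks it up."
```

The read-back uses the RegistryKey object returned by Get-Item rather than Get-ItemProperty so that the value kind can be checked as well as the number; a value of the wrong type is the most common reason a registry tweak like this silently does nothing.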

Before the change, the logs show the client IP address(es) resolved by the DCAgent:

<date> <time>    [RECV_EVENT_FROM_DC]    packet_len:58 dcagent_ip:172.16.8.123 time:1447165567 data_len:41 data:PC.example.com/EX_DC/user ip:172.16.1.10:172.16.2.10

After the change, the DCAgent no longer resolves the client, so the ip field is sent as 0.0.0.0:

<date> <time>    [RECV_EVENT_FROM_DC]    packet_len:58 dcagent_ip:172.16.8.123 time:1447165567 data_len:41 data:PC.example.com/EX_DC/user ip:0.0.0.0
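To confirm from the logs that the change took effect, and to spot the queue-overflow symptom the article describes, the following added PowerShell example (not Fortinet's code) scans log lines in the two formats shown above. The sample lines are constructed to match those formats; the function name Get-DcAgentDnsState and the 100000 queue threshold are the example's own choices, and in practice the lines would come from Get-Content on DCAgentLog.txt and the Collector Agent log.

```powershell
# Added example (not from the Fortinet article): classify FSSO log lines.
# Constructed sample lines in the formats the article shows.
$sampleLines = @(
    '2023-01-01 10:00:00    [RECV_EVENT_FROM_DC]    packet_len:58 dcagent_ip:172.16.8.123 time:1447165567 data_len:41 data:PC.example.com/EX_DC/user ip:172.16.1.10:172.16.2.10',
    'domain:EX_DC, workstation:PC, user:user, request in queue:100001',
    '2023-01-01 10:05:00    [RECV_EVENT_FROM_DC]    packet_len:58 dcagent_ip:172.16.8.123 time:1447165867 data_len:41 data:PC.example.com/EX_DC/user ip:0.0.0.0',
    '2023-01-01 10:06:00    [RECV_EVENT_FROM_DC]    packet_len:58 dcagent_ip:172.16.8.200 time:1447165927 data_len:41 data:PC2.example.com/EX_DC/user2 ip:172.16.1.11'
)

function Get-DcAgentDnsState {
    param([string[]]$Lines, [int]$QueueThreshold = 100000)

    $queueAlerts = @()
    $perAgent    = @{}   # dcagent_ip -> counts of resolved vs. unresolved events

    foreach ($line in $Lines) {
        # DCAgentLog.txt symptom: logon events discarded because the queue is full.
        if ($line -match 'request in queue:(?<n>\d+)') {
            if ([int]$Matches.n -ge $QueueThreshold) { $queueAlerts += $line }
            continue
        }
        # Events received from a DCAgent; the trailing ip field carries what it resolved.
        if ($line -match '\[RECV_EVENT_FROM_DC\].*dcagent_ip:(?<agent>[\d.]+).*\sip:(?<ips>[\d.:]+)$') {
            $agent = $Matches.agent
            if (-not $perAgent.ContainsKey($agent)) {
                $perAgent[$agent] = [ordered]@{ Resolved = 0; Unresolved = 0 }
            }
            # ip:0.0.0.0 means the DCAgent skipped its own lookup (donot_resolve in effect).
            if ($Matches.ips -eq '0.0.0.0') { $perAgent[$agent].Unresolved++ }
            else                            { $perAgent[$agent].Resolved++ }
        }
    }

    [pscustomobject]@{ QueueAlerts = $queueAlerts; PerAgent = $perAgent }
}

$state = Get-DcAgentDnsState -Lines $sampleLines
foreach ($agent in $state.PerAgent.Keys) {
    $c = $state.PerAgent[$agent]
    if ($c.Resolved -gt 0 -and $c.Unresolved -gt 0) {
        Write-Host "$agent : mixed events; check whether the DC was rebooted after the registry change."
    } elseif ($c.Resolved -gt 0) {
        Write-Host "$agent : still sends resolved IPs (donot_resolve not in effect)."
    } else {
        Write-Host "$agent : sends ip:0.0.0.0 (DCAgent DNS resolution disabled)."
    }
}
if ($state.QueueAlerts.Count -gt 0) {
    Write-Warning ("{0} DCAgent queue-overflow line(s) found" -f $state.QueueAlerts.Count)
}
```

Grouping by dcagent_ip matters in a multi-DC domain: the registry value is per Domain Controller, so one DCAgent can already be sending ip:0.0.0.0 while another, not yet changed or not yet rebooted, still resolves and still fills its queue.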