FortiGate
gmanea
Staff
Article Id 196270

Description

This article describes how to exclude certain IP addresses from being registered in the Fortinet Single Sign-On process.


Scope
Agent-based FSSO (Collector Agent with DC Agent mode or polling mode).

Solution

It can sometimes be necessary to exclude IPs from the FSSO process for various reasons. 
 
Some scenarios in which this may be useful:
- servers for which logins should be ignored (member servers, DCs, Exchange servers)
- VPN IPs (to avoid FSSO interfering with existing VPN authentication)
- terminal servers running a TS Agent (regular logon events collected via DC Agent or polling could otherwise overwrite the TS Agent logon; see the version note below)
 
The excluded IP addresses and the users logged on them will not appear in the logon user list in the Collector Agent or on the FortiGate in the Firewall User List as FSSO logons.
Logons from an excluded IP address could only appear if a TS Agent is installed on a server with that IP address.
 
Note: TS Agent logons being overwritten only happens in Collector Agent versions lower than v5.0.288. From that Collector Agent version onward, TS Agent logons always take priority over DC Agent logons from the same IP; DC Agent logons are not forwarded to the FortiGate if TS Agent logons exist for that IP.


For certain IP addresses to be excluded, they need to be added to the following registry key on the Collector Agent server (the WOW6432Node path is the one in use on 64-bit Windows):
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent

Value name: 'dc_agent_ignore_ip_list'
Value data:
semicolon-separated list of IPs to be ignored by the Collector Agent

The list can consist of single IPs and, starting with Collector Agent version 5.0.0302, IP ranges.

Ranges should be put into this format: 10.0.0.1-10.0.0.254
A full example of an ignore list: 192.168.1.99;10.0.0.1-10.0.0.254;10.10.10.10;10.11.12.13;172.16.0.1-172.16.255.254

Below version 5.0.0302, only single IPs are supported! A range entry on such a version is not a valid single IP and will not match anything.

 

 
After the list is updated, the FSSO Collector Agent service needs to be restarted for the change to take effect.

Once IP addresses (and ranges) are in 'dc_agent_ignore_ip_list' and the Collector Agent receives logon information for one of those IPs from a DC Agent, or retrieves it in polling mode, that logon is discarded and never forwarded to the FortiGate.
The 'value data' field can hold up to 1 MB of data (based on Windows registry element size limits), so numerous IPs and ranges can be added.
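As an added example (not Fortinet's code), the following PowerShell validates an ignore list, writes it to the registry value above and restarts the Collector Agent service. It also lets a test whether a given logon IP would be discarded by the list before the change is applied. The service name, the REG_SZ value type and inclusive range endpoints are assumptions not stated in this article; the sample entries are constructed.

```powershell
# Added example, not Fortinet's code: validate an FSSO ignore list, write it to the
# Collector Agent registry value and restart the service so the change takes effect.
# Run in an elevated PowerShell on the Collector Agent server.
# Assumptions not stated in the article: the value is stored as REG_SZ, range
# endpoints are inclusive, and the service name in $ServiceName. Confirm the name with:
#   Get-Service | Where-Object DisplayName -like '*Fortinet*'

$RegPath     = 'HKLM:\SOFTWARE\WOW6432Node\Fortinet\FSAE\collectoragent'
$ValueName   = 'dc_agent_ignore_ip_list'
$ServiceName = 'FSAE_CollectorAgent'   # assumption, see above

# Constructed sample list: single IPs and ranges (ranges need Collector Agent >= 5.0.0302).
$Entries = @(
    '192.168.1.99',               # e.g. an Exchange server whose logons should be dropped
    '10.0.0.1-10.0.0.254',        # e.g. a VPN address pool
    '172.16.0.1-172.16.255.254'
)

# IPv4 dotted quad -> integer, so ranges can be compared numerically.
# The regex rejects shorthand such as "10" that [IPAddress]::TryParse would accept.
function ConvertTo-IpNumber {
    param([string]$Ip)
    $ip = $Ip.Trim()
    $addr = $null
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
        -not [System.Net.IPAddress]::TryParse($ip, [ref]$addr) -or
        $addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not a valid IPv4 address: '$Ip'"
    }
    $b = $addr.GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

$RangePattern = '^\s*([0-9.]+)\s*-\s*([0-9.]+)\s*$'

# Reject malformed entries before they reach the registry: a bad address, or a range
# whose end precedes its start (for example 172.16.0.1-17.16.255.254, a dropped digit).
function Test-IgnoreEntry {
    param([string]$Entry)
    if ($Entry -match $RangePattern) {
        $start = ConvertTo-IpNumber $Matches[1]
        $end   = ConvertTo-IpNumber $Matches[2]
        if ($end -lt $start) { throw "Range end precedes start in '$Entry'" }
    } else {
        [void](ConvertTo-IpNumber $Entry)
    }
}

# Would a logon reported for $Ip be discarded by this list? (inclusive range match assumed)
function Test-IpIgnored {
    param([string]$Ip, [string[]]$List)
    $n = ConvertTo-IpNumber $Ip
    foreach ($entry in $List) {
        if ($entry -match $RangePattern) {
            $start = ConvertTo-IpNumber $Matches[1]
            $end   = ConvertTo-IpNumber $Matches[2]
            if ($n -ge $start -and $n -le $end) { return $true }
        } elseif ($n -eq (ConvertTo-IpNumber $entry)) {
            return $true
        }
    }
    return $false
}

foreach ($e in $Entries) { Test-IgnoreEntry $e }
$ValueData = ($Entries | ForEach-Object { $_.Trim() }) -join ';'

# Sanity check two addresses against the list before touching the registry.
"10.0.0.77 ignored: $(Test-IpIgnored '10.0.0.77' $Entries)"   # inside the VPN range -> True
"10.0.1.5 ignored:  $(Test-IpIgnored '10.0.1.5'  $Entries)"   # outside every entry -> False

if (-not (Test-Path $RegPath)) { throw "Collector Agent registry key not found: $RegPath" }
New-ItemProperty -Path $RegPath -Name $ValueName -Value $ValueData -PropertyType String -Force | Out-Null
"Written: $((Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName)"

# The article requires a service restart for the new list to be applied.
Restart-Service -Name $ServiceName -Force
```

On a Collector Agent older than 5.0.0302 the range entries would have to be expanded to single IPs, since only single IPs are supported there; the validation above does not do that for you. Restarting the Collector Agent briefly interrupts logon collection, so schedule it accordingly.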
 
Check the result on the FortiGate, for example:
 
# diagnose firewall auth list | grep -A 7 <ignored IP>
 
-> this should return no entry if the IP is ignored properly, unless a TS Agent is installed on that IP. The FSSO logon list as received from the Collector Agent can also be checked with 'diagnose debug authd fsso list'.