Fortinet FSAE Polling and DCAgent mode

There are several mechanisms for passing user authentication information to the FortiGate unit using Fortinet FSAE software:

• FSAE software installed on a Windows AD network monitors user logons and sends the required information to the FortiGate unit. The FSAE software can obtain this information by polling the domain controllers or by using an agent on each domain controller that monitors user logons in real time. Optionally, a FortiGate unit running FortiOS 3.0 MR6 or later can obtain group information directly from the AD using Lightweight Directory Access Protocol (LDAP).

• On a Windows AD network, the FSAE software can also serve NTLM requests coming from client browsers (forwarded by the FortiGate unit).

• FSAE software installed on a Novell network monitors user logons and sends the required information to the FortiGate unit. The FSAE software can obtain information from the Novell eDirectory using either the Novell API or LDAP.

FSAE user logon monitoring

FSAE installed in a Windows Active Directory environment can monitor which user is logged on to which workstation and pass that information to the FortiGate unit, which can use that information to apply its firewall policies.

When a Windows AD user logs in at a workstation, FSAE

• detects the logon event and records workstation name, domain, and user,

• resolves the workstation name to an IP address,

• uses Active Directory to determine which groups the user belongs to,

• sends the user logon information, including IP address and groups list, to the FortiGate unit.

When the user tries to access network resources, the FortiGate unit selects the appropriate firewall policy for the destination. If the user belongs to one of the permitted user groups, the connection is allowed.

FSAE can use either of two different methods to monitor user logon activity: DC Agent mode or Polling mode.
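The logon-to-policy flow described above, as an added simulation that is not Fortinet's code: constructed logon events are turned into IP-plus-groups records the way the collector agent does, and a small first-match policy table then decides access by group. DNS and Active Directory lookups are replaced by inline dictionaries, and all names, addresses and policy entries are hypothetical.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Constructed stand-ins for DNS and Active Directory (hypothetical values).
DNS = {"WS-ALICE": "10.1.1.10", "WS-BOB": "10.1.1.20"}
AD_GROUPS = {"alice": {"Domain Users", "Finance"}, "bob": {"Domain Users"}}

@dataclass
class LogonRecord:
    user: str
    domain: str
    workstation: str
    ip: str
    groups: set = field(default_factory=set)

def collect_logon(event):
    """Collector-agent side: record workstation/domain/user, resolve the IP and
    look up AD groups. Returns None if the workstation name does not resolve."""
    ws = event["workstation"].upper()
    ip = DNS.get(ws)
    if ip is None:
        return None
    user = event["user"].lower()
    return LogonRecord(user, event["domain"], ws, ip, set(AD_GROUPS.get(user, ())))

@dataclass
class Policy:
    name: str
    dst: IPv4Network
    groups: set          # user groups permitted by this policy
    action: str = "accept"

# Ordered like a FortiGate policy table (first match wins): deny sits above the catch-all.
POLICIES = [
    Policy("finance-servers", IPv4Network("10.2.0.0/24"), {"Finance"}),
    Policy("deny-finance", IPv4Network("10.2.0.0/24"), {"Domain Users"}, "deny"),
    Policy("internet", IPv4Network("0.0.0.0/0"), {"Domain Users"}),
]

def select_policy(records, src_ip, dst_ip):
    """FortiGate side: map src_ip to its logon record, then return (name, action)
    of the first policy matching dst_ip whose groups intersect the user's."""
    rec = next((r for r in records if r.ip == src_ip), None)
    if rec is None:
        return None
    for p in POLICIES:
        if IPv4Address(dst_ip) in p.dst and rec.groups & p.groups:
            return (p.name, p.action)
    return None
```

A source IP with no logon record gets no match, which is the situation a missed poll (see Polling mode below) would leave a user in.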

DC Agent mode

In DC Agent mode (see Figure), an agent is installed on each domain controller to monitor user logon events and pass the information to the FSAE collector agent, which forwards the information to the FortiGate unit.


DC Agent mode provides reliable user logon information, but you must install a DC agent on every domain controller in the domain. A reboot is needed after the agent is installed.

Polling mode

In Polling mode (see Figure), the FSAE collector agent polls each domain controller for user logon information and forwards it to the FortiGate unit.


The polling mode provides logon information less reliably. For example, under heavy system load a poll might miss some user logon events. However, you do not need to install a DC agent on each domain controller.

Source: Fortinet User Authentication Handbook v2 for FortiOS 4.0 MR2

Selecting Domain Controllers and working mode for monitoring

You can change which DC agents are monitored or change the working mode for logon event monitoring.

1 From the Start menu select Programs > Fortinet > Fortinet Server Authentication Extension > Configure FSAE.

2 In the Common Tasks section, select Show Service Status.

3 Select Select DC to Monitor.

Working Mode

DC Agent mode — a Domain Controller agent monitors user logon events and passes the information to the FSAE collector agent. This provides reliable user logon information, but you must install a DC agent on every domain controller in the domain.

Polling mode — the FSAE collector agent polls each domain controller for user logon information. Under heavy system load this might provide information less reliably, but you do not need to install a DC agent on each domain controller.


Below is a screenshot example showing the logon user list from an FSAE collector, in which the authentication type for each domain user is visible.