Commit 3588f7

2026-04-03 17:01:07 Peter: d
fortinet/nse4.md ..
@@ 65,19 65,23 @@
### Operational modes
**A) Collector Agent (CA) (Windows FSSO agent)**
+
The FSSO Collector Agent runs as a service and collects logon events, then sends user/IP mappings to FortiGate (often based on group filters).
It can collect data either from DC Agents or by polling Domain Controllers directly.
**B) DC Agent (domain controller plugin)**
+
In DC Agent mode, each Domain Controller has a Fortinet DC Agent installed (a DLL), which reads auth events and forwards them to the Collector.
**C) Polling mode (no software on DCs)**
+
In Polling mode, the Collector Agent polls the DCs for logon events and forwards them to FortiGate.
### Combinations / Design
**Option 1 — FortiGate built‑in polling (“agentless” on the FortiGate)**
+
What it is: FortiGate itself acts like a collector and queries DCs for login events (no Windows CA required).
Strengths: Simple setup; no separate CA host required.
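Review bot: the new blank lines go only after the bold labels (A, B, C and Option 1), not before them, so `**B) DC Agent (domain controller plugin)**` still sits directly under "It can collect data either from DC Agents or by polling Domain Controllers directly." and `**C) Polling mode (no software on DCs)**` directly under the DC Agent sentence. Markdown renderers that join adjacent lines will fold each label into the end of the preceding paragraph. Add a blank line before each label as well, or promote the labels to `####` headings under `### Operational modes`. The same joining affects `What it is:` and `Strengths:` under Option 1, which are adjacent lines and will render as one paragraph; a bullet list would keep them apart. The commit message `d` also does not say what the change is for.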
@@ 85,6 89,7 @@
Limitations: Typically supports only a limited number of monitored DCs and has no user logout monitoring in that scenario.
**Option 2 — Windows Collector Agent in Polling mode (CA polls DCs)**
+
What it is: You install only the CA on a Windows server, and it polls DCs for logon events.
Why choose it: “No 3rd‑party software on Domain Controllers” — simpler politically/operationally in many orgs.
Polling methods you may see/tested:
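Review bot: the `**Option 2` label still has no blank line before it, so it follows the Option 1 `Limitations:` line directly and can be rendered as the tail of that paragraph; the hunk adds the blank line only after the label. Add one before it too. Two wording points on the unchanged lines while this section is being touched: "Typically supports only a limited number of monitored DCs" gives no figure, so a reader sizing a design cannot tell whether Option 1 fits, and "Polling methods you may see/tested:" mixes two meanings (methods that exist versus methods the author tested); pick one and state it.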