When a user logs in, FSSO typically collects: username, domain, workstation, IP address, and group membership, and forwards it to FortiGate/FortiManager
-
### Operating modes
+
### Operational modes
+
**A) Collector Agent (CA) (Windows FSSO agent)**
The FSSO Collector Agent runs as a service and collects logon events, then sends user/IP mappings to FortiGate (often based on group filters).
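Review bot: check for inbound links before merging the heading rename from "### Operating modes" to "### Operational modes". If this wiki derives anchors from heading text, any link to the old heading stops resolving, so either update those links in the same change or keep the original wording, since the rename does not change the meaning.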
@@ 74,6 75,29 @@
**C) Polling mode (no software on DCs)**
In Polling mode, the Collector Agent polls the DCs for logon events and forwards them to FortiGate.
+
### Combinations / Design
+
+
**Option 1 — FortiGate built‑in polling (“agentless” on the FortiGate)**
+
What it is: FortiGate itself acts like a collector and queries DCs for login events (no Windows CA required).
+
+
Strengths: Simple setup; no separate CA host required.
+
+
Limitations: Typically supports only a limited number of monitored DCs and has no user logout monitoring in that scenario.
+
+
**Option 2 — Windows Collector Agent in Polling mode (CA polls DCs)**
+
What it is: You install only the CA on a Windows server, and it polls DCs for logon events.
+
Why choose it: “No 3rd‑party software on Domain Controllers” — simpler politically/operationally in many orgs.
+
Polling methods you may see/tested:
+
+
NetAPI polling (fast, but may miss some logons if DC is heavily loaded).
+
+
Windows Security Event Log polling (slower but less likely to miss events under load; needs good network links).
+
+
Event log via WMI (also listed as an option in Fortinet guidance for polling mode).
+
+
Ports/traffic: Polling uses Windows remote access mechanisms (SMB/RPC/WMI), which can mean more overhead than DC-Agent mode
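Review bot: the closing "Ports/traffic" line names SMB/RPC/WMI but gives neither the ports nor the rights the polling account needs on the DCs, which is what a reader writing firewall rules or provisioning a least-privilege service account between the Collector Agent and the DCs needs. Add both, with a reference to the Fortinet guidance already mentioned in the WMI item. Under Option 1, "a limited number of monitored DCs" should state the limit or cite where it is documented. The three polling methods would read better as a bullet list under a cleaner lead-in than "Polling methods you may see/tested:". Option 2 repeats the existing "C) Polling mode" paragraph just above, so consider cross-referencing it instead of restating it. The last sentence is also missing its full stop.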