{"id":6135,"date":"2022-09-07T07:12:34","date_gmt":"2022-09-07T07:12:34","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=6135"},"modified":"2022-09-07T07:12:34","modified_gmt":"2022-09-07T07:12:34","slug":"tracking-users-instead-of-devices-on-fortigate","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/tracking-users-instead-of-devices-on-fortigate","title":{"rendered":"Tracking users instead of devices on Fortigate"},"content":{"rendered":"<p class=\"x_MsoNormal\">Without User ID, the current user and host identification is done on a best effort basis using what information is available in clear text such as the username in Kerberos or a digest header, DNS responses and mac addresses. An example of this is at the bottom of this email.<\/p><p class=\"x_MsoNormal\">There are two approaches to pulling user login information from active directory \u2013 Polling and Agent based. Polling mode is like you\u2019ve suggested below where the FortiGate connects to AD and parses logs every few minutes. Agent based (known as FSSO) relies on a FortiGate service that runs on one or more servers and performs this event log monitoring and supplies the FortiGates with a live feed.<\/p><p class=\"x_MsoNormal\">I typically recommend agent based because it\u2019s lower overhead on both the FortiGates and domain controllers and is less prone to missing login events.<\/p><p class=\"x_MsoNormal\">For terminal servers, there is a specific agent we need to install. What this does is essentially sit in the network stack and allocate a range of source ports to each user, and then tell the FortiGate who has been allocated which port. 
\u00a0However, this does come with a warning that this source port restriction can break some applications (legacy ODBC based SQL applications in particular) &#8211; \u00a0so this will need some testing.<\/p><p class=\"x_MsoNormal\">You also need to use the FortiGate FSSO agent approach with terminal server agents to avoid giving the FortiGates conflicting information.<\/p><p>&nbsp;<\/p><p class=\"x_MsoNormal\">\u00a0vd root\/0\u00a0 00:50:56:84:12:50\u00a0 gen 1194584\u00a0 req OA\/24<\/p><p class=\"x_MsoNormal\">\u00a0\u00a0\u00a0 created 19084696s\u00a0 gen 10\u00a0 seen 0s\u00a0 NIKV310\u00a0 gen 541225<\/p><p class=\"x_MsoNormal\">\u00a0\u00a0\u00a0 ip 10.36.30.200\u00a0 src mac<\/p><p class=\"x_MsoNormal\">\u00a0\u00a0\u00a0 hardware vendor &#8216;VMware&#8217;\u00a0 src mac\u00a0 id 0\u00a0 weight 120<\/p><p class=\"x_MsoNormal\">\u00a0\u00a0\u00a0 os &#8216;Windows&#8217;\u00a0 src http\u00a0 id 1453\u00a0 weight 130<\/p><p class=\"x_MsoNormal\">\u00a0\u00a0\u00a0 software version &#8216;10&#8217;\u00a0 src http\u00a0 id 1453\u00a0 weight 130<\/p><p class=\"x_MsoNormal\">\u00a0\u00a0\u00a0 host &#8216;XXXXXXX.yarracm.com&#8217;\u00a0 src dhcp<\/p><p class=\"x_MsoNormal\">\u00a0\u00a0\u00a0\u00a0user &#8216;XXXXXXX&#8217;\u00a0 src Kerberos<\/p><p class=\"x_MsoNormal\">\u00a0<\/p>","protected":false},"excerpt":{"rendered":"<p>Without User ID, the current user and host identification is done on a best effort basis using what information is available in clear text such as the 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1251,1250,1493,3964,3965,3963],"class_list":["post-6135","post","type-post","status-publish","format-standard","hentry","category-research","tag-fortigate","tag-fortinet","tag-sso","tag-track-users","tag-user-not-listed","tag-users"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=6135"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6135\/revisions"}],"predecessor-version":[{"id":6136,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6135\/revisions\/6136"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=6135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=6135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=6135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}