FSSO II

TCP ports 139 its optional, only TCP port 445 must be opened between collector agents or FortiGate and all hosts.

Which is the recommended mode for FSSO deployments?

Which FSSO mode requires more FortiGate system resources (CPU and RAM)?

Is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users.

NTLM

Simple domain configurations for NTLM authentication

When performing NTLM authentication, what information does the web browser supply to FortiGate?

Which of the following may cause an NTLM authentication to occur?

The FSSO collector agent can access Windows AD in one of two modes:

Notice that you do not need to match the F880 version with your exact FortiGate firmware version. When installing FSSO, grab the latest collector agent for your major release. You do however, need to match the dcagent version to the collector agent version.

The maximum number of Windows AD user groups allowed on a FortiGate depends on the model.

This setting controls when the collector agent connects to individual workstations on port 139 (or port 445), and uses the remote registry service to verify if a user is still logged on to the same station. It changes the status of the user under Show logon User, to not verified when it cannot connect to the workstation. If it does connect, it verifies the user and the status remains OK. To facilitate this verification process, the remote registry service should be set to auto start on all domain member PCs.

This setting applies only to entries with an unverified status. When an entry is not verified, the collector starts this timer. It‘s used to age out the entry. When the timer expires, the logon is removed from the collector. From FortiGate’s perspective, there is no difference between entries that are OK and entries that are not verified. Both are considered valid.

This setting checks the IP addresses of logged in users and updates the FortiGate when a user‘s IP addresses change. This timer is especially important in DHCP or dynamic environments to prevent users from being locked out if they change lP addresses. The domain's DNS server should be accurate; if the DNS server does not update the affected records promptly, the collector agent's lP information will be inaccurate.

This setting caches the user group membership for a defined period of time. It is not updated, even if the user changes group membership in AD.

Uses the Windows convention NetBios: Domain\Username.

Uses the LDAP convention: CN=User, OU=Name, DC=Domain.

AD Group support (Select 4)

If you have collector agents, either using the DC agent mode or the collector agent-based polling mode, what 880 setting should you select on FortiGate?

Filtering from FortiGate can only be done if the collector agent is in which AD access mode?

Which of the following naming conventions does the F880 collector agent use to access the Windows AD in Standard access mode?

Which logging level shows the logon events on the collector agent?

The command diagnose debug fsso-polling detail displays information for which mode of FSSO?