In prior versions of FortiOS, agent software had to be installed on either a Domain Controller or a Member Server. There was a lot of push back, since many IT admins were not comfortable running third-party software on their critical AD servers. FortiOS 5.0 allows the firewalls to query the AD global catalog and event logs directly, so the agents are now optional.
When a Windows AD user logs on at a workstation in a monitored domain, the FortiGate unit:
- detects the logon event in the domain controller’s event log and records the workstation name, domain, and user
- resolves the workstation name to an IP address
- uses the domain controller’s LDAP server to determine which groups the user belongs to
- creates one or more log entries on the FortiGate unit for this logon event as appropriate
(From the FortiOS 5.0 Authentication Guide)
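The four steps above are an IP-to-identity mapping pipeline, and the part a practitioner most needs to understand is what happens when the mapping goes stale or collides (two users logging on to the same workstation, a workstation name that does not resolve, or a failed logon that must never create a mapping). The following is an added illustrative model of that pipeline in Python, not Fortinet's code; the events, the DNS table, the LDAP group data, and the eight-hour idle timeout are all constructed for the example, and the event IDs 4624/4625 are the standard Windows security-log IDs for successful and failed logons.

```python
"""Illustrative model of agentless logon tracking: poll logon events, resolve the
workstation to an IP, look up the user's groups, and emit a log entry.
Example code only, not Fortinet's implementation; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Windows records a successful logon as security event ID 4624 and a failed one as 4625.
SUCCESS_LOGON = 4624
SAMPLE_EVENTS = [  # constructed sample of polled event-log records
    {"time": "2024-01-15T08:00:00", "event_id": 4624, "user": "alice", "domain": "CORP", "workstation": "WS-ALICE"},
    {"time": "2024-01-15T08:05:00", "event_id": 4624, "user": "bob", "domain": "CORP", "workstation": "WS-BOB"},
    {"time": "2024-01-15T08:10:00", "event_id": 4625, "user": "mallory", "domain": "CORP", "workstation": "WS-BOB"},
    {"time": "2024-01-15T08:12:00", "event_id": 4624, "user": "dave", "domain": "CORP", "workstation": "WS-UNKNOWN"},
    {"time": "2024-01-15T09:30:00", "event_id": 4624, "user": "carol", "domain": "CORP", "workstation": "WS-ALICE"},
]

# Constructed stand-ins for the DNS lookup and the LDAP group query.
DNS_TABLE: Dict[str, str] = {"WS-ALICE": "10.0.1.10", "WS-BOB": "10.0.1.11"}
LDAP_GROUPS: Dict[str, List[str]] = {
    "alice": ["CN=Finance,OU=Groups,DC=corp,DC=example", "CN=Domain Users,CN=Users,DC=corp,DC=example"],
    "bob": ["CN=Engineering,OU=Groups,DC=corp,DC=example", "CN=Domain Users,CN=Users,DC=corp,DC=example"],
    "carol": ["CN=Domain Users,CN=Users,DC=corp,DC=example"],
    "dave": ["CN=Domain Users,CN=Users,DC=corp,DC=example"],
}


def resolve_workstation(name: str) -> Optional[str]:
    """DNS stand-in: return the IP for a workstation name, or None if unknown."""
    return DNS_TABLE.get(name.upper())


def lookup_groups(user: str) -> List[str]:
    """LDAP stand-in for the memberOf query against the domain controller."""
    return LDAP_GROUPS.get(user, [])


@dataclass
class Session:
    user: str
    domain: str
    workstation: str
    groups: List[str]
    seen: datetime


class SessionTable:
    """IP -> logon session map with an idle timeout, so a stale mapping does not
    keep granting a departed user's group-based access to whoever next holds that IP."""

    def __init__(self, timeout_hours: float = 8):
        self.timeout = timedelta(hours=timeout_hours)
        self.by_ip: Dict[str, Session] = {}

    def process_event(self, ev: dict) -> Optional[dict]:
        """Handle one polled event; return the log entry it produces, or None."""
        if ev["event_id"] != SUCCESS_LOGON:
            return None  # failed logons never create an identity mapping
        when = datetime.fromisoformat(ev["time"])
        entry = {"time": ev["time"], "user": ev["user"], "domain": ev["domain"],
                 "workstation": ev["workstation"], "ip": None, "groups": [],
                 "replaced": None, "status": "unresolved"}
        ip = resolve_workstation(ev["workstation"])
        if ip is None:
            return entry  # no IP means no policy can be keyed on this logon
        previous = self.by_ip.get(ip)
        if previous is not None and previous.user != ev["user"]:
            entry["replaced"] = previous.user  # same IP, new user: old mapping is discarded
        groups = lookup_groups(ev["user"])
        self.by_ip[ip] = Session(ev["user"], ev["domain"], ev["workstation"], groups, when)
        entry.update(ip=ip, groups=groups, status="mapped")
        return entry

    def user_for_ip(self, ip: str, now_iso: str) -> Optional[str]:
        """Return the user mapped to ip at time now_iso, expiring sessions past the timeout."""
        sess = self.by_ip.get(ip)
        if sess is None:
            return None
        if datetime.fromisoformat(now_iso) - sess.seen > self.timeout:
            del self.by_ip[ip]
            return None
        return sess.user


def run(events: List[dict], timeout_hours: float = 8) -> Tuple[List[dict], SessionTable]:
    """Feed events through a fresh table; return (log entries, table)."""
    table = SessionTable(timeout_hours)
    entries = [e for e in (table.process_event(ev) for ev in events) if e is not None]
    return entries, table


if __name__ == "__main__":
    for e in run(SAMPLE_EVENTS)[0]:
        print(e["time"], e["status"], e["user"], e["ip"], e["replaced"] or "")
```

The two behaviours worth noticing are the `replaced` field, which records that carol's logon on WS-ALICE silently displaced alice's mapping for 10.0.1.10, and the timeout in `user_for_ip`, which drops bob's mapping once it has gone unrefreshed for longer than the configured window. Any polling-based mapping of this kind shares those limits: shared workstations and terminal servers put several users behind one IP, a DHCP lease change moves an IP between hosts, and a logoff produces no event the poller acts on, so stale entries are inevitable and the timeout is what bounds their lifetime.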