Study Guide – FSSO – FSSO with Windows Active Directory – Collector Agent-Based Polling Mode Options.
Collector agent-based polling mode has three methods (or options) for collecting logon information: NetAPI, WinSecLog and WMI.
NetAPI: polls temporary sessions created on the DC when a user logs on or logs off and calls the NetSessionEnum function on Windows. It is faster than the WinSecLog and WMI methods; however, it can miss some logon events if a DC is under heavy system load. This is because sessions can be quickly created and purged from RAM before the agent has a chance to poll and notify FortiGate.
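As an added illustration (not from the study guide and not Fortinet's code), the following Python simulation shows the practical difference between the two polling methods described above: a NetSessionEnum-style snapshot of the DC session table taken every 9 seconds (the interval the page gives for NetAPI) against a scan of the persistent Security event log (WinSecLog). The session timings, the log line format and the event IDs used (4624 logon, 4634 logoff, 4625 failed logon, standard Windows IDs picked for the example, not the FSSO supported list) are constructed assumptions for this example.

```python
"""Added example (not Fortinet code): simulate FSSO collector-agent polling.

NetAPI mode snapshots the DC session table (NetSessionEnum) about every
9 seconds, so a session created and purged between two snapshots is never
seen.  WinSecLog mode reads the persistent Security event log, so every
recorded logon event is found, possibly with some delay.

All session timings and log lines below are constructed sample data.
"""
import re
from dataclasses import dataclass

NETAPI_POLL_INTERVAL = 9.0  # seconds, the NetAPI interval the page gives


@dataclass(frozen=True)
class Session:
    user: str
    ip: str
    logon: float   # seconds after the observation window starts
    logoff: float  # float("inf") if the session is still open


# Constructed sample: bob and dave hold sessions shorter than one poll interval.
SESSIONS = [
    Session("alice", "10.0.0.11", 0.5, 120.0),
    Session("bob", "10.0.0.12", 3.0, 5.0),            # purged before the 9 s poll
    Session("carol", "10.0.0.13", 20.0, float("inf")),
    Session("dave", "10.0.0.14", 27.5, 35.0),         # between the 27 s and 36 s polls
]

# Constructed noise event that a WinSecLog scan must ignore (4625 = failed logon).
NOISE_EVENTS = [(40.0, 4625, "mallory", "10.0.0.99")]


def netapi_poll(sessions, interval=NETAPI_POLL_INTERVAL, horizon=60.0):
    """Simulate NetSessionEnum snapshot polling over a window of `horizon` seconds.

    Each tick sees only the sessions alive at that instant; anything created
    and purged between two ticks is missed.  Returns the (user, ip) pairs seen.
    """
    seen = set()
    for n in range(int(horizon // interval) + 1):
        t = n * interval
        for s in sessions:
            if s.logon <= t < s.logoff:
                seen.add((s.user, s.ip))
    return seen


def render_security_log(sessions, noise=NOISE_EVENTS):
    """Render constructed Security-log lines: 4624 on logon, 4634 on logoff."""
    events = list(noise)
    for s in sessions:
        events.append((s.logon, 4624, s.user, s.ip))
        if s.logoff != float("inf"):
            events.append((s.logoff, 4634, s.user, s.ip))
    events.sort()
    return "\n".join(
        f"t={t:06.1f} EventID={eid} Account={user} Address={ip}"
        for t, eid, user, ip in events
    )


LOG_LINE = re.compile(
    r"t=(?P<t>[\d.]+)\s+EventID=(?P<id>\d+)\s+Account=(?P<user>\S+)\s+Address=(?P<ip>\S+)"
)


def winseclog_poll(log_text, watched_ids=frozenset({4624})):
    """Simulate WinSecLog polling: scan every recorded line, keep watched logon IDs.

    Because the log persists, short-lived sessions are still found; the cost is
    scanning the whole log (a delay when writing to the logs is slow), and audit
    success for the watched IDs must be enabled or nothing is recorded at all.
    """
    seen = set()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and int(m["id"]) in watched_ids:
            seen.add((m["user"], m["ip"]))
    return seen


def missed_by_netapi(sessions, interval=NETAPI_POLL_INTERVAL):
    """Users the event log recorded but the session snapshots never caught."""
    return winseclog_poll(render_security_log(sessions)) - netapi_poll(sessions, interval)


if __name__ == "__main__":
    print("NetAPI (9 s) saw:   ", sorted(netapi_poll(SESSIONS)))
    print("WinSecLog saw:      ", sorted(winseclog_poll(render_security_log(SESSIONS))))
    print("Missed by NetAPI:   ", sorted(missed_by_netapi(SESSIONS)))
    print("Missed at 1 s polls:", sorted(missed_by_netapi(SESSIONS, interval=1.0)))
```

Running it shows bob and dave (both logged on and off inside one 9-second gap) present in the event-log scan but absent from the NetAPI snapshots, while a 1-second interval catches everyone; that is the trade-off the page describes between NetAPI's speed and WinSecLog's completeness.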
A is the correct one. B has a conceptual trick in the answer. If you notice, it says "...track user logouts" only. It does not even consider "login events". So NetAPI polls when a user either logs on or logs off (as you said), not just when they log off.
In this case, according to the Infrastructure Study Guide, the "most correct" answer between A and B is B. Why? Because the guide does not explicitly say that it consumes more bandwidth, only that it is polled approximately every 9 seconds. What it does indicate clearly is that the NetSessionEnum function is called when there is a login "or" logout; the trick is in this "or". It is not a strict "if and only if" of login/logout; it is either login "or" logout.
Correct:
B. The NetSessionEnum function is used to track user logouts.
FortiGate Infrastructure 7.2 Study Guide (p.128):
"NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function on Windows. It’s faster than the WinSec and WMI methods; however, it can miss some login events if a DC is under heavy system load. This is because sessions can be quickly created and purged from RAM, before the agent has a chance to poll and notify FortiGate."
Incorrect:
A. NetAPI polling can increase bandwidth usage in large networks. (WinSecLog)
C. The collector agent must search security event logs. (WinSecLog)
D. The collector agent uses a Windows API to query DCs for user logins. (WMI)
Reference and download Study Guide for free & no sign-up:
https://ebin.pub/qdownload/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
- WinSecLog: polls all the security event logs from the DC. It doesn't miss any login events that have been recorded by the DC because events are not normally deleted from the logs. There can be some delay in FortiGate receiving events if the network is large and, therefore, writing to the logs is slow. It also requires that the audit success of specific event IDs is recorded in the Windows security logs. For a full list of supported event IDs, visit the Fortinet Knowledge Base (http://kb.fortinet.com).
- NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function on Windows. It's faster than the WinSec and WMI methods; however, it can miss some login events if a DC is under heavy system load. This is because sessions can be quickly created and purged from RAM, before the agent has a chance to poll and notify FortiGate.
Answer is B
page 127.
Infrastructure guide V-7.2
Correct answer is B:
NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function on Windows. It’s faster than the WinSec and WMI methods; however, it can miss some login events if a DC is under heavy system load. This is because sessions can be quickly created and purged from RAM, before the agent has a chance to poll and notify FortiGate.
Answer A is for WinSecLog:
WinSecLog: polls all the security event logs from the DC. It doesn’t miss any login events that have been recorded by the DC because events are not normally deleted from the logs. There can be some delay in FortiGate receiving events if the network is large and, therefore, writing to the logs is slow. It also requires that the audit success of specific event IDs is recorded in the Windows security
I think the correct answer is A
The FSSO NetAPI polling mode scans a Microsoft Windows domain controller every 9 seconds.
The NetAPI polling uses the NetSessionEnum Microsoft API from netapi32.dll to detect the users that have established a session on the domain controller.
It must be considered that the bandwidth usage is based on the concurrent logged-in users when the polling action is executed.
For the other FSSO polling and DC Agent methods, the bandwidth calculation is not based on concurrent logged-in users but on logged-in users per second.
https://community.fortinet.com/t5/FortiGate/Technical-Note-FSSO-NetAPI-polling-bandwidth-usage-calculator/ta-p/196417
According to Microsoft "The NetSessionEnum method MUST return information about sessions that are established on a server or return an error code".
It does not track logout events.
Actually... D is correct. TBH, I don't think the collector agent is programmed to watch for logout events; that is why it does workstation checks. D itself is correct, since NetAPI uses a Windows API.
The NetAPI polling uses the NetSessionEnum Microsoft API from netapi32.dll to detect the users that have established a session on the domain controller. That means login, NOT logout, so A.
Reading more about this (also see my other comments), it's a reading exercise:
A. NetAPI polling can increase bandwidth usage in large networks: YES, it is correct, because more concurrent users means more bandwidth, but not extremely high. But it will increase.
B. The NetSessionEnum function is used to track user logouts: YES, it tracks user logins AND logouts.
So, I'm still not sure how to answer this. A is strictly correct, but the infrastructure guide does not mention anything about bandwidth, only something about poll interval times. B is also correct because NetAPI uses NetSessionEnum and can track user logouts. But "function is used to track user logouts" suggests it's only used for this. So I still feel like choosing answer B with my technical mind. But going on the text only, I would go for A.
NetAPI: polls temporary sessions created on the DC when a user logs in or logs out and calls the NetSessionEnum function on Windows.
FortiGate Infrastructure Study Guide 7.0, Page 270