Technical Tip: FortiAnalyzer compromised host showing wrong End User and IP address
- August 17, 2022
| Description | This article describes an issue where the FortiAnalyzer Compromised Hosts view shows the wrong End User and IP address. |
| Scope | FortiAnalyzer. |
| Solution | In FortiAnalyzer -> FortiView -> FortiView -> Compromised Hosts, the End User shown on an entry may not be shown with the correct current IP address. The most probable cause is a DHCP server configured with a short lease time, something less than 24 hours.
With a short lease, hosts in the network are assigned new IP addresses very frequently, so the endpoint user -> IP relation held on the FortiAnalyzer becomes outdated.
The underlying reason is that this feature is predominantly designed for static IPs; however, it can also be used in a DHCP environment with a DHCP lease longer than 7 days. |
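When triaging a Compromised Hosts entry in a short-lease network, the IP should be resolved against DHCP lease history at the time of detection, not against whoever holds it now. The following is an added example, not Fortinet code: the lease records, hostnames and function names are constructed for illustration, and only the 7-day threshold comes from the article.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

MIN_LEASE = timedelta(days=7)  # lease length the article gives as the threshold

class Lease(NamedTuple):
    ip: str
    mac: str
    hostname: str
    start: datetime
    duration: timedelta

# Constructed sample data (not FortiAnalyzer output): 8-hour leases, with
# 10.0.0.50 handed to two different hosts on the same day.
LEASES = [
    Lease("10.0.0.50", "aa:bb:cc:00:00:01", "laptop-alice",
          datetime(2022, 8, 17, 1, 0), timedelta(hours=8)),
    Lease("10.0.0.50", "aa:bb:cc:00:00:02", "laptop-bob",
          datetime(2022, 8, 17, 10, 0), timedelta(hours=8)),
    Lease("10.0.0.51", "aa:bb:cc:00:00:01", "laptop-alice",
          datetime(2022, 8, 17, 10, 30), timedelta(hours=8)),
]

def holder_at(leases: List[Lease], ip: str, when: datetime) -> Optional[Lease]:
    """Return the lease that covered `ip` at `when`, or None if it was free."""
    hits = [l for l in leases if l.ip == ip and l.start <= when < l.start + l.duration]
    return max(hits, key=lambda l: l.start) if hits else None

def check_attribution(leases, ip, detected_at, now) -> Tuple[Optional[Lease], Optional[Lease], bool]:
    """Compare who held `ip` when the event was logged with who holds it now.

    stale is True when the IP has since moved to a different MAC (or is free),
    i.e. a user-to-IP mapping recorded at detection time no longer applies.
    """
    then = holder_at(leases, ip, detected_at)
    current = holder_at(leases, ip, now)
    stale = then is not None and (current is None or current.mac != then.mac)
    return then, current, stale

def short_leases(leases: List[Lease]) -> List[Lease]:
    """Leases shorter than MIN_LEASE, where stale attribution is likely."""
    return [l for l in leases if l.duration < MIN_LEASE]

if __name__ == "__main__":
    then, current, stale = check_attribution(
        LEASES, "10.0.0.50", datetime(2022, 8, 17, 3, 0), datetime(2022, 8, 17, 12, 0))
    print("at detection:", then.hostname, "| now:", current.hostname, "| stale:", stale)
    print("short leases:", len(short_leases(LEASES)))
```

In the sample data the host that triggered the detection has already moved to 10.0.0.51, so following the IP alone would lead the investigation to the wrong machine.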
