VinayHM
Staff
August 6, 2025

Technical Tip: Differences between the blue and orange icons for the people icon in logs

Description

This article describes the differences between the blue and orange icons in the forward logs.

Scope

FortiGate.

Solution

There are two icons displayed in the forward traffic or the FortiView session.

 


  • Blue Icon: Represents user sessions authenticated via centralized authentication methods like FSSO (Fortinet Single Sign-On), LDAP, RADIUS, etc. These sessions are tied to users authenticated through external identity providers.

  • Orange Icon: Indicates device detection-based sessions, where Fortinet identifies users or devices directly through device detection mechanisms rather than centralized authentication. This could include devices detected via network traffic or device fingerprinting.

 

Implementing these configuration changes ensures that logging and analysis are concentrated exclusively on user sessions authenticated through centralized authentication mechanisms, such as LDAP, FSSO, or RADIUS. This approach effectively minimizes extraneous data generated by device detection processes, thereby enhancing the accuracy and relevance of audit trails and reports.

By disabling device detection at the interface level and configuring the system to filter logs accordingly, organizations can improve monitoring precision and streamline security oversight in accordance with best practices and compliance requirements.
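The log-side filtering described above can also be applied to exported forward traffic logs. The following is an added example, not part of the original article and not Fortinet code. It assumes a session with a populated `user` field is an authenticated-user session and that one carrying only device attributes (`srcmac`, `devtype`, `osname`, `srcname`) comes from device detection; that field-to-icon mapping is an assumption, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value log format (not real traffic).
SAMPLE_LOGS = [
    'date=2025-08-06 time=10:01:02 type="traffic" subtype="forward" srcip=10.0.1.15 '
    'dstip=203.0.113.10 user="jdoe" group="Staff" authserver="FSSO-AD" action="accept"',
    'date=2025-08-06 time=10:01:05 type="traffic" subtype="forward" srcip=10.0.1.44 '
    'dstip=203.0.113.20 srcmac="00:11:22:33:44:55" devtype="Printer" osname="Linux" action="accept"',
    'date=2025-08-06 time=10:01:09 type="traffic" subtype="forward" srcip=10.0.1.60 '
    'dstip=203.0.113.30 action="accept"',
    'date=2025-08-06 time=10:01:12 type="traffic" subtype="forward" srcip=10.0.1.15 '
    'dstip=203.0.113.40 user="a smith" srcmac="00:11:22:33:44:66" devtype="Laptop" action="accept"',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DEVICE_FIELDS = ("srcmac", "devtype", "osname", "srcname")  # assumed device-detection fields

def parse(line):
    """Turn one log line into a dict, stripping the quotes from quoted values."""
    return {key: (quoted or bare) for key, quoted, bare in PAIR.findall(line)}

def classify(rec):
    """Return 'user', 'device' or 'unidentified' for one forward-traffic record."""
    if rec.get("user"):
        return "user"          # identity supplied by an authentication source
    if any(rec.get(f) for f in DEVICE_FIELDS):
        return "device"        # only device-detection attributes are present
    return "unidentified"

def audit_view(lines):
    """Keep authenticated-user forward sessions and count every class seen."""
    counts, kept = Counter(), []
    for line in lines:
        rec = parse(line)
        if rec.get("type") != "traffic" or rec.get("subtype") != "forward":
            continue           # ignore anything that is not a forward traffic log
        kind = classify(rec)
        counts[kind] += 1
        if kind == "user":
            kept.append((rec["user"], rec.get("srcip", ""), rec.get("authserver", "")))
    return kept, dict(counts)

if __name__ == "__main__":
    kept, counts = audit_view(SAMPLE_LOGS)
    print(counts)
    print(kept)
```

The per-class counts show how much of the log volume comes from device detection alone before it is excluded from a report.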

 
