Just to add, we are also getting the same issues. I use FGT & FAZ. We are using FSSO, and on the FAZ report sometimes the FSSO username is displayed, sometimes the IP address. On some occasions the same user is counted twice, under either his or her FSSO username or PC ID.
If the FortiGate has been integrated with any of the directory services through FSSO, LDAP or RADIUS, then you will get the username in reports and FortiView.
You can check the user status in the User > Monitor module.
If you are using device discovery on an interface, it sniffs the machine details (name, device type, username etc.).
And I found that the FGT detected "teiji-k@...ne.jp" as the user name, which is also recognised as "192.168.1.240(teiji-k@...ne.jp)" in the FortiAnalyzer logs.
If you have device detection enabled on FGTs and no other definitive user identity info is available (e.g. FSSO or firewall-authenticated users), the FGTs can learn some unofficial identities from the devices, such as the email login teiji-k@...ne.jp etc., and write the info to the traffic log. FAZ will use this information for reports.
This is what I have found so far about what I asked.
Is my understanding written below correct?
[from Fortigate CLI]
#diag user device list
We can actually see how each device is detected:
vd 0 (MACaddress) 3 gen 225296 req 2c redir 0 last 106790s port1 host 'iPhone' src dhcp
vd 0 (MACaddress) gen 192525 req 0 redir 0 last 503786s port1 ip 192.168.1.75 type 8 'Windows PC' src configured c 1 gen 31159 os 'Windows' version '' src http id 1883 c 1 host 'Wsn25' src dhcp user 'SAKAMOTO' src auth
vd 0 (MACaddress) gen 192492 req 10 redir 0 last 146s port1 ip 192.168.1.240 type 8 'Windows PC' src configured c 1 gen 31126 os 'Windows' version '8.1' src http id 1824 c 1 user 't-eguchi' src pop3
vd 0 (MACaddress) gen 1611 req 0 redir 0 last 99708s internal ip 192.168.2.216 type 8 'Windows PC' src dhcp c 1 gen 1561 os 'Windows' version '' src dhcp id 24 c 1 host 'Wsn07' src dhcp user 'k-sato' src kerberos
[Below is what I learnt this time!]
■Fortigate
・Device name (= host name)
src dhcp ⇒ via ARP broadcast?
When "Device detection" is enabled and the FortiGate can detect the hostname via an ARP broadcast frame, it will be shown as the device name in the "Device" field.
src kerberos?? ⇒ There may be some other way to detect the device's information.
・User name
1) src pop3
When "Device detection" is enabled and the FortiGate can catch this information inside the POP3 packet, the FortiGate treats it as the username and shows it in the "User" field with a red human-shaped icon. (unofficial)
2) src auth
When "User authentication" is used inside the FortiGate unit, in this case SSL-VPN, the FortiGate treats it as the username and shows it in the "User" field with a blue human-shaped icon.
・The name beside the IP address
When "FSSO" is enabled and the username was resolved by DNS reverse lookup, the FortiGate shows it beside the IP address, in the "Source IP" field for example.
■Fortianalyzer
・The name beside the IP address: In FortiView > Summary View > Top Source > "Source IP" field, FAZ shows the username beside the IP address with a blue human-shaped icon, which was detected via the "Device detection" function of the FortiGate described above.
・Device name (via FSSO reverse lookup or device name): In FortiView > Summary View > Top Source > "Device" field, FAZ shows the FQDN resolved via the FSSO function of the FortiGate unit, but if the name was not found by reverse lookup, FAZ uses the "device name" information acquired via "Device detection" instead.
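As an added example that is not part of this thread, here is a small Python parser for the `diag user device list` output quoted above; it separates usernames the FortiGate learned through authentication (src auth, src kerberos) from names it merely sniffed from traffic (src pop3, src http, src dhcp), so an analyst reading FAZ reports knows which attributions are "unofficial". Which sources count as trusted is this example's assumption, not something the thread or Fortinet states.

```python
import re

# Sample `diag user device list` output, copied from the thread above
# (the poster had already replaced MAC addresses with "(MACaddress)").
SAMPLE = """\
vd 0 (MACaddress) 3 gen 225296 req 2c redir 0 last 106790s port1 host 'iPhone' src dhcp
vd 0 (MACaddress) gen 192525 req 0 redir 0 last 503786s port1 ip 192.168.1.75 type 8 'Windows PC' src configured c 1 gen 31159 os 'Windows' version '' src http id 1883 c 1 host 'Wsn25' src dhcp user 'SAKAMOTO' src auth
vd 0 (MACaddress) gen 192492 req 10 redir 0 last 146s port1 ip 192.168.1.240 type 8 'Windows PC' src configured c 1 gen 31126 os 'Windows' version '8.1' src http id 1824 c 1 user 't-eguchi' src pop3
vd 0 (MACaddress) gen 1611 req 0 redir 0 last 99708s internal ip 192.168.2.216 type 8 'Windows PC' src dhcp c 1 gen 1561 os 'Windows' version '' src dhcp id 24 c 1 host 'Wsn07' src dhcp user 'k-sato' src kerberos
"""

# Sources that mean the FortiGate verified the identity (firewall/SSL-VPN
# auth, Kerberos) versus names merely sniffed from traffic (pop3, http, dhcp).
# Which sources count as trusted is this example's assumption.
AUTHENTICATED_SOURCES = {"auth", "kerberos"}

IP_RE = re.compile(r"\bip (\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\bhost '([^']*)' src (\w+)")
USER_RE = re.compile(r"\buser '([^']*)' src (\w+)")

def parse_device_list(text):
    """Return one dict per device entry with ip, host, user and their sources."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("vd "):
            continue
        ip = IP_RE.search(line)
        host = HOST_RE.search(line)
        user = USER_RE.search(line)
        user_src = user.group(2) if user else None
        entries.append({
            "ip": ip.group(1) if ip else None,
            "host": host.group(1) if host else None,
            "host_src": host.group(2) if host else None,
            "user": user.group(1) if user else None,
            "user_src": user_src,
            "user_trusted": user_src in AUTHENTICATED_SOURCES,
        })
    return entries

def unofficial_identities(entries):
    """Users whose name was only sniffed: the red-icon entries in FortiView."""
    return [(e["ip"], e["user"], e["user_src"])
            for e in entries if e["user"] and not e["user_trusted"]]

if __name__ == "__main__":
    for ip, user, src in unofficial_identities(parse_device_list(SAMPLE)):
        print(f"{ip}: user {user!r} learned only from {src}; verify before attributing")
```

On the sample above only the 192.168.1.240 entry (user learned from POP3) is flagged; the SSL-VPN and Kerberos users pass as verified.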