Visitor III
May 6, 2026
Question

FSSO User Visibility in Logs for Routed Networks (Non-Directly Connected Segments)


Hello Fortinet Community,

I have a question regarding FSSO and Active Directory user visibility in FortiGate logs.

Currently, the customer has LDAP/FSSO configured, and user identification works correctly for a LAN segment directly connected to the FortiGate. In those logs, we can properly see the authenticated username along with source IP, destination, and bandwidth usage.

However, there are additional user segments that are not directly connected to the firewall. These networks are learned through static/dynamic routing from other network devices. For traffic coming from those routed segments, the logs only show source/destination IPs and traffic usage, but no associated username.

My main question is:

Can FortiGate/FSSO associate users with IP addresses regardless of whether the network is directly connected or learned through routing protocols?

From my understanding, FSSO performs User ↔ IP mapping based on authentication events from Active Directory, so theoretically it should not depend exclusively on directly connected interfaces. However, I would like to confirm whether there are additional requirements or best practices for routed environments, such as:

  • Explicit subnet inclusion in FSSO
  • Traffic visibility or asymmetric routing considerations
  • Identity-based firewall policies
  • Collector Agent vs Polling Mode behavior
  • NAT or L3 transit limitations
  • Dependency on AD/DC logon event visibility

From a cybersecurity and operational visibility perspective, maintaining consistent user-IP correlation across all corporate segments is critical for:

  • Auditing and compliance
  • Threat hunting
  • Incident response and forensics
  • Zero Trust policy enforcement
  • User-based access control and monitoring

Has anyone experienced a similar scenario or can confirm the recommended approach to ensure proper user visibility in routed networks?

Thanks in advance.

1 reply

AEK
SuperUser
May 7, 2026

Hi Willy

FSSO works fine in routed networks but doesn’t work if clients are behind NAT.

AEK
willy007 (Author)
Visitor III
May 8, 2026

Great, I’m going to try a LAB with that
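
For a lab test like the one mentioned above, the following added example (not part of any post in this thread) measures how many traffic-log sessions per segment carry a username, so routed segments without user attribution stand out. The log lines are constructed, the segment names and subnets are hypothetical, and the `type`, `srcip` and `user` field names are assumed to match FortiGate's key=value traffic-log format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in key=value traffic-log style (not taken from the thread).
SAMPLE_LOGS = """\
date=2026-05-06 time=10:00:01 type="traffic" subtype="forward" srcip=10.10.1.25 dstip=203.0.113.10 user="jdoe" sentbyte=1200
date=2026-05-06 time=10:00:02 type="traffic" subtype="forward" srcip=10.10.1.31 dstip=203.0.113.11 user="asmith" sentbyte=800
date=2026-05-06 time=10:00:03 type="traffic" subtype="forward" srcip=10.20.5.14 dstip=203.0.113.10 sentbyte=500
date=2026-05-06 time=10:00:04 type="traffic" subtype="forward" srcip=10.20.5.77 dstip=203.0.113.12 user="" sentbyte=300
date=2026-05-06 time=10:00:05 type="traffic" subtype="forward" srcip=192.0.2.9 dstip=203.0.113.10 sentbyte=10
"""

# Hypothetical segments; replace with the real addressing plan.
SEGMENTS = {
    "lan-direct": ipaddress.ip_network("10.10.1.0/24"),      # directly connected LAN
    "routed-branch": ipaddress.ip_network("10.20.5.0/24"),   # learned via routing
}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_line(line):
    """Turn one log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def segment_for(addr):
    """Map a source address to a named segment, or 'unmapped'."""
    return next((n for n, net in SEGMENTS.items() if addr in net), "unmapped")

def coverage(log_text):
    """Per segment: session count, sessions with a user, and source IPs never attributed."""
    stats = defaultdict(lambda: {"sessions": 0, "with_user": 0, "anon_ips": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue
        try:
            addr = ipaddress.ip_address(rec.get("srcip", ""))
        except ValueError:
            continue  # missing or malformed srcip: skip the line
        seg = stats[segment_for(addr)]
        seg["sessions"] += 1
        if rec.get("user"):          # absent or empty user means no identity was mapped
            seg["with_user"] += 1
        else:
            seg["anon_ips"].add(str(addr))
    return {n: {**s, "anon_ips": sorted(s["anon_ips"])} for n, s in stats.items()}

if __name__ == "__main__":
    for name, s in coverage(SAMPLE_LOGS).items():
        print(f'{name}: {s["with_user"]}/{s["sessions"]} sessions with user; no user: {s["anon_ips"]}')
```

Source IPs listed without a user in a routed segment are the ones to compare against the logon events seen for that segment.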