M0onl1t
New Member
April 20, 2020
Question

Meaning of unauthuser and unauthusersource

Hi, can anyone tell me the meaning of unauthuser and unauthusersource in the logs?

Oct 30 11:14:50 192.168.1.4 date=2013-10-30 time=11:14:50 devname=FG100D3 devid=FG100D3 logid=0315013317 type=utm subtype=webfilter eventtype=urlfilter level=notice vd="root" policyid=30 identidx=0 sessionid=21843402 srcname="MacBook-MacBook-Pro-de-B.local" osname="Mac OS X" osversion="10.8.5" unauthuser="bj" unauthusersource="forticlient" srcip=192.168.32.8 srcport=60038 srcintf="internal2" dstip=107.20.232.119 dstport=80 dstintf="ISP-Colt" service="http" hostname="nagios.foo.net" profiletype="Webfilter_Profile" profile="default" status="passthrough" reqtype="referral" url="/nagios3/images/comment.gif" sentbyte=633 rcvdbyte=187 msg="URL has been visited" method=domain class="0" cat=255

In other logs, dstunauthusersource and dstunauthuser appear. What is the meaning? Thanks so much.

    2 replies

    AtiT
    New Member
    November 23, 2020

    I am also interested in this. I can see logs with unauthusersource="kerberos" and I can see users in the logs as unauthuser that contain a username that is disabled and does not belong to any user group.

    Where does this unauthuser value come from?


    mricardez
    Staff
    January 4, 2022

    The log entries are addressing the user login and login source from the device detection/identification feature (enabled at the interface).


    - The logs with unauthusersource="kerberos" are collected from the Kerberos traffic of the authentication process between a PC and AD.

    - When the FG has device detection enabled on an interface, the FG will inspect the PC's authentication process against the AD (Kerberos traffic) and will record the username.


    - Topology in the lab:


    PC (192.168.79.1) -> FortiGate -> AD (192.168.78.1)


    1: date=2022-01-04 time=10:45:13 eventtime=1641321913730103681 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.79.1 srcname="DESKTOP-OLGFQ84" srcport=51102 srcintf="vlan279" srcintfrole="lan" dstip=192.168.78.1 dstport=53 dstintf="vlan278" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=11460 proto=17 action="accept" policyid=2 policytype="policy" poluuid="c82d7686-6d84-51ec-255f-889aa12ee3b0" policyname="Vlan279To278" service="DNS" trandisp="noop" duration=192 sentbyte=310 rcvdbyte=62 sentpkt=5 rcvdpkt=1 appcat="unscanned" osname="Windows" unauthuser="user1" unauthusersource="kerberos" mastersrcmac="00:53:6d:6f:37:02" srcmac="00:53:6d:6f:37:02" srcserver=0 dstosname="Windows" dstswversion="8/8.1/10" masterdstmac="00:53:6d:6f:36:02" dstmac="00:53:6d:6f:36:02" dstserver=0


    FGVM020000110916 # diagnose user device list
    hosts
    vd root/0 00:53:6d:6f:37:02 gen 9 req OA/24
    created 4066s gen 3 seen 0s vlan279 gen 2
    ip 192.168.79.1 src mac
    os 'Windows' src dhcp id 848 weight 128
    host 'DESKTOP-OLGFQ84' src dhcp
    user 'user1' src kerberos
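As an added example (not from this thread, and not Fortinet's own tooling), here is a small Python parser for these key=value log lines that pulls out the passively learned identity fields (unauthuser/unauthusersource and their dst counterparts) and cross-checks them against a list of accounts that should not be active, which is the situation AtiT describes. The sample log lines and the disabled-account list are constructed for the example; the parser assumes the standard FortiGate format shown above, where quoted values may contain spaces and a CLI listing may prefix each line with "N: ".

```python
import re

# One FortiGate field: key=value, where value is either "quoted text" or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict of field -> value.
    A leading "N: " index, as printed by the CLI log display, is dropped."""
    line = re.sub(r'^\s*\d+:\s*', '', line.strip())
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _FIELD_RE.finditer(line)}

def passive_identities(lines):
    """Return (ip, user, source) for every passively learned user in the lines.
    unauthuser is tied to srcip, dstunauthuser to dstip; the source field says
    how the identity was observed (kerberos, forticlient, ...), not authenticated."""
    out = []
    for line in lines:
        f = parse_fortigate_log(line)
        for user_key, src_key, ip_key in (("unauthuser", "unauthusersource", "srcip"),
                                          ("dstunauthuser", "dstunauthusersource", "dstip")):
            if user_key in f:
                out.append((f.get(ip_key), f[user_key], f.get(src_key)))
    return out

def flag_disabled(lines, disabled_accounts):
    """Return the passively learned identities whose username is in
    disabled_accounts (case-insensitive): a disabled AD account still being
    seen in Kerberos traffic is worth investigating."""
    disabled = {u.lower() for u in disabled_accounts}
    return [t for t in passive_identities(lines) if t[1].lower() in disabled]

# Constructed sample lines modelled on the ones quoted in this thread.
SAMPLE_LINES = [
    '1: date=2022-01-04 time=10:45:13 logid="0000000013" type="traffic" subtype="forward" '
    'vd="root" srcip=192.168.79.1 srcname="DESKTOP-OLGFQ84" dstip=192.168.78.1 dstport=53 '
    'service="DNS" action="accept" osname="Windows" unauthuser="user1" unauthusersource="kerberos"',
    'date=2013-10-30 time=11:14:50 devname=FG100D3 type=utm subtype=webfilter vd="root" '
    'srcname="MacBook-MacBook-Pro-de-B.local" osname="Mac OS X" unauthuser="bj" '
    'unauthusersource="forticlient" srcip=192.168.32.8 dstip=107.20.232.119 msg="URL has been visited"',
    'date=2022-01-04 time=10:46:02 type="traffic" subtype="forward" srcip=192.168.79.1 '
    'dstip=192.168.79.7 dstunauthuser="olduser" dstunauthusersource="kerberos"',
]

if __name__ == "__main__":
    # "olduser" stands in for a disabled AD account (constructed).
    for hit in flag_disabled(SAMPLE_LINES, ["olduser"]):
        print("passively learned user matches a disabled account:", hit)
```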