Hello Fuse Community,
We are running a pair of FortiGates connected to a FortiAnalyzer and are having a heck of a time trying to identify P2P users. All our users are NATed behind the firewall, which adds another layer of complexity, and it doesn't help that the DMCA notifications do not list a destination IP, only timestamp, my public IP, and port number. Are any of you able to successfully identify internal users by running a report via FortiAnalyzer or using data directly off of the FortiGate firewall itself? TIA for any assistance.
Mike
Mike, P2P users should be pretty easy to spot in your FWD Traffic logs on the FGT itself. I would start there, assuming you're blocking this traffic type via Web/App Profiles. I personally don't have any experience with the FortiAnalyzer. If you're using an identity-based policy leveraging FSSO you should be able to filter on "username".
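One way to do the correlation the question and this reply describe (take the timestamp, public IP and port from the notice and search the forward-traffic log for the session whose translated address and port match, then read off the internal source IP and, where an identity policy applies, the user), as an added example that is not part of this thread or of Fortinet's own tooling. The field names follow the FortiOS traffic-log key=value schema (srcip, srcport, transip, transport, user, app, appcat); the log lines, addresses, user names and notice values are constructed for the example, and the window and timezone handling are assumptions you would tune to your own deployment.

```python
"""Map a DMCA-style notice (timestamp, public IP, port) back to an internal host
using FortiGate forward-traffic log lines. Added example; not Fortinet code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the FortiOS key=value log format. Field names are
# the ones FortiOS uses for NAT sessions; every value below is made up.
SAMPLE_LOGS = """\
date=2024-03-05 time=21:14:02 devname="fgt-edge" type="traffic" subtype="forward" srcip=10.20.4.17 srcport=51432 srcintf="port2" dstip=203.0.113.40 dstport=6881 dstintf="wan1" proto=6 action="accept" policyid=12 user="jdoe" transip=198.51.100.10 transport=41022 app="BitTorrent" appcat="P2P" sentbyte=9180 rcvdbyte=44210
date=2024-03-05 time=21:14:09 devname="fgt-edge" type="traffic" subtype="forward" srcip=10.20.4.88 srcport=50211 srcintf="port2" dstip=198.51.100.77 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=12 user="asmith" transip=198.51.100.10 transport=41023 app="HTTPS" appcat="Web.Client" sentbyte=1200 rcvdbyte=8800
date=2024-03-05 time=23:50:41 devname="fgt-edge" type="traffic" subtype="forward" srcip=10.20.9.5 srcport=60001 srcintf="port2" dstip=192.0.2.9 dstport=6889 dstintf="wan1" proto=17 action="accept" policyid=14 transip=198.51.100.10 transport=41022 app="BitTorrent" appcat="P2P" sentbyte=3300 rcvdbyte=12000
date=2024-03-05 time=21:16:15 devname="fgt-edge" type="traffic" subtype="forward" srcip=10.20.4.17 srcport=51440 srcintf="port2" dstip=203.0.113.41 dstport=6881 dstintf="wan1" proto=6 action="accept" policyid=12 user="jdoe" transip=198.51.100.11 transport=41022 app="BitTorrent" appcat="P2P" sentbyte=500 rcvdbyte=700
"""

# key=value with optional double-quoted values (quotes may contain spaces).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiOS log line into a dict of string fields."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def find_internal_hosts(log_lines, public_ip, public_port, notice_time_iso,
                        window_minutes=5, log_utc_offset_hours=0):
    """Return forward-traffic sessions whose SNAT address/port match the notice
    and whose log time falls within +/- window_minutes of the notice time.

    notice_time_iso: ISO-8601 timestamp from the notice; treated as UTC if naive.
    log_utc_offset_hours: the FortiGate's configured timezone, since date/time
    in the log are local to the device while notices are normally UTC.
    """
    notice_time = datetime.fromisoformat(notice_time_iso)
    if notice_time.tzinfo is None:
        notice_time = notice_time.replace(tzinfo=timezone.utc)
    log_tz = timezone(timedelta(hours=log_utc_offset_hours))
    window = timedelta(minutes=window_minutes)

    matches = []
    for line in log_lines:
        f = parse_line(line)
        if f.get("type") != "traffic" or f.get("subtype") != "forward":
            continue
        # transip/transport are the post-NAT address and port the outside world saw.
        if f.get("transip") != public_ip or f.get("transport") != str(public_port):
            continue
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=log_tz)
        if abs(ts - notice_time) > window:
            continue  # same port reused by a later session; not this notice
        matches.append({
            "time": ts.isoformat(),
            "srcip": f.get("srcip"),
            "srcport": f.get("srcport"),
            # No user field means the policy was not identity-based (no FSSO/auth).
            "user": f.get("user") or "(no identity on this policy)",
            "dstip": f.get("dstip"),
            "app": f.get("app"),
            "appcat": f.get("appcat"),
        })
    return matches


if __name__ == "__main__":
    # Constructed notice: public IP 198.51.100.10, port 41022, 21:14 UTC.
    for hit in find_internal_hosts(SAMPLE_LOGS.splitlines(), "198.51.100.10", 41022,
                                   "2024-03-05T21:14:00+00:00"):
        print(hit)
```

The timestamp window matters because a PAT pool reuses ports: the third sample line has the same public IP and port hours later from a different host, and only the window keeps it out of the result. If the FortiGate itself only ever sees a SNAT address as the source (the situation raised further down in this thread), srcip in the log is that SNAT address and this lookup cannot get you to a host; you need the FortiGate, or another log source, on the inside of that NAT.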
Hello,
You can track down the P2P users using FortiView on your own firewall. If the firewall version is v5.2.4 it will be very easy to identify P2P users.
Thank you
Sebastião Júnior
IT Security Analyst
NSE4, NSE6, NSE7, FCNSA, FCNSP, CCSA, CCSE
Phone: +55 16 3514 3530 | +55 16 99151 4013
Email: sebastiao.junior@safetyware.com.br
Skype: sebastian.junior3
Mike,
If I understand your use case correctly, your FortiGate does not see its internal users by IP and instead sees them as some SNAT IP or pool, even internally?
That is sadly not a situation which gives us any form of identification capabilities, as we can't really track users in this case. About your only solution would be to use some form of authenticated explicit proxy technique, but that's likely out of the question and, frankly, somewhat of an outdated approach with modern NGFW. Is there a specific reason you cannot see the source IP of your users? Is there any way you could introduce the FortiGate earlier in your network in order to see that rather critical piece of information?
--
Mathieu Nantel - NSE4, CCIE 24349
Principal System Engineer / Senior Technical Consultant, Office of the CTO
-- Mathieu Nantel Systems Engineer / Technical Advisor - Fortinet Montreal, QC
Copyright 2024 Fortinet, Inc. All Rights Reserved.