Cybersecurity Forum


MikeSana
New Contributor

Tracking down P2P users with FortiGate and FortiAnalyzer

Hello Fuse Community,

We are running a pair of FortiGates connected to a FortiAnalyzer and are having a heck of a time trying to identify P2P users. All our users are NAT'ed behind the firewall, which adds another layer of complexity, and it doesn't help that the DMCA notifications do not list a destination IP, only timestamp, my public IP, and port number. Are any of you able to successfully identify internal users by running a report via FortiAnalyzer or using data directly off of the FortiGate firewall itself? TIA for any assistance.

Mike

CamrEntr
New Contributor

Mike, P2P users should be pretty easy to spot in your FWD Traffic logs on the FGT itself. I would start there, assuming you're blocking this traffic type via Web/App Profiles. I personally don't have any experience with the FortiAnalyzer. If you're using an identity-based policy leveraging FSSO you should be able to filter on "username".

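As an added illustration of the log-based approach suggested in this reply (not code from the thread, from Fortinet, or from any poster): a small Python script that takes what a DMCA notice actually provides (timestamp, public IP, port) and matches it against FortiGate forward-traffic log lines to recover the internal source address and, where FSSO is in use, the username. It assumes the FortiGate itself performs the SNAT and therefore logs the translated address and port; the field names (srcip, transip, transport, appcat, user) and the sample log lines are assumptions/constructed, so check them against your firmware's log reference.

```python
import re
from datetime import datetime, timedelta

# Constructed FortiGate-style forward traffic log lines (key=value syslog format).
# Field names follow the FortiGate traffic-log schema as assumed here; verify the
# exact names (e.g. transip/transport vs. tranip/tranport) for your firmware version.
SAMPLE_LOGS = """\
date=2016-03-01 time=21:14:02 type=traffic subtype=forward srcip=10.1.5.23 srcport=51234 dstip=203.0.113.77 dstport=6881 transip=198.51.100.10 transport=40211 proto=6 app="BitTorrent" appcat="P2P" user="jdoe"
date=2016-03-01 time=21:14:05 type=traffic subtype=forward srcip=10.1.5.40 srcport=44021 dstip=203.0.113.9 dstport=443 transip=198.51.100.10 transport=40212 proto=6 app="HTTPS" appcat="Web.Client" user="asmith"
date=2016-03-01 time=21:30:11 type=traffic subtype=forward srcip=10.1.5.23 srcport=51240 dstip=203.0.113.78 dstport=6881 transip=198.51.100.10 transport=40211 proto=6 app="BitTorrent" appcat="P2P" user="jdoe"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_notice(logs, public_ip, port, notice_ts, window_minutes=5):
    """Return log records whose NAT-translated IP/port equal the notice's
    public IP/port and whose timestamp lies within +/- window_minutes of the
    notice time. notice_ts is 'YYYY-MM-DD HH:MM:SS' in the SAME timezone as the
    logs: DMCA notices are often UTC, so normalise before comparing."""
    notice_time = datetime.strptime(notice_ts, "%Y-%m-%d %H:%M:%S")
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in logs.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("transip") != public_ip or rec.get("transport") != str(port):
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        if abs(ts - notice_time) <= window:
            hits.append(rec)
    return hits


def suspects(hits):
    """Distinct (internal IP, FSSO user, flagged-as-P2P) triples from the matches."""
    return sorted({(h["srcip"], h.get("user", "-"), h.get("appcat") == "P2P") for h in hits})


if __name__ == "__main__":
    # Constructed notice: public IP 198.51.100.10, source port 40211, 21:14:00 local time.
    found = match_notice(SAMPLE_LOGS, "198.51.100.10", 40211, "2016-03-01 21:14:00")
    print(suspects(found))
```

The port in the notice is only meaningful together with a tight time window, since a SNAT pool reuses ports; widen the window cautiously and treat a result with more than one internal IP as inconclusive.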
sebjunior
New Contributor

Hello, 
You can track down the P2P users using the FortiView on your own firewall. If the firewall version is v5.2.4 it will be very easy to identify P2P users.

Thank you

Sebastião Júnior

IT Security Analyst

NSE4, NSE6, NSE7, FCNSA, FCNSP, CCSA, CCSE

Fone: +55 16 3514 3530 | +55 16 99151 4013

Email: sebastiao.junior@safetyware.com.br

Skype: sebastian.junior3

www.safetyware.com.br

Fortinet Security Engineer
mnantel_FTNT
Staff

Mike,

If I understand your use case correctly, your FortiGate does not see its internal users by IP and instead sees them as some SNAT IP or pool, even internally?

That is sadly not a situation which gives us any form of identification capabilities, as we can't really track users in this case. About your only solution would be to use some form of authenticated explicit proxy technique, but that's likely out of the question and frankly somewhat of an outdated approach with modern NGFW. Is there a specific reason you cannot see the source IP of your users? Is there any way you could introduce the FortiGate earlier in your network in order to see that rather critical piece of information?

--

Mathieu Nantel - NSE4, CCIE 24349

Principal System Engineer / Consultant Technique Senior, Office of the CTO

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC
