Description

This article describes FortiGate device detection, as outlined in Technical Tip: Enable 'Device Detection' to allow FortiOS to monitor networks.

Scope

FortiGate.

Solution

FortiOS has a feature called 'Device Detection' that may be enabled on interfaces with the role'LAN' or from CLI.

With this setting enabled, FortiGate collects information about connecting devices on that LAN interface, such as IP, MAC address, operating system, and users.

Details regarding device detection and what information it gathers may be found in Technical Tip: Enable 'Device Detection' to allow FortiOS to monitor networks.

FortiGate can receive this information from other sources like FortiClient EMS, FortiNAC, and FortiSwitch.

Some information FortiGate gathers this way (user and hostname information) may be included in logs.

In particular, the log fields 'unauthuser' and 'unauthusersource' contain information obtained via device detection:

As an example:

FGT-1 # diagnose user device list hosts

  vd root/0  00:62:65:6e:05:01  gen 13  req OUA/34

    created 260064s  gen 5  seen 0s  port35  gen 3

    ip 10.0.0.254  src mac

    os 'Windows'  src http  id 1444  weight 130

    software version '10'  src http  id 1444  weight 130

    host 'LAB-KVM05'  src mwbs

    user 'testuser'  src kerberos

FGT-1 # execute log display

1: date=2022-01-05 time=11:22:13 [...] srcip=10.0.0.254 srcname="LAB-KVM05" srcport=54378 srcintf="port35" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" [...] appcat="unscanned" osname="Windows" unauthuser="testuser" unauthusersource="kerberos" [...]2

2: date=2022-01-05 time=11:22:40 [...] srcip=10.0.0.240 srcname="LAB-KVM10" srcport=54378 srcintf="port35" srcintfrole="lan" dstip=44.199.160.6 dstport=443 dstintf="wan1" dstintfrole="wan" [...] appcat="unscanned" osname="Windows" unauthuser="testuser2" unauthusersource="forticlient" [...]

This information is not authoritative: it is a guess based on whatever traffic FortiGate was able to observe.

This means that user information obtained via device detection (or other source) may differ from that obtained via proper authentication (such as FSSO). By default, device information is kept in memory by 28 days, more information in the following document:

See Technical Tip: How to disable the device database.

Sometimes, when traffic is generated from a device without any authenticated user (device is up and running a background process like software updates, DNS queries), traffic logs are generated and show the 'unauthenticated user' field as the user:

However, no user has been authenticated in the firewall:

diagnose firewall auth list

----- 0 listed, 0 filtered ------

Device information can be displayed using the following command:

diagnose user-device-store user memory list

FortiAnalyzer reporting and FortiGate traffic log view, for example, are constructed in such a way that actual user information is preferred over the 'unauthuser' field.

The datasets underlying reporting construct source information first from the 'user' field; if that has no value, then the 'unauthuser' field, and if that also contains no information, then FortiAnalyzer defaults to source IP:

select

  coalesce(

    nullifna(`user`),

    nullifna(`unauthuser`),

    ipstr(`srcip`)

  ) as user_src,

[…]

In the FortiAnalyzer 7.0.2 dataset reference list, see the 'Top-Users-By-Bandwidth' dataset.