Debbie_FTNT
Staff

Description


This article expands upon FortiGate device detection as outlined here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-Device-Detection-to-allow-FortiOS-t...


Solution


FortiOS has a feature called 'Device Detection' that may be enabled on interfaces with the role 'LAN', or from the CLI.


With this setting enabled, FortiGate collects information about connecting devices on that LAN interface, such as IP, MAC address, operating system, and users.


Details regarding device detection and what information it gathers may be found here:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-Device-Detection-to-allow-FortiOS-t...


Some information FortiGate gathers this way (user and hostname information) may be included in logs.

In particular, the log fields 'unauthuser' and 'unauthusersource' contain information obtained via device detection:


As an example:


FGT-1 # dia user device list hosts
  vd root/0  00:62:65:6e:05:01  gen 13  req OUA/34
    created 260064s  gen 5  seen 0s  port35  gen 3
    ip 10.0.0.254  src mac
    os 'Windows'  src http  id 1444  weight 130
    software version '10'  src http  id 1444  weight 130
    host 'LAB-KVM05'  src mwbs
    user 'testuser'  src kerberos


FGT-1 # execute log display

1: date=2022-01-05 time=11:22:13 [...] srcip=10.0.0.254 srcname="LAB-KVM05" srcport=54378 srcintf="port35" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" [...] appcat="unscanned" osname="Windows" unauthuser="testuser" unauthusersource="kerberos" [...]


This information is NOT authoritative; it is a guess based on whatever traffic the FortiGate was able to observe.

This means that user information obtained via device detection may differ from user information obtained via proper authentication (such as FSSO).


FortiAnalyzer reporting, for example, is constructed in such a way that actual user information is preferred over the 'unauthuser' field.

The datasets underlying reporting construct source information first from the 'user' field; if that has no value, then the 'unauthuser' field, and if that also contains no information, then FortiAnalyzer defaults to source IP:


select
  coalesce(
    nullifna(`user`),
    nullifna(`unauthuser`),
    ipstr(`srcip`)
  ) as user_src,
[…]


From https://docs.fortinet.com/document/fortianalyzer/7.0.2/dataset-reference/328855/dataset-reference-li..., the “Top-Users-By-Bandwidth” dataset.
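The same precedence, applied to raw FortiGate log lines instead of a FortiAnalyzer dataset, as an added example (not code from the article or from Fortinet): a small key=value parser plus an attribution function that returns the chosen identity together with a provenance label, so an analyst can see whether a name came from real authentication, from a device-detection guess, or is just the source IP. The sample log lines are constructed, and the nullifna() stand-in assumes the FortiAnalyzer helper treats 'N/A' and empty strings as NULL.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the FortiOS key=value log format shown above:
# 1) user known only via device detection, 2) authenticated user present in
# 'user' (must win), 3) neither populated, so attribution falls back to srcip.
SAMPLE_LOGS = [
    'date=2022-01-05 time=11:22:13 srcip=10.0.0.254 srcname="LAB-KVM05" srcintf="port35" '
    'dstip=8.8.8.8 dstport=53 osname="Windows" unauthuser="testuser" unauthusersource="kerberos"',
    'date=2022-01-05 time=11:23:01 srcip=10.0.0.254 user="alice" unauthuser="testuser" '
    'unauthusersource="kerberos" dstip=1.1.1.1 dstport=443',
    'date=2022-01-05 time=11:24:45 srcip=10.0.0.17 user="N/A" dstip=10.0.0.1 dstport=22',
]

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a field -> value dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def nullifna(value: Optional[str]) -> Optional[str]:
    """Stand-in for FortiAnalyzer's nullifna(): 'N/A' and empty become None (assumption)."""
    if value is None or value == "" or value.upper() == "N/A":
        return None
    return value


def attribute_user(rec: Dict[str, str]) -> Tuple[str, str]:
    """Apply the dataset's coalesce() precedence: user > unauthuser > srcip.
    Returns (identity, provenance). The provenance label tells an analyst how
    far to trust the identity: 'authenticated' came from a real login (FSSO etc.),
    'device-detection:<source>' is a guess from observed traffic, 'srcip' is no user.
    """
    user = nullifna(rec.get("user"))
    if user is not None:
        return user, "authenticated"
    unauth = nullifna(rec.get("unauthuser"))
    if unauth is not None:
        return unauth, "device-detection:" + rec.get("unauthusersource", "unknown")
    return rec.get("srcip", "unknown"), "srcip"


def attribute_all(lines: List[str]) -> List[Tuple[str, str]]:
    """Attribute every log line, keeping the provenance alongside the identity."""
    return [attribute_user(parse_fortios_log(line)) for line in lines]
```

Keeping the provenance in the output is the practical point: a name tagged 'device-detection:kerberos' should not be treated as a confirmed login in an investigation, whereas an 'authenticated' value can be.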