This article expands upon FortiGate device detection as outlined here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-Device-Detection-to-allow-FortiOS-t...
FortiOS has a feature called 'Device Detection' that may be enabled on interfaces with the role'LAN' or from CLI.
With this setting enabled, FortiGate collects information about connecting devices on that LAN interface, such as IP, MAC address, operating system, and users.
Details regarding device detection and what information it gathers may be found here:
Some information FortiGate gathers this way (user and hostname information) may be included in logs.
In particular, the log fields 'unauthuser' and 'unauthusersource' contain information obtained via device detection:
As an example:
FGT-1 # dia user device list hosts
vd root/0 00:62:65:6e:05:01 gen 13 req OUA/34
created 260064s gen 5 seen 0s port35 gen 3
ip 10.0.0.254 src mac
os 'Windows' src http id 1444 weight 130
software version '10' src http id 1444 weight 130
host 'LAB-KVM05' src mwbs
user 'testuser' src kerberos
FGT-1 # execute log display
1: date=2022-01-05 time=11:22:13 [...] srcip=10.0.0.254 srcname="LAB-KVM05" srcport=54378 srcintf="port35" srcintfrole="lan" dstip=220.127.116.11 dstport=53 dstintf="wan1" dstintfrole="wan" [...] appcat="unscanned" osname="Windows" unauthuser="testuser" unauthusersource="kerberos" [...]
This information is NOT authoritative, it is a guess based on whatever traffic FortiGate was able to observe.
This means that user information obtained via device detection may differ from users obtained via proper authentication (such as FSSO).
FortiAnalyzer reporting, for example, is constructed in such a way that actual user information is preferred over the 'unauthuser' field.
The datasets underlying reporting construct source information first from the 'user' field; if that has no value, then the 'unauthuser' field, and if that also contains no information, then FortiAnalyzer defaults to source IP:
) as user_src,
From https://docs.fortinet.com/document/fortianalyzer/7.0.2/dataset-reference/328855/dataset-reference-li..., the “Top-Users-By-Bandwidth” dataset.