Created on
01-07-2022
03:14 AM
Edited on
09-16-2025
10:06 PM
By
Jean-Philippe_P
Description
This article describes FortiGate device detection, as outlined in Technical Tip: Enable 'Device Detection' to allow FortiOS to monitor networks.
Scope
FortiGate.
Solution
FortiOS has a feature called 'Device Detection' that may be enabled on interfaces with the role 'LAN' or from the CLI.
With this setting enabled, FortiGate collects information about connecting devices on that LAN interface, such as IP, MAC address, operating system, and users.
Details regarding device detection and what information it gathers may be found in Technical Tip: Enable 'Device Detection' to allow FortiOS to monitor networks.
FortiGate can receive this information from other sources like FortiClient EMS, FortiNAC, and FortiSwitch.
Some information FortiGate gathers this way (user and hostname information) may be included in logs.
In particular, the log fields 'unauthuser' and 'unauthusersource' contain information obtained via device detection:
As an example:
FGT-1 # diagnose user device list hosts
vd root/0 00:62:65:6e:05:01 gen 13 req OUA/34
created 260064s gen 5 seen 0s port35 gen 3
ip 10.0.0.254 src mac
os 'Windows' src http id 1444 weight 130
software version '10' src http id 1444 weight 130
host 'LAB-KVM05' src mwbs
user 'testuser' src kerberos
FGT-1 # execute log display
1: date=2022-01-05 time=11:22:13 [...] srcip=10.0.0.254 srcname="LAB-KVM05" srcport=54378 srcintf="port35" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" [...] appcat="unscanned" osname="Windows" unauthuser="testuser" unauthusersource="kerberos" [...]
2: date=2022-01-05 time=11:22:40 [...] srcip=10.0.0.240 srcname="LAB-KVM10" srcport=54378 srcintf="port35" srcintfrole="lan" dstip=44.199.160.6 dstport=443 dstintf="wan1" dstintfrole="wan" [...] appcat="unscanned" osname="Windows" unauthuser="testuser2" unauthusersource="forticlient" [...]
This information is not authoritative: it is a guess based on whatever traffic FortiGate was able to observe.
This means that user information obtained via device detection (or another source) may differ from that obtained via proper authentication (such as FSSO). By default, device information is kept in memory for 28 days; for more information, see Technical Tip: How to disable the device database.
Sometimes, when traffic is generated from a device without any authenticated user (for example, the device is up and running a background process such as software updates or DNS queries), traffic logs are still generated and show the 'unauthenticated user' ('unauthuser') field as the user:
However, no user has been authenticated in the firewall:
diagnose firewall auth list
----- 0 listed, 0 filtered ------
Device information can be displayed using the following command:
diagnose user-device-store user memory list
FortiAnalyzer reporting and FortiGate traffic log view, for example, are constructed in such a way that actual user information is preferred over the 'unauthuser' field.
The datasets underlying reporting construct source information first from the 'user' field; if that has no value, then from the 'unauthuser' field; and if that also contains no information, FortiAnalyzer defaults to the source IP:
select
coalesce(
nullifna(`user`),
nullifna(`unauthuser`),
ipstr(`srcip`)
) as user_src,
[…]
In the FortiAnalyzer 7.0.2 dataset reference list, see the 'Top-Users-By-Bandwidth' dataset.
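The precedence above (authenticated 'user' first, then the device-detection 'unauthuser', then 'srcip'), applied to raw FortiGate traffic log lines, as an added example that is not part of this article or any Fortinet product. The log lines are constructed and abridged; 'nullifna' is assumed to treat missing, empty and "N/A" values as null, mirroring the FortiAnalyzer helper of the same name.

```python
import re

# Constructed sample FortiGate traffic log lines (abridged), modelled on the
# format shown above; the values are made up for illustration.
SAMPLE_LOGS = [
    'date=2022-01-05 time=11:22:13 srcip=10.0.0.254 srcname="LAB-KVM05" '
    'srcintf="port35" osname="Windows" unauthuser="testuser" unauthusersource="kerberos"',
    'date=2022-01-05 time=11:22:40 srcip=10.0.0.240 srcname="LAB-KVM10" '
    'srcintf="port35" osname="Windows" unauthuser="testuser2" unauthusersource="forticlient"',
    # An FSSO-authenticated session: 'user' is set and wins over 'unauthuser'.
    'date=2022-01-05 time=11:23:01 srcip=10.0.0.10 user="alice" authserver="FSSO" '
    'unauthuser="bob" unauthusersource="http"',
    # Neither field usable: reporting falls back to the source IP.
    'date=2022-01-05 time=11:23:30 srcip=10.0.0.77 unauthuser="N/A"',
]

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Parse a FortiGate key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def nullifna(value):
    """Assumed mirror of the dataset helper: missing, empty and 'N/A' become null."""
    if value is None or value == "" or value.upper() == "N/A":
        return None
    return value


def user_src(fields):
    """Reproduce coalesce(nullifna(user), nullifna(unauthuser), ipstr(srcip)) and
    report which field supplied the answer, so an analyst can see when the
    identity is only a device-detection guess rather than an authenticated user."""
    for key in ("user", "unauthuser"):
        value = nullifna(fields.get(key))
        if value is not None:
            return value, key
    return fields.get("srcip", ""), "srcip"


def attribute(lines):
    """Return (user_src, field that supplied it, unauthusersource) per log line."""
    out = []
    for line in lines:
        f = parse_log(line)
        who, origin = user_src(f)
        out.append((who, origin, f.get("unauthusersource", "")))
    return out


if __name__ == "__main__":
    for who, origin, det in attribute(SAMPLE_LOGS):
        print(f"{who:<12} from {origin:<10} detection={det or '-'}")
```

Rows attributed from 'unauthuser' should be read with the caveat above: the name is whatever device detection inferred (here via kerberos or forticlient), not the result of firewall authentication.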
Copyright 2025 Fortinet, Inc. All Rights Reserved.