Article Id 202750



This article expands upon FortiGate device detection as outlined here:




FortiOS has a feature called 'Device Detection' that may be enabled on interfaces with the role 'LAN', or from the CLI.


With this setting enabled, FortiGate collects information about connecting devices on that LAN interface, such as IP, MAC address, operating system, and users.


Details regarding device detection and what information it gathers may be found here:


Some information FortiGate gathers this way (user and hostname information) may be included in logs.

In particular, the log fields 'unauthuser' and 'unauthusersource' contain information obtained via device detection:


As an example:


FGT-1 # dia user device list hosts
  vd root/0  00:62:65:6e:05:01  gen 13  req OUA/34
    created 260064s  gen 5  seen 0s  port35  gen 3
    ip  src mac
    os 'Windows'  src http  id 1444  weight 130
    software version '10'  src http  id 1444  weight 130
    host 'LAB-KVM05'  src mwbs
    user 'testuser'  src kerberos


FGT-1 # execute log display

1: date=2022-01-05 time=11:22:13 [...] srcip= srcname="LAB-KVM05" srcport=54378 srcintf="port35" srcintfrole="lan" dstip= dstport=53 dstintf="wan1" dstintfrole="wan" [...] appcat="unscanned" osname="Windows" unauthuser="testuser" unauthusersource="kerberos" [...]


This information is NOT authoritative; it is a guess based on whatever traffic FortiGate was able to observe.

This means that user information obtained via device detection may differ from users obtained via proper authentication (such as FSSO).


FortiAnalyzer reporting, for example, is constructed in such a way that actual user information is preferred over the 'unauthuser' field.

The datasets underlying reporting construct source information first from the 'user' field; if that has no value, then the 'unauthuser' field, and if that also contains no information, then FortiAnalyzer defaults to source IP:







  ) as user_src,



From the “Top-Users-By-Bandwidth” dataset.
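
The precedence described above ('user', then 'unauthuser', then source IP) can also be applied when reviewing raw FortiGate logs outside FortiAnalyzer. The following is an added example, not FortiAnalyzer's dataset SQL or any Fortinet code: it parses key=value log lines and reports whether the resolved identity came from real authentication or from a device-detection guess. The sample lines, the function names and the set of values treated as empty are assumptions made for illustration.

```python
import re

# key=value or key="quoted value" pairs, as in the log line shown above
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
_EMPTY = {"", "N/A", "n/a"}  # assumption: values treated as "no information"


def parse_log(line):
    """Parse one FortiGate key=value log line into a dict."""
    fields = {}
    for key, quoted, bare in _FIELD.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def user_src(fields):
    """Return (identity, origin, authoritative) using the precedence
    user -> unauthuser -> srcip described in the article."""
    user = fields.get("user", "")
    if user not in _EMPTY:
        return user, "user", True
    guess = fields.get("unauthuser", "")
    if guess not in _EMPTY:
        # Device-detection guess: keep its source visible, do not treat as proof
        origin = "unauthuser/" + fields.get("unauthusersource", "unknown")
        return guess, origin, False
    # No user information at all: fall back to the source IP
    return fields.get("srcip", ""), "srcip", False


# Constructed sample lines (not from the article); IPs are documentation ranges
SAMPLE = [
    'date=2022-01-05 srcip=192.0.2.10 srcname="LAB-KVM05" user="alice" '
    'unauthuser="testuser" unauthusersource="kerberos"',
    'date=2022-01-05 srcip=192.0.2.10 srcname="LAB-KVM05" '
    'unauthuser="testuser" unauthusersource="kerberos"',
    'date=2022-01-05 srcip=192.0.2.77 dstport=53 dstintf="wan1"',
]


def attribute(lines):
    """Resolve the reporting identity for each log line."""
    return [user_src(parse_log(line)) for line in lines]


if __name__ == "__main__":
    for ident, origin, auth in attribute(SAMPLE):
        print(f"{ident:12} from {origin:20} authoritative={auth}")
```

Keeping the origin alongside the resolved name lets an analyst filter out or down-weight entries that rest only on 'unauthuser' when attributing activity to a person.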