Fortinet Forum
M0onl1t
New Contributor

Meaning of unauthuser and unauthusersource

Hi, can anyone tell me the meaning of unauthuser and unauthusersource in the logs?

Oct 30 11:14:50 192.168.1.4 date=2013-10-30 time=11:14:50 devname=FG100D3 devid=FG100D3 logid=0315013317 type=utm subtype=webfilter eventtype=urlfilter level=notice vd="root" policyid=30 identidx=0 sessionid=21843402 srcname="MacBook-MacBook-Pro-de-B.local" osname="Mac OS X" osversion="10.8.5" unauthuser="bj" unauthusersource="forticlient" srcip=192.168.32.8 srcport=60038 srcintf="internal2" dstip=107.20.232.119 dstport=80 dstintf="ISP-Colt" service="http" hostname="nagios.foo.net" profiletype="Webfilter_Profile" profile="default" status="passthrough" reqtype="referral" url="/nagios3/images/comment.gif" sentbyte=633 rcvdbyte=187 msg="URL has been visited" method=domain class="0" cat=255

In other logs dstunauthusersource and dstunauthuser appear; what is their meaning? Thanks so much.

AtiT
Valued Contributor

I am also interested in this. I can see logs with unauthusersource="kerberos", and I can see users in the logs as unauthuser that contain a username that is disabled and does not belong to any user group.

Where does this unauthuser value come from?

 

AtiT
--------------------
NSE 8, CCNP R+S

mricardez
Staff

The log entries are addressing the user login and login source from the device detection/identification feature (enabled at the interface).

 

- The logs with unauthusersource="kerberos" are collected from Kerberos traffic during the authentication process between a PC and AD.

- When the FG has device detection enabled on interfaces, the FG will inspect the PC authentication process against the AD (Kerberos traffic) and will record the username.

 

- Topology in LAB:

 

PC (192.168.79.1) -> FortiGate -> AD (192.168.78.1)

 

1: date=2022-01-04 time=10:45:13 eventtime=1641321913730103681 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.79.1 srcname="DESKTOP-OLGFQ84" srcport=51102 srcintf="vlan279" srcintfrole="lan" dstip=192.168.78.1 dstport=53 dstintf="vlan278" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=11460 proto=17 action="accept" policyid=2 policytype="policy" poluuid="c82d7686-6d84-51ec-255f-889aa12ee3b0" policyname="Vlan279To278" service="DNS" trandisp="noop" duration=192 sentbyte=310 rcvdbyte=62 sentpkt=5 rcvdpkt=1 appcat="unscanned" osname="Windows" unauthuser="user1" unauthusersource="kerberos" mastersrcmac="00:53:6d:6f:37:02" srcmac="00:53:6d:6f:37:02" srcserver=0 dstosname="Windows" dstswversion="8/8.1/10" masterdstmac="00:53:6d:6f:36:02" dstmac="00:53:6d:6f:36:02" dstserver=0


FGVM020000110916 # diagnose user device list
hosts
vd root/0 00:53:6d:6f:37:02 gen 9 req OA/24
created 4066s gen 3 seen 0s vlan279 gen 2
ip 192.168.79.1 src mac
os 'Windows' src dhcp id 848 weight 128
host 'DESKTOP-OLGFQ84' src dhcp
user 'user1' src kerberos

TAC Engineer
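As an added example (not from this thread or from Fortinet), a small Python parser for the key=value log format shown above that pulls out the passively learned unauthuser/unauthusersource fields (and their dst counterparts) so an analyst does not mistake them for a firewall-authenticated user, and that maps each such user to the hosts it was seen on; the sample lines are constructed from the two logs quoted in the thread, trimmed to the relevant fields.

```python
import re

# FortiOS log lines are space-separated key=value pairs; values that may
# contain spaces are double-quoted (e.g. msg="URL has been visited").
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines, cut down from the two logs quoted in this thread
# (2013 webfilter log, 2022 traffic log) plus one line with no identity.
SAMPLE_LOGS = [
    'date=2013-10-30 time=11:14:50 type=utm subtype=webfilter srcip=192.168.32.8 '
    'unauthuser="bj" unauthusersource="forticlient" hostname="nagios.foo.net" '
    'msg="URL has been visited"',
    'date=2022-01-04 time=10:45:13 type="traffic" subtype="forward" '
    'srcip=192.168.79.1 srcname="DESKTOP-OLGFQ84" dstip=192.168.78.1 '
    'unauthuser="user1" unauthusersource="kerberos" '
    'mastersrcmac="00:53:6d:6f:37:02"',
    'date=2022-01-04 time=10:46:02 type="traffic" subtype="forward" '
    'srcip=192.168.79.5 dstip=192.168.78.1 action="accept"',
]

def parse_fortilog(line):
    """Return the key=value pairs of one FortiOS log line as a dict."""
    # findall yields '' for the unmatched alternative, so prefer the quoted group
    return {k: (q if q else u) for k, q, u in _KV.findall(line)}

def device_identity(line):
    """Extract the identity that device detection learned passively.

    unauthuser/unauthusersource describe the source host's observed user
    (e.g. seen in Kerberos traffic or reported by FortiClient);
    dstunauthuser/dstunauthusersource are the same for the destination.
    A None value means the FortiGate learned nothing for that side.
    """
    rec = parse_fortilog(line)
    return {
        "srcip": rec.get("srcip"),
        "src_user": rec.get("unauthuser"),
        "src_user_source": rec.get("unauthusersource"),
        "dst_user": rec.get("dstunauthuser"),
        "dst_user_source": rec.get("dstunauthusersource"),
    }

def hosts_by_user(lines):
    """Map each passively learned user to the (srcip, source) pairs it was
    seen on, e.g. to trace an account that should be disabled to hosts."""
    seen = {}
    for line in lines:
        ident = device_identity(line)
        if ident["src_user"]:
            seen.setdefault(ident["src_user"], set()).add(
                (ident["srcip"], ident["src_user_source"]))
    return {user: sorted(hosts) for user, hosts in seen.items()}
```

Feed `hosts_by_user` the raw lines from a syslog export to see which hosts a given unauthuser value was observed from and by which source (kerberos or forticlient).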