Correlation Source Port of local-in to forward policy - Fortigate Explicit Proxy
I am just struggling with the correlation of my logs. Currently, I am using FortiGate 6.4.11 with Explicit Proxy.
Local-In-Policy is showing the "original" source port and IP of every connection.
But: I am not able to do any correlation between the outgoing "forward-proxy-policy" log entry and the original "local-in-policy" log entry.
Are you aware of any possibility to do this?
Background: I am using Linux terminal servers. As there is no Linux terminal server agent, I have to find out which user opened, e.g., a malicious URL. The Linux EDR is showing the source port for every user, but the source port in the "forward-policy" entry that shows that the malicious URL has been opened is not the original source port.
If I understand your issue correctly you can try setting "set fixedport enable" in your firewall policy. This will prevent the FortiGate from changing the source port in the outbound, Source-NATted packet.
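The setting above lives under `config firewall policy` / `edit <policy-id>` / `set fixedport enable` / `next` / `end` in the FortiOS CLI. Once the client's source port is preserved across the outbound leg, the remaining work is a log join: the `(srcip, srcport)` pair seen by the local-in entry, the forward entry and the EDR's per-user socket list becomes a common key, and a time window is needed because ephemeral ports are reused. The script below is an added example, not code from the original thread or from Fortinet; the log lines, the EDR records and the 10-second window are constructed here, and the key=value field names (`srcip`, `srcport`, `hostname`, `subtype`) follow the usual FortiOS traffic-log layout but are assumptions about the log format, not taken from the poster's environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in FortiGate key=value style (not from the original
# post). Assumption: fixedport is enabled, so srcport is identical in both entries.
LOCAL_IN_LOGS = [
    'date=2023-06-01 time=10:15:02 type="traffic" subtype="local" srcip=10.1.1.20 srcport=45122 dstip=10.1.1.1 dstport=8080 action="accept"',
    'date=2023-06-01 time=10:15:05 type="traffic" subtype="local" srcip=10.1.1.20 srcport=45130 dstip=10.1.1.1 dstport=8080 action="accept"',
]
FORWARD_LOGS = [
    'date=2023-06-01 time=10:15:02 type="traffic" subtype="forward" srcip=10.1.1.20 srcport=45122 dstip=203.0.113.10 dstport=443 hostname="bad.example" action="accept"',
    'date=2023-06-01 time=10:15:06 type="traffic" subtype="forward" srcip=10.1.1.20 srcport=45130 dstip=203.0.113.11 dstport=443 hostname="other.example" action="accept"',
    # Same port reused half an hour later: must NOT be attributed to the earlier user.
    'date=2023-06-01 time=10:45:00 type="traffic" subtype="forward" srcip=10.1.1.20 srcport=45122 dstip=203.0.113.12 dstport=443 hostname="reused.example" action="accept"',
]
# Constructed EDR socket-to-user records exported from the Linux terminal server.
EDR_SOCKETS = [
    {"user": "alice", "srcip": "10.1.1.20", "srcport": 45122, "time": "2023-06-01 10:15:02"},
    {"user": "bob", "srcip": "10.1.1.20", "srcport": 45130, "time": "2023-06-01 10:15:05"},
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_kv(line):
    """Parse a FortiGate-style key=value log line into a dict (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', TS_FMT)
    fields["srcport"] = int(fields["srcport"])
    return fields


def correlate(local_in, forward, edr, window=timedelta(seconds=10)):
    """Join each forward-policy entry to local-in entries and to the EDR user on
    (srcip, srcport). Matches are only accepted inside `window`, because ephemeral
    source ports are recycled and a bare port match would mis-attribute traffic."""
    by_socket = defaultdict(list)
    for entry in map(parse_kv, local_in):
        by_socket[(entry["srcip"], entry["srcport"])].append(entry)

    users = {}
    for rec in edr:
        users[(rec["srcip"], rec["srcport"])] = (rec["user"], datetime.strptime(rec["time"], TS_FMT))

    results = []
    for fwd in map(parse_kv, forward):
        key = (fwd["srcip"], fwd["srcport"])
        local_hits = [e for e in by_socket.get(key, []) if abs(e["ts"] - fwd["ts"]) <= window]
        user = None
        if key in users and abs(users[key][1] - fwd["ts"]) <= window:
            user = users[key][0]
        results.append({
            "time": fwd["ts"].strftime(TS_FMT),
            "srcport": fwd["srcport"],
            "hostname": fwd.get("hostname"),
            "matched_local_in": len(local_hits),
            "user": user,
        })
    return results


def users_for_host(results, hostname):
    """Return the set of attributed users that reached a given hostname."""
    return {r["user"] for r in results if r["hostname"] == hostname and r["user"]}


if __name__ == "__main__":
    for row in correlate(LOCAL_IN_LOGS, FORWARD_LOGS, EDR_SOCKETS):
        print(row)
```

Rows whose `user` is `None` are the ones the join could not attribute safely (here the reused port at 10:45), so they surface as gaps to investigate rather than being silently assigned to the wrong person.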