Hi!
I am struggling with the correlation of my logs. Currently, I am using FortiGate 6.4.11 with explicit proxy.
Local-In-Policy is showing the "original" source port and IP of every connection.
But: I am not able to do any correlation between the outgoing "forward-proxy-policy"-log entry and the original "local-in-policy"-log-entry.
Are you aware of any possibility to do this?
Background: I am using Linux terminal servers. As there is no Linux terminal server agent, I have to find out which user opened e.g. a malicious URL. The Linux EDR shows the source port for every user, but the source port in the "forward-policy" log entry that shows the malicious URL being opened is not the original source port.
Thank you for your help
If I understand your issue correctly, you can try setting "set fixedport enable" in your firewall policy. This will prevent the FortiGate from changing the source port in the outbound, source-NATted packet.
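As an added example, not part of the thread or of any Fortinet tooling: once the proxy stops rewriting the client port, the two log streams share (srcip, srcport), and a short script can join them within a time window and flag entries whose port was still rewritten. Field names follow FortiGate's usual key=value style but all sample lines and values below are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed FortiGate-style key=value log lines (not taken from the thread).
# Field names mirror the common srcip/srcport/... convention; values are made up.
LOCAL_IN_LOGS = """\
date=2024-05-02 time=10:00:01 type=traffic subtype=local action=accept srcip=10.0.0.5 srcport=51000 dstip=10.0.0.1 dstport=8080 proto=6
date=2024-05-02 time=10:00:02 type=traffic subtype=local action=accept srcip=10.0.0.5 srcport=51001 dstip=10.0.0.1 dstport=8080 proto=6
"""
PROXY_LOGS = """\
date=2024-05-02 time=10:00:01 type=traffic subtype=forward srcip=10.0.0.5 srcport=51000 dstip=203.0.113.10 dstport=443 url="http://example.test/bad"
date=2024-05-02 time=10:00:02 type=traffic subtype=forward srcip=10.0.0.5 srcport=61234 dstip=203.0.113.11 dstport=443 url="http://example.test/other"
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict; quoted values are unwrapped."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def timestamp(entry):
    return datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")

def correlate(local_in, proxy, window=timedelta(seconds=5)):
    """Join forward-proxy entries to local-in entries on (srcip, srcport).
    Works only when the proxy log still carries the client's original port
    (e.g. with 'set fixedport enable'); a rewritten port ends up unmatched."""
    index = {}
    for e in local_in:
        index.setdefault((e["srcip"], e["srcport"]), []).append(e)
    matched, unmatched = [], []
    for p in proxy:
        candidates = index.get((p["srcip"], p["srcport"]), [])
        hits = [c for c in candidates if abs(timestamp(c) - timestamp(p)) <= window]
        (matched if hits else unmatched).append((p.get("url"), hits))
    return matched, unmatched

if __name__ == "__main__":
    m, u = correlate(parse_logs(LOCAL_IN_LOGS), parse_logs(PROXY_LOGS))
    print("matched:", [url for url, _ in m])
    print("unmatched (port rewritten?):", [url for url, _ in u])
```

The matched local-in entry's srcport is the value to look up against what the terminal server's EDR reports per user.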