I am just struggling with the correlation of my logs. Currently, I am using FortiGate 6.4.11 with Explicit proxy.
Local-In-Policy is showing the "original" source port and IP of every connection.
But: I am not able to do any correlation between the outgoing "forward-proxy-policy"-log entry and the original "local-in-policy"-log-entry.
Are you aware of any possibility to do this?
Background: I am using Linux terminal servers. As there is no Linux-terminalserver-agent, I have to find out which user opened e.g. a malicious URL. The Linux EDR is showing the source-port for every user, but the source-port of the "forward-policy" that shows that the malicious URL has been opened is not the original source-port.
Thank you for your help.