yamamoto
New Contributor

[FortiView] Source IP of Top Source: some have a user name, and some don't

In FortiView > Summary View > Top Source:

Some users show their IP address as source. I mean their IP address only.

But some have their username like "192.168.1.71 (nakahira)" beside it. What is the reason?

And in that case, they have a human-shaped icon on the left side.

What does this mean?

hzhao_FTNT
Staff

Hi, it means username information is recorded in FCT logs for these connections; the user has enabled authentication such as FSSO in the FGT.

 

Regards,

hz

yamamoto
New Contributor

Thank you for your reply.

yamamoto
New Contributor

Where do those values "(user name)" actually come from?

I have checked the FortiGate unit and found that SSL remote access and local user authentication are enabled.

And I found that the FGT detected "teiji-k@...ne.jp" as user name, which is also recognized as "192.168.1.240(teiji-k@...ne.jp)" in the FortiAnalyzer logs.

It is just an e-mail address set in Thunderbird.

A little bit confused.

Thanks in advance.

Silver
New Contributor

Dear All,

Just to add, we are also getting the same issue. I use FGT & FAZ. We are using FSSO, and on the FAZ report sometimes the FSSO username is displayed, sometimes the IP address. On some occasions the same user is accounted for twice, by either his or her FSSO username or PC ID.

Silver
New Contributor

Any feedback, please?

yamamoto
New Contributor

Thank you, Silver.

Dear experts, please give us some hints.

Nihas
New Contributor

If the FortiGate has been integrated with any directory service through FSSO, LDAP or RADIUS, then you will get the username in reports and FortiView.

You can check the user status in the User > Monitor module.

If you are using device discovery on the interface, it sniffs the machine details (name, device type, username, etc.).

Nihas
L_FTNT
Staff

And I found that the FGT detected "teiji-k@...ne.jp" as user name, which is also recognized as "192.168.1.240(teiji-k@...ne.jp)" in the Fortianalyzer logs.

If you have device detection enabled on FGTs and no other definitive user identity info is available (e.g. FSSO or firewall-authenticated users...), the FGTs can learn some unofficial identities from the devices, such as the email login teiji-k@...ne.jp etc., and write the info to the traffic log. FAZ will use this information for reports.

CL
New Contributor

From the CLI:

    # diagnose user device list

will show how the device or user was identified. Look for "src" after the user or device.
