[FortiView] Source IP of Top source: Some has user name, and some doesn't
In FortiView > Summary View > Top Source:
Some users show their IP address as source. I mean their IP address only.
But some have their username like "192.168.1.71 (nakahira)" beside it. What is the reason?
And in that case, they have a human-shaped icon on the left side.
What does this mean?
Hi, it means username information is recorded in FCT logs for these connections; the user has enabled authentication such as FSSO in the FGT.
Regards,
hz
Thank you for your reply
Where do those values "(user name)" actually come from?
I have checked the FortiGate unit and found that SSL remote access and local user authentication are enabled.
And I found that the FGT detected "teiji-k@...ne.jp" as user name, which is also recognized as
"192.168.1.240(teiji-k@...ne.jp)" in the FortiAnalyzer logs.
It is just an e-mail address set in Thunderbird..
A little bit confused..
Thanks in advance.
Dear All,
Just to add, we are also getting the same issues. I use FGT & FAZ. We are using FSSO, and on the FAZ report sometimes the FSSO username is displayed, sometimes the IP address. On some occasions the same user is accounted twice, by either his or her FSSO username or PC ID.
Any feedback plz
Thank you Silver
Dear Experts, Please give us some hints.
If the FortiGate has integrated with any of the directory services through FSSO, LDAP or RADIUS, then you will get the username in reports and FortiView.
You can check the user status in the User - Monitor module.
If you are using device discovery on the interface, it sniffs the machine details (name, device type, username etc.)
And I found that the FGT detected "teiji-k@...ne.jp" as user name, which is also recognized as "192.168.1.240(teiji-k@...ne.jp)" in the FortiAnalyzer logs.
If you have device detection enabled on FGTs and no other definitive user identity info available (e.g. FSSO or firewall authenticated users...), the FGTs can learn some unofficial identities from the devices, such as the email login teiji-k@...ne.jp etc., and write the info to the traffic log. FAZ will use this information for reports.
From the CLI:
# diagnose user device list
will show how the device or user was identified. Look for "src" after the user or device.
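The replies above distinguish usernames that come from authentication (FSSO, LDAP, RADIUS, firewall users) from names the FortiGate learns through device detection and writes to the traffic log. The following is an added example, not code from the thread or from Fortinet: it separates the two in exported traffic logs and lists source IPs that a report would count under more than one identity. It assumes the key=value traffic-log fields srcip, user, unauthuser and unauthusersource; the sample lines, including the unauthusersource value, are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value traffic-log style (not from the thread).
# Assumed field names: srcip, user, unauthuser, unauthusersource.
SAMPLE_LOGS = """\
date=2024-01-10 time=09:00:01 type="traffic" srcip=192.168.1.71 dstip=203.0.113.10 user="nakahira" group="staff" action="accept"
date=2024-01-10 time=09:00:05 type="traffic" srcip=192.168.1.240 dstip=203.0.113.25 unauthuser="mail-user@example.test" unauthusersource="device-detection" action="accept"
date=2024-01-10 time=09:00:09 type="traffic" srcip=192.168.1.50 dstip=203.0.113.10 action="accept"
date=2024-01-10 time=09:01:30 type="traffic" srcip=192.168.1.71 dstip=203.0.113.99 action="accept"
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV.findall(line)}

def identity(rec):
    """Return (label, origin). Only 'authenticated' labels are backed by a login;
    'learned:*' labels were picked up from the device and are unverified."""
    if rec.get("user"):
        return rec["user"], "authenticated"
    if rec.get("unauthuser"):
        return rec["unauthuser"], "learned:" + rec.get("unauthusersource", "unknown")
    return None, "none"

def summarize(text):
    """Map each source IP to the set of (label, origin) pairs seen for it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if "srcip" in rec:
            seen[rec["srcip"]].add(identity(rec))
    return dict(seen)

def split_sources(summary):
    """Source IPs that a per-identity report would list more than once."""
    return sorted(ip for ip, ids in summary.items() if len(ids) > 1)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    for ip, ids in sorted(summary.items()):
        print(ip, sorted(ids, key=str))
    print("counted under more than one identity:", split_sources(summary))
```

Labels with a "learned:" origin should not be used to attribute activity to a person; they only reflect what the device exposed on the network.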