In FortiVeiw > Summary View > Top Source:
Some users show their IP address as source. I mean their IP address only.
But some have their username like "192.168.1.71 (nakahira)" beside it. What is the reason?
And in that case, they have human shaped icon on the leftside.
What dose this mean?
Thank you all for your kind assistance.
This is what I found about what I asked at this moment.
Is my understanding written below correct?
[from Fortigate CLI]
#diag user device list
We can actually see how device is detected..
vd 0 (MACaddress) 3 gen 225296 req 2c redir 0 last 106790s port1 host 'iPhone' src dhcp
vd 0 (MACaddress) gen 192525 req 0 redir 0 last 503786s port1 ip 192.168.1.75 type 8 'Windows PC' src configured c 1 gen 31159 os 'Windows' version '' src http id 1883 c 1 host 'Wsn25' src dhcp user 'SAKAMOTO' src auth
vd 0 (MACaddress) gen 192492 req 10 redir 0 last 146s port1 ip 192.168.1.240 type 8 'Windows PC' src configured c 1 gen 31126 os 'Windows' version '8.1' src http id 1824 c 1 user 't-eguchi' src pop3
vd 0 (MACaddress) gen 1611 req 0 redir 0 last 99708s internal ip 192.168.2.216 type 8 'Windows PC' src dhcp c 1 gen 1561 os 'Windows' version '' src dhcp id 24 c 1 host 'Wsn07' src dhcp user 'k-sato' src kerberos
[below is what I learnt this time!]
■Fortigate
・Device name (=host name)
src dhcp ⇒ via arp broadcast?
When "Device deteciton" is enabled and if the fortigate could detects hostname via arp broadcast frame, They will be shown as device name in the "device" field.
src kerberos?? ⇒ There may be some other way to detect device's information.
・User name
1)src pop3
When "Device detection"is enabled and when fortigate could catch their infomation inside the pop3 packet, the fortigate treat it as username and shows it in the "user" field with red human shaped icon. (unofficial)
2)src auth
When "User authentication" is used inside the fortigate unit, in this case SSL-VPN, the fortigate
treat it as username and shows it in the "user" field with blue human shaped icon.
・The name beside the IP address
When "FSSO" is enabed and when the username was resolved by DNS reverse lookup, the Fortigate shows it beside the IP address. In the "Source IP" feild for example.
■Fortianalyzer
・The name beside the IP address In FortiView > Summary View > Top source > "Source IP" field, FAZ shows username beside the IP address with blue human shaped icon which was detected via "Device detection" function of Fortigate above.
・Device name (via FSSO Reverse lookup or device name) In FortiView > Summary View > Top source > "Device" field, FAZ shows FQDN name which was resolved via FSSO function of Fortigate unit, but if the name was not found at reverse lookup, FAZ uses "device name" information which was acquired via "Device detection" instead.
Why i have the device column the same for different source IPs , "Different source IPs have the same device name with the same mac address "
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.