yamamoto
New Contributor

[FortiView] Source IP of Top source: Some has user name, and some doesn't

In FortiView > Summary View > Top Source:

 

Some users show their IP address as source. I mean their IP address only.

But some have their username like "192.168.1.71 (nakahira)" beside it.  What is the reason? 

 

And in that case, they have a human shaped icon on the left side.

What does this mean?

 

 

11 REPLIES 11
yamamoto
New Contributor

Thank you all for your kind assistance.

 

This is what I found about what I asked at this moment.

Is my understanding written below correct?

 

 

 

 [from Fortigate CLI]  

 

#diag user device list

We can actually see how the device is detected.

 

vd 0 (MACaddress) 3 gen 225296 req 2c redir 0 last 106790s port1 host 'iPhone' src dhcp

vd 0 (MACaddress) gen 192525 req 0 redir 0 last 503786s port1 ip 192.168.1.75 type 8 'Windows PC' src configured c 1 gen 31159 os 'Windows' version '' src http id 1883 c 1 host 'Wsn25' src dhcp user 'SAKAMOTO' src auth

 

vd 0 (MACaddress) gen 192492 req 10 redir 0 last 146s port1 ip 192.168.1.240 type 8 'Windows PC' src configured c 1 gen 31126 os 'Windows' version '8.1' src http id 1824 c 1 user 't-eguchi' src pop3

 

vd 0 (MACaddress) gen 1611 req 0 redir 0 last 99708s internal ip 192.168.2.216 type 8 'Windows PC' src dhcp c 1 gen 1561 os 'Windows' version '' src dhcp id 24 c 1 host 'Wsn07' src dhcp user 'k-sato' src kerberos

 

 

 

 [below is what I learnt this time!]  

 

■Fortigate

 

・Device name (=host name)

src dhcp ⇒ via arp broadcast?

 

When "Device detection" is enabled and the FortiGate can detect the hostname via an ARP broadcast frame, it is shown as the device name in the "device" field.

 

src kerberos?? ⇒ There may be some other way to detect device's information.

 

 

・User name

 

1)src pop3

When "Device detection" is enabled and the FortiGate can catch their information inside the POP3 packet, the FortiGate treats it as the username and shows it in the "user" field with a red human shaped icon. (unofficial)

 

2)src auth

When "User authentication" is used inside the FortiGate unit, in this case SSL-VPN, the FortiGate treats it as the username and shows it in the "user" field with a blue human shaped icon.

 

・The name beside the IP address

When "FSSO" is enabled and the username was resolved by DNS reverse lookup, the FortiGate shows it beside the IP address, in the "Source IP" field for example.

 

 

 

■Fortianalyzer

 

・The name beside the IP address

In FortiView > Summary View > Top source > "Source IP" field, FAZ shows the username beside the IP address with a blue human shaped icon, which was detected via the "Device detection" function of the FortiGate above.

 

 

・Device name (via FSSO Reverse lookup or device name)

In FortiView > Summary View > Top source > "Device" field, FAZ shows the FQDN which was resolved via the FSSO function of the FortiGate unit, but if the name was not found at reverse lookup, FAZ uses the "device name" information which was acquired via "Device detection" instead.
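The `src` tags in the CLI output above can be extracted per device to see why one source carries a name and another does not. This is an added example, not part of the original post and not Fortinet code; the field layout is inferred only from the four lines quoted in the post, and treating `src auth` as the only authenticated source is an assumption that follows the poster's reading.

```python
import re

# Lines copied from the `diag user device list` output quoted in the post above.
SAMPLE = """\
vd 0 (MACaddress) 3 gen 225296 req 2c redir 0 last 106790s port1 host 'iPhone' src dhcp
vd 0 (MACaddress) gen 192525 req 0 redir 0 last 503786s port1 ip 192.168.1.75 type 8 'Windows PC' src configured c 1 gen 31159 os 'Windows' version '' src http id 1883 c 1 host 'Wsn25' src dhcp user 'SAKAMOTO' src auth
vd 0 (MACaddress) gen 192492 req 10 redir 0 last 146s port1 ip 192.168.1.240 type 8 'Windows PC' src configured c 1 gen 31126 os 'Windows' version '8.1' src http id 1824 c 1 user 't-eguchi' src pop3
vd 0 (MACaddress) gen 1611 req 0 redir 0 last 99708s internal ip 192.168.2.216 type 8 'Windows PC' src dhcp c 1 gen 1561 os 'Windows' version '' src dhcp id 24 c 1 host 'Wsn07' src dhcp user 'k-sato' src kerberos
"""

# Layout inferred from these four lines only: host/user appear as  key 'value' src <how>.
ATTR_RE = re.compile(r"\b(host|user)\s+'([^']*)'\s+src\s+(\S+)")
IP_RE = re.compile(r"\bip\s+(\d{1,3}(?:\.\d{1,3}){3})\b")

# Assumption taken from the poster's reading: only `src auth` means the user logged in
# to the firewall; any other src value (pop3, kerberos) is treated as passively observed.
AUTHENTICATED_SOURCES = {"auth"}

def parse_line(line):
    """Return ip plus (value, src) pairs for host and user; None when absent."""
    rec = {"ip": None, "host": None, "user": None}
    m = IP_RE.search(line)
    if m:
        rec["ip"] = m.group(1)
    for key, value, src in ATTR_RE.findall(line):
        rec[key] = (value, src)
    return rec

def parse_output(text):
    """Parse every device line (those starting with 'vd ') in the CLI output."""
    return [parse_line(l) for l in text.splitlines() if l.startswith("vd ")]

def source_label(rec):
    """Mimic the 'IP (user)' form from the question; bare IP when no user is known."""
    ip = rec["ip"] or "-"
    return f"{ip} ({rec['user'][0]})" if rec["user"] else ip

def user_origin(rec):
    """Classify how the username was learned: none, authenticated or observed."""
    if rec["user"] is None:
        return "none"
    return "authenticated" if rec["user"][1] in AUTHENTICATED_SOURCES else "observed"

if __name__ == "__main__":
    for rec in parse_output(SAMPLE):
        host = rec["host"][0] if rec["host"] else "-"
        print(f"{source_label(rec):32} host={host:8} user-origin={user_origin(rec)}")
```

Names marked "observed" come from traffic the firewall saw rather than from a login to it, so they are worth confirming against another source before attributing activity to a person.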

 

 

 

 

 

 

mona
New Contributor

Why do I have the same device column for different source IPs? "Different source IPs have the same device name with the same MAC address"
