Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
wotik
New Contributor III

Fortianalyzer - "Source" format in "Traffic"

Hello

How can I change the format of the "Source" value in "Log view" -> "FortiGate" -> "Traffic" from e.g. "0d42e9ab-05es-4202-bg6a-7r937cstff36" to an IP address? Some of the endings are represented by an IP address, and some by such an identifier as above. What it comes from?

001.png

 

 

Best Regards,
Wojtek
Best Regards,Wojtek
1 Solution
srajeswaran

Can you try the auto-script configuration?

 

Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-The-unit-detection-identification-data-do-...

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

View solution in original post

12 REPLIES 12
Anthony_E
Community Manager
Community Manager

Hello Wojtek,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
wotik
New Contributor III

@Anthony_E - Has anything been found out?

Best Regards,
Wojtek
Best Regards,Wojtek
srajeswaran
Staff
Staff

This looks like UUID, can you check if you have the below config enabled on the fortigate, if so please disable and check?

 

config system global	
   set log-uuid-address enable
   set log-uuid-policy enable
end

 

Ref:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/313871/source-and-destinatio...

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

wotik
New Contributor III

@srajeswaran  - I have the default value, i.e. log-uuid-address I have disabled

Best Regards,
Wojtek
Best Regards,Wojtek
srajeswaran

Can you share the raw log for one of these?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

wotik
New Contributor III

Hello,

 

The Source column is srcname=02324cbd-e1df-495f-8c88-74e98e918474.

 

date=2023-02-21 time=13:05:10 id=7202579023459778565 itime=2023-02-21 13:05:10 euid=3 epid=1062 dsteuid=3 dstepid=101 type=traffic subtype=forward level=notice action=accept policyid=19 sessionid=2114816 srcip=MY_IP_LAN dstip=216.239.32.116 transip=MY_IP_WAN srcport=58637 dstport=443 transport=58637 trandisp=snat duration=139 proto=6 sentbyte=4509 rcvdbyte=8890 sentdelta=4509 rcvddelta=8890 sentpkt=26 rcvdpkt=25 logid=0000000020 srcname=02324cbd-e1df-495f-8c88-74e98e918474 service=Google-Gmail app=Google.Services appcat=General.Interest srcintfrole=lan dstintfrole=wan srcserver=0 appid=42533 appact=detected apprisk=elevated policytype=policy eventtime=1676981110095095080 poluuid=1a4d0300-040c-51ed-ecdf-c719b12820bd srcmac=MAC_ADDRESS mastersrcmac=MAC_ADDRESS srchwvendor=ASUS srcswversion=10 osname=Windows srccountry=Reserved dstcountry=United States srcintf=internal dstintf=wan2 dstinetsvc=Google-Gmail applist=_standardowyAPP_mr policyname=WWW.FTP.PPTP_mr tz=+0100 dstregion=California dstcity=Mountain View dstreputation=5 devid=FGTXXX vd=root dtime=2023-02-21 13:05:10 itime_t=1676981110

 

Although this is not always the case. Currently is srcname=NAME_MY_COMPUTER

 

date=2023-03-06 time=08:31:17 id=7207332551529070594 itime=2023-03-06 08:31:17 euid=3 epid=1062 dsteuid=3 dstepid=101 type=traffic subtype=forward level=notice action=accept utmaction=allow policyid=19 sessionid=3646215 srcip=MY_IP_LAN dstip=142.250.203.138 transip=MY_IP_WAN srcport=59499 dstport=443 transport=59499 trandisp=snat duration=186 proto=17 sentbyte=13223 rcvdbyte=22016 sentpkt=28 rcvdpkt=43 logid=0000000013 srcname=NAME_MY_COMPUTER service=Google-Web app=QUIC appcat=Network.Service srcintfrole=lan dstintfrole=wan srcserver=0 appid=40169 appact=detected apprisk=low policytype=policy eventtime=1678087877445394150 countapp=2 countweb=1 poluuid=1a4d0300-040c-51ed-ecdf-c719b12820bd srcmac=MAC_ADDRESS mastersrcmac=MAC_ADDRESS srchwvendor=ASUS srcswversion=10 osname=Windows srccountry=Reserved dstcountry=Poland srcintf=internal dstintf=wan2 dstinetsvc=Google-Web applist=_standardowyAPP_mr policyname=WWW.FTP.PPTP_mr hostname=safebrowsing.googleapis.com catdesc=Information Technology tz=+0100 dstregion=Masovian dstcity=Warsaw dstreputation=4 devid=FGTXXX vd=root dtime=2023-03-06 08:31:17 itime_t=1678087877

Best Regards,
Wojtek
Best Regards,Wojtek
srajeswaran

Can you try the auto-script configuration?

 

Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-The-unit-detection-identification-data-do-...

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

wotik
New Contributor III

Hello,

 

For now, I used "diag user device clear" and all "Source" took the form of IP addresses. After some time, some of the records in "Source" still have IP addresses, and some of the host name. I honestly admit that I would prefer to unify it somehow (I would only prefer IP addresses)...

Best Regards,
Wojtek
Best Regards,Wojtek
srajeswaran

If you prefer IP address, can you turn off the device identification/detection from the interface?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Labels
Top Kudoed Authors