I have a question in understanding certain FortiAnalyzer logs, ver 6.4.7. Webfilter blocks access to a certain webpage and categorises it as Phishing. When I tested access and checked logs in FortiView, found the problematic entry, double-clicked and went on like that to Top Threats > Source > Log View, then I see four lines. The destination IP has been shown as Fortiguard's 126.96.36.199. But what is the meaning of the Destination Name column entries on each line? I see different domain names there, but are they related to the current phishing attempt by the website (that is, these names have been taken from the specific attempt to visit those websites, so the names are taken from my browser's http/s request), or are those entries random names which would also point to the same Fortiguard IP if I had tried to access them? I need to know this to understand whether the specific website, which may actually be harmless, is in any way related to those Destination Name column entries or not.
I ask this because I've often seen from network logs (syslog) that the destination name is not only the result of a possible PTR check; it looks like the Fortigate gets this relation between an IP and a domain name from somewhere else. I've often seen network logs with one and the same (internal or external) IP address but a different destination name. In some cases, this has even been useful to understand what else may point to that (external) IP address, since a single PTR check doesn't reveal it (because it's a hosting IP that has many websites and an uninformative PTR record).