raffaeledp
Contributor

How to understand if it was FortiGate or FortiClient that blocked the traffic?

Hello everybody,

on my PC I have FortiClient, and in my network I have a FortiGate. Essentially, regarding web filtering, FortiClient and FortiGate have the same settings and the same exceptions.

When I visit a "tobacco" site, this site is correctly blocked. Reading the logs, how can I understand if the site was blocked by FortiGate or by FortiClient?

 

date=2024-07-23 time=14:26:54 id=7394806744431460361 itime="2024-07-23 14:26:54" euid=1026 epid=1030 dsteuid=3 dstepid=101 logflag=3 logver=702081639 type="traffic" subtype="forward" level="notice" action="close" utmaction="block" policyid=6 sessionid=6330623 srcip=10.1.10.31 dstip=104.26.14.200 transip=192.168.1.4 srcport=55936 dstport=443 transport=55936 trandisp="snat" duration=140 proto=6 sentbyte=220 rcvdbyte=4659 sentdelta=104 rcvddelta=260 sentpkt=4 rcvdpkt=13 logid=0000000013 unauthuser="xyz" srcname="MacBook_Pro" service="HTTPS" app="SSL" appcat="Network.Service" fctuid="92CB99E956C6570AB48FD3B7E84960C7" srcintfrole="lan" dstintfrole="wan" srcserver=0 appid=15895 apprisk="elevated" policytype="policy" channel=136 eventtime=1721737613696228599 countapp=1 countweb=1 poluuid="67bbad66-d1b1-51ee-0ba8-5ba3e058aba7" srcmac="5c:e9:1e:95:c6:c9" mastersrcmac="5c:e9:1e:95:c6:c9" srccountry="Reserved" dstcountry="United States" srcssid="xyz" srcintf="NTD FNet WiFi" dstintf="wan1" unauthusersource="forticlient" applist="default" radioband="802.11ax-5G" policyname="WiFi to WAN" ap="FP231FTF23069003" apsn="FP231FTF23069003" hostname="www.vaporoso.it" catdesc="Tobacco" saasinfo=0 apps=SSL tz="+0200" signal=-52 snr=43 srcremote=79.10.64.49 devid="FGT60FTK23099PH2" vd="root" utmref="BAYQAAAIAAAB3CgCAAAGhn2YBoZ9mcggAgAABoZ9mAaGfZg==" dtime="2024-07-23 14:26:54" itime_t=1721737614 devname="ntd-fg"

RDP
1 Solution
spoojary
Staff

In the log entry you provided:
- If the "unauthusersource" field shows "forticlient," then the site was blocked by FortiClient.
- If the "unauthusersource" field does not mention FortiClient and the action is "block," then the site was blocked by FortiGate.

Siddhanth Poojary

ozkanaltas
Valued Contributor III

Hello @raffaeledp,

If you saw that log on FortiGate, it means FortiGate is blocking traffic. If the opposite happened, that is, the log occurred on FortiClient EMS, this means that the traffic was blocked by FortiClient.

Usually web filtering is configured as on-fabric and off-fabric. You may have a configuration like this. So, if the client is under FortiGate protection in the office, you may have set the web filtering feature on FortiClient not to work.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
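
An added example (not from the thread and not Fortinet code): a small Python parser for the key=value log line in the question that pulls out the fields the two replies refer to, namely the recording device (devid, devname), utmaction and unauthusersource. SAMPLE is a shortened copy of the posted log; the ALLOWED line and all function names are constructed for illustration.

```python
import re
from collections import Counter

# key=value pairs; a value is either double-quoted (may hold spaces or '=') or a bare token
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Shortened copy of the log line from the question (fields dropped, values unchanged)
SAMPLE = ('date=2024-07-23 time=14:26:54 type="traffic" subtype="forward" '
          'action="close" utmaction="block" policyid=6 srcip=10.1.10.31 '
          'srcintf="NTD FNet WiFi" unauthusersource="forticlient" '
          'policyname="WiFi to WAN" hostname="www.vaporoso.it" catdesc="Tobacco" '
          'devid="FGT60FTK23099PH2" vd="root" '
          'utmref="BAYQAAAIAAAB3CgCAAAGhn2YBoZ9mcggAgAABoZ9mAaGfZg==" devname="ntd-fg"')
# Constructed line (not from the thread): same device, traffic that was not blocked
ALLOWED = ('date=2024-07-23 time=14:30:00 type="traffic" subtype="forward" '
           'action="close" utmaction="allow" policyid=6 hostname="example.com" '
           'catdesc="Information Technology" devid="FGT60FTK23099PH2" devname="ntd-fg"')

def parse_log(line):
    """Return one key=value log line as a dict of field name -> string value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}

def block_summary(fields):
    """Pull out the fields the replies in this thread point at."""
    return {
        "recorded_by": (fields.get("devname"), fields.get("devid")),
        "log_type": (fields.get("type"), fields.get("subtype")),
        "utmaction": fields.get("utmaction"),
        "policy": (fields.get("policyid"), fields.get("policyname")),
        "site": (fields.get("hostname"), fields.get("catdesc")),
        "unauthusersource": fields.get("unauthusersource"),
    }

def blocked_per_device(lines):
    """Count utmaction=block events per (recording device, category)."""
    hits = Counter()
    for fields in map(parse_log, lines):
        if fields.get("utmaction") == "block":
            hits[(fields.get("devid"), fields.get("catdesc"))] += 1
    return hits

if __name__ == "__main__":
    for name, value in block_summary(parse_log(SAMPLE)).items():
        print(f"{name}: {value}")
    print(dict(blocked_per_device([SAMPLE, ALLOWED])))
```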