I have been asked to see who had a certain IP address from an IP pool at a given date/time. I know the NAT'd IP address but I want to try and work out which device was issued it.
We have FortiAnalyser but there's nothing in there from the "Source IP" address when I use the NAT'd address. Is there any other options with the FortiGate or FortiAnalyser to get this information out?
If it was assigned via dhcp by your FGT you could look into the lease table (exec dhcp lease list) on cli. This is not available in the gui. But this will only contain the assignment until the lease's ttl runs out. If the lease ttl is up the lease gets deleted and you will not see it anymore.
Anyhows: the lease will maybe provide you with a hostname but maybe it could also only give you a mac-address...
Static IPs can practically not be looked up anywhere but on the device they're set up on.
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thanks for the reply, yeah that's right, I want to know the sender's original IP.
Sadly the internal IP addresses come from our Windows DHCP server and not the FortiGate. This is related to the NAT IP Pool and not DHCP - and what IP address the device was given when he went through the NAT'ing process...
As an example using made up IP addresses...
Device A internally = ?.?.?.? (it could be 10.0.0/8)
Device A when going through the NAT IP Pool = 10.6.239.0/24
Device B sees Device A's IP address which is 10.6.239.73 - and the Admin of Device B tells me this IP address, however I need to know the internal IP address (or whatever I can get) of Device A and not the NAT IP address.
ok thanks, it was a bit of a weird case because of overlapping IP addresses - I hadn't used them either but it seems to have worked around our problem - now I just need to work out how I can see who was given what :)
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.