Hi Ricky, thank you for your report.
>If I search the traffic logs, there is nothing from 198.x.x.x so not sure where they are coming from.
The device data in the device inventory list comes from the FGT's device detection engine, which scans incoming packets on the interfaces via various protocols. However, not all traffic will have logs, as that depends on whether logging is enabled in the forward traffic policies. Some endpoint data is also retrieved from FortiClient/EMS and FortiAP/FortiSwitch, so those devices are not necessarily generating pass-through traffic.
You can review the device inventory data via the following commands. The first command should tell you which interface the device was seen on, how long ago, and from which protocol (via "src").
"diagnose user device list"
"diagnose user device stats"
You can also clear the list and monitor whether they come back:
"diagnose user device clear"
Thanks for the tips. I have logging on all my internal rules at present. I don't have any FortiSwitch or other FortiGate products on this test network either.
I ran "diagnose user device list" and see lots of these 198.x.x.x entries (198.x.x.x isn't on my internal LAN). A few examples are below, but there are hundreds:
vd root/0 46:b9:fa:7d:f7:53 gen 66156 req OHUSA/3e
created 77897s gen 66155 seen 77897s internal gen 343
ip 188.8.131.52 src arp
vd root/0 52:ec:4b:df:9c:3e gen 96567 req OHUSA/3e
created 34520s gen 96566 seen 34520s internal gen 463
ip 184.108.40.206 src arp
vd root/0 f0:e4:7f:65:fa:11 gen 51644 req OHUSA/3e
created 96440s gen 51643 seen 96440s internal gen 281
ip 220.127.116.11 src arp
I also see my valid 192.168.1.x entries, some of which are src arp and some src http.
If I show the ARP table there are only 192.168.1.x entries.
"diagnose user device stats" shows:
Home # diagnose user device stats
I rebooted yesterday, which initially cleared all the 198.x.x.x addresses, but they soon started coming back!
I also ran a packet capture from the FortiGate GUI on the internal interface for a few hours, and it only picked up a few valid requests from internal devices (192.168.1.x) to 198.x.x.x addresses on the internet (Windows Update, I think).
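When the list has hundreds of entries, reading them by eye is impractical. The script below is an added example, not part of this thread or of any Fortinet tooling: it parses the three-line record format quoted above (the "vd ... MAC" line, the "created ... seen ... interface" line and the "ip ... src" line), flags every device whose IP is outside the LAN subnets you name, and counts entries per detection source. The record layout is assumed from the post; other FortiOS versions may order fields differently. The sample records are constructed, not the poster's real output, and the MACs and IPs in them are made up.

```python
import ipaddress

# Constructed sample in the three-line record layout quoted in the thread.
# The addresses and MACs are invented for the example.
SAMPLE = """\
vd root/0 46:b9:fa:7d:f7:53 gen 66156 req OHUSA/3e
    created 77897s gen 66155 seen 77897s internal gen 343
    ip 198.51.100.10 src arp
vd root/0 52:ec:4b:df:9c:3e gen 96567 req OHUSA/3e
    created 34520s gen 96566 seen 34520s internal gen 463
    ip 192.168.1.20 src http
vd root/0 f0:e4:7f:65:fa:11 gen 51644 req OHUSA/3e
    created 96440s gen 51643 seen 96440s internal gen 281
    ip 192.168.1.31 src arp
"""


def parse_device_list(text):
    """Turn 'diagnose user device list' output into a list of dicts.

    A record starts at a line beginning with 'vd'; the following
    'created' and 'ip' lines fill in age, interface, address and source.
    Lines that do not fit this layout are ignored rather than raising.
    """
    devices = []
    cur = None
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "vd" and len(toks) >= 3:
            cur = {"vd": toks[1], "mac": toks[2].lower()}
            devices.append(cur)
        elif cur is None:
            continue
        elif toks[0] == "created" and "seen" in toks:
            i = toks.index("seen")
            cur["created_s"] = int(toks[1].rstrip("s"))
            cur["seen_s"] = int(toks[i + 1].rstrip("s"))
            # The token after the 'seen' age is the interface the device was seen on.
            cur["iface"] = toks[i + 2] if len(toks) > i + 2 else None
        elif toks[0] == "ip" and "src" in toks:
            cur["ip"] = ipaddress.ip_address(toks[1])
            cur["src"] = toks[toks.index("src") + 1]
    return devices


def flag_off_subnet(devices, lan_cidrs):
    """Return devices whose IP is not inside any of the given LAN subnets."""
    nets = [ipaddress.ip_network(c) for c in lan_cidrs]
    return [
        d for d in devices
        if "ip" in d and not any(d["ip"] in n for n in nets)
    ]


def by_source(devices):
    """Count records per detection source (arp, http, dhcp, ...)."""
    counts = {}
    for d in devices:
        src = d.get("src", "unknown")
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    devs = parse_device_list(SAMPLE)
    print("entries per src:", by_source(devs))
    for d in flag_off_subnet(devs, ["192.168.1.0/24"]):
        # An off-subnet address learned via ARP on a LAN interface is worth
        # a closer look: compare it against 'get system arp' for that interface.
        print(f"off-subnet: {d['ip']} mac={d['mac']} iface={d['iface']} "
              f"src={d['src']} seen={d['seen_s']}s ago")
```

Paste the real CLI output into SAMPLE (or read it from a file) and adjust the subnet list to your LAN. Entries that come back as src arp with an address no ARP table on the box contains are the ones to correlate with a packet capture on that interface, filtered on the MAC rather than the IP.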