Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
M0onl1t
New Contributor

Created on ‎04-20-2020 04:22 PM

Meaning of unauthuser and unauthusersource

Hi, Can anyone tell me the meaning of unauthuser and unauthusersource in the logs? Oct 30 11:14:50 192.168.1.4 date=2013-10-30 time=11:14:50 devname=FG100D3 devid=FG100D3 logid=0315013317 type=utm subtype=webfilter eventtype=urlfilter level=notice vd=" root" policyid=30 identidx=0 sessionid=21843402 srcname=" MacBook-MacBook-Pro-de-B.local" osname=" Mac OS X" osversion=" 10.8.5" [style="background-color: #ffff99;"]unauthuser=" bj" unauthusersource=" forticlient"[/style] srcip=192.168.32.8 srcport=60038 srcintf=" internal2" dstip=107.20.232.119 dstport=80 dstintf=" ISP-Colt" service=" http" hostname=" nagios.foo.net" profiletype=" Webfilter_Profile" profile=" default" status=" passthrough" reqtype=" referral" url=" /nagios3/images/comment.gif" sentbyte=633 rcvdbyte=187 msg=" URL has been visited" method=domain class="0" cat=255 In other logs appear dstunauthusersource and dstunauthuser, what is the meaning? Thanks so much

4848
0 Kudos
2 REPLIES 2
AtiT
Valued Contributor

Created on ‎11-23-2020 03:43 AM

I am also intrested in this. I can see logs with "unauthusersource="kerberos" and I can see users in the logs as unauthuser that contains username that is disabled and not belongs to any user group.

Where this unauthuser value comes from?

 

AtiT
--------------------
NSE 8, CCNP R+S

3228
0 Kudos
mricardez
Staff
Staff

Created on ‎01-04-2022 11:05 AM

The log entries are addressing the user login and login source from the device detection/identification feature (enabled at the interface).

 

- The logs of uthusersource="kerberos" is collected from traffic kerberos on the authentication process between a PC and AD.

- When FG has enabled Device detection on interfaces, the FG will inspect the PC authentication process against the AD (Kerberos traffic) and will record the username.

 

- Topology in LAB,

 

PC (192.168.79.1) -> Foritgate -> AD (192.168.78.1)

 

1: date=2022-01-04 time=10:45:13 eventtime=1641321913730103681 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.79.1 srcname="DESKTOP-OLGFQ84" srcport=51102 srcintf="vlan279" srcintfrole="lan" dstip=192.168.78.1 dstport=53 dstintf="vlan278" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=11460 proto=17 action="accept" policyid=2 policytype="policy" poluuid="c82d7686-6d84-51ec-255f-889aa12ee3b0" policyname="Vlan279To278" service="DNS" trandisp="noop" duration=192 sentbyte=310 rcvdbyte=62 sentpkt=5 rcvdpkt=1 appcat="unscanned" osname="Windows" unauthuser="user1" unauthusersource="kerberos" mastersrcmac="00:53:6d:6f:37:02" srcmac="00:53:6d:6f:37:02" srcserver=0 dstosname="Windows" dstswversion="8/8.1/10" masterdstmac="00:53:6d:6f:36:02" dstmac="00:53:6d:6f:36:02" dstserver=0


FGVM020000110916 # diagnose user device list
hosts
vd root/0 00:53:6d:6f:37:02 gen 9 req OA/24
created 4066s gen 3 seen 0s vlan279 gen 2
ip 192.168.79.1 src mac
os 'Windows' src dhcp id 848 weight 128
host 'DESKTOP-OLGFQ84' src dhcp
user 'user1' src kerberos

TAC Enginner
3036
Related Posts
View all
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.