We are utilising the FSSO Agent to identify the logged in users and match them to traffic. In the traffic logs we have one user that seems to be matching to multiple IP addresses that are in different geographic locations.
What's also interesting is the MAC that's showing is a Cisco router.
The related device seems to be appearing in the fabric topology.
I have no idea how it's relating the device and user.
I'm only fairly new to FortiGates, so a bit perplexed.
Any thoughts?
This is information gathered via device identification (looking at SMB/Kerberos/DHCP/etc. traffic to identify device/version/user/etc.).
Device identification works best/properly only when the endpoints have layer-2 connectivity up to the FortiGate. You seem to have a router in-between, causing all of these devices to appear with the same MAC address (the router's), which is known to throw things off.
Note that this info is not used for policy decisions (FSSO is still used for that), so this is "only cosmetic" and has no impact on what is allowed/blocked by firewall policies.
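A way to confirm the routed-hop explanation from exported traffic logs, as an added example that is not part of the original thread: it groups log lines by source MAC and reports any MAC seen with several distinct source IPs, which is what a router between the endpoints and the FortiGate produces. The log lines are constructed, and the key=value layout with `srcip`, `srcmac` and `user` fields is an assumption about the export format.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread). The first three share one
# MAC across different subnets, as hosts behind a router would; the last two
# are a directly attached host.
SAMPLE_LOG = '''\
date=2024-01-10 time=09:00:01 type="traffic" srcip=10.1.1.20 srcmac="00:1b:54:aa:bb:01" user="alice" dstip=8.8.8.8
date=2024-01-10 time=09:00:04 type="traffic" srcip=10.2.5.31 srcmac="00:1B:54:AA:BB:01" dstip=1.1.1.1
date=2024-01-10 time=09:00:09 type="traffic" srcip=10.3.9.7 srcmac="00:1b:54:aa:bb:01" dstip=9.9.9.9
date=2024-01-10 time=09:00:11 type="traffic" srcip=192.168.1.50 srcmac="3c:52:82:11:22:33" user="bob" dstip=8.8.4.4
date=2024-01-10 time=09:00:15 type="traffic" srcip=192.168.1.50 srcmac="3c:52:82:11:22:33" user="bob" dstip=1.0.0.1
'''

# key=value pairs where the value is either "quoted text" or a bare token
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}


def shared_macs(log_text, min_ips=3):
    """Return MACs seen with at least min_ips distinct source IPs."""
    ips = defaultdict(set)
    users = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        mac, ip = rec.get("srcmac"), rec.get("srcip")
        if not mac or not ip:
            continue  # line carries no layer-2 information
        mac = mac.lower()  # normalise case so one MAC is one key
        ips[mac].add(ip)
        if rec.get("user"):
            users[mac].add(rec["user"])
    return {
        mac: {"ips": sorted(ips[mac]), "users": sorted(users[mac])}
        for mac in ips
        if len(ips[mac]) >= min_ips
    }


if __name__ == "__main__":
    for mac, seen in shared_macs(SAMPLE_LOG).items():
        print(mac, "->", seen["ips"], "users:", seen["users"])
```

A MAC reported here is a candidate next-hop router rather than an endpoint, so device and user details attached to it in the topology view should not be read as belonging to a single host.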
Thanks. That makes a lot of sense.
In addition to what @pminarik said, only non-FSSO users behind a router will be shown like that. The FSSO users will be shown correctly with the user id even behind a router.
As long as the FGT can't identify the users, it can't show the right user ID, so to avoid that you have to implement some identification mechanism, like FSSO, active portal (and probably RSSO as well).