Hello,
My FGTs (two different models with latest firmware) are logging with a strange behaviour:
All traffic from every public IP toward different servers in the DMZ is logged with the same MAC address. I don't know if it is some ISP device before the firewall. FortiGate BINDS this IP to the first logging user (to a mail server, i.e.) and EVERY IP connecting has that user as an "unauthenticated user".
This kind of traffic has NOTHING to do with that user, but it keeps matching that first login MAC address to that user.
This thing is driving me crazy because I have weird and untrustworthy reporting (having a user doing 98% of my traffic is something not affordable :)).
I opened a ticket and the reply was the default pre-constructed answer: "check your mail system, etc etc". This has nothing to do with mail servers.
I suspect it is the option in the network port "detect and identify devices". I just disabled it and I will let you know.
It's confirmed: it was that option on the network interface that forces the FGT to look at a MAC-address <-> user match.
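A way to check exported traffic logs for the pattern described in this thread, added here as an example and not part of the original posts: it flags any source MAC that fronts several distinct source IPs while carrying a user attribution. It assumes key=value log lines with `srcip`, `srcmac` and `unauthuser` fields; the sample lines, the function names and the `min_ips` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample traffic-log lines (key=value style); not taken from the thread.
SAMPLE_LOGS = [
    'date=2025-01-10 time=10:00:01 srcip=198.51.100.7 srcmac="00:11:22:33:44:55" dstip=10.0.0.25 dstport=25 unauthuser="jdoe"',
    'date=2025-01-10 time=10:00:04 srcip=203.0.113.19 srcmac="00:11:22:33:44:55" dstip=10.0.0.80 dstport=443 unauthuser="jdoe"',
    'date=2025-01-10 time=10:00:09 srcip=192.0.2.44 srcmac="00:11:22:33:44:55" dstip=10.0.0.80 dstport=443 unauthuser="jdoe"',
    'date=2025-01-10 time=10:00:12 srcip=203.0.113.200 srcmac="00:11:22:33:44:55" dstip=10.0.0.53 dstport=53 unauthuser="jdoe"',
    'date=2025-01-10 time=10:00:15 srcip=10.0.1.15 srcmac="aa:bb:cc:dd:ee:01" dstip=10.0.0.25 dstport=25 unauthuser="asmith"',
]

# key=value pairs where the value is either "quoted" or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, handling quoted values."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV.findall(line)}


def shared_mac_attribution(lines, min_ips=3):
    """Return MACs seen with >= min_ips distinct source IPs that also carry a user.

    One MAC in front of many source IPs is normally an upstream router, so any
    user tied to that MAC is being credited with everyone's traffic.
    """
    ips, users = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        mac = rec.get("srcmac", "").lower()
        if not mac or "srcip" not in rec:
            continue  # line lacks the fields this check needs
        ips[mac].add(rec["srcip"])
        if rec.get("unauthuser"):
            users[mac].add(rec["unauthuser"])
    return {
        mac: {"src_ips": len(seen), "users": sorted(users[mac])}
        for mac, seen in ips.items()
        if len(seen) >= min_ips and users[mac]
    }


if __name__ == "__main__":
    for mac, info in shared_mac_attribution(SAMPLE_LOGS).items():
        print(f"{mac}: {info['src_ips']} source IPs attributed to {info['users']}")
```

A MAC flagged this way on an Internet-facing interface points at the gateway in front of the firewall rather than at a real client, which matches the misattribution the poster saw in reports.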