I have a client who uses FAZ and asked me a question:
I have a weekly report, High Bandwidth Application Usage. In this report, we notice that:
"NOCLUGNA" is a user on his network. But he has 45 other users on the network.
I guess they are in the remaining 99,8%
But do you have any idea why only this user emerges in this report and not the others?? :\
I read several articles about that. They often talk about LDAP configuration, but in his firewall there is no LDAP configuration :\
If someone has an idea or can explain to me
Only if the user information comes to the firewall in some way or other will it show in the forward traffic logs.
From there reports will be generated.
If there is no LDAP, maybe users are logged in through captive portal local users or through FSSO or any other authentication mechanism.
Please check and keep us posted.
If there is no authentication setup on the FortiGate at all, then user information may come from device detection.
You can verify in the raw logs if the user information comes from authentication activity or device detection:
-> if the username is logged in the 'user' field, then the information comes from some kind of authentication (captive portal, FSSO - though then the name would be in capital letters, VPN, etc.)
-> if the username is logged in the 'unauthuser' field, then the information comes from device detection and there's not much we can do about that
We have a KB on device detection and unexpected usernames:
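Added example, not part of the replies above and not Fortinet's own tooling: a Python script that performs the raw-log check described in the last reply, separating forward traffic records by whether the name sits in `user` or `unauthuser`. The key=value line layout and the `srcip`, `sentbyte` and `rcvdbyte` field names are assumptions about the exported log format, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in key=value style (not taken from the thread).
SAMPLE_LOGS = '''\
date=2023-05-02 time=09:14:01 type="traffic" subtype="forward" srcip=10.0.0.21 unauthuser="NOCLUGNA" sentbyte=1200 rcvdbyte=98000
date=2023-05-02 time=09:14:05 type="traffic" subtype="forward" srcip=10.0.0.34 sentbyte=800 rcvdbyte=4000
date=2023-05-02 time=09:15:10 type="traffic" subtype="forward" srcip=10.0.0.40 user="JSMITH" sentbyte=300 rcvdbyte=700
date=2023-05-02 time=09:16:42 type="traffic" subtype="forward" srcip=10.0.0.21 unauthuser="NOCLUGNA" sentbyte=500 rcvdbyte=2500
'''

# key=value pairs; values are either double-quoted or a run of non-space characters.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Turn one log line into a dict of field name -> unquoted value."""
    return {k: v.strip('"') for k, v in PAIR.findall(line)}

def classify(rec):
    """Return (identity source, name) following the user / unauthuser rule."""
    if rec.get("user"):
        return "authentication", rec["user"]        # captive portal, FSSO, VPN, ...
    if rec.get("unauthuser"):
        return "device-detection", rec["unauthuser"]
    return "no-identity", rec.get("srcip", "?")     # only a source IP is known

def summarize(text):
    """Count sessions and bytes per (source, name) over forward traffic logs."""
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "forward":
            continue
        key = classify(rec)
        totals[key]["sessions"] += 1
        totals[key]["bytes"] += int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
    return dict(totals)

if __name__ == "__main__":
    for (source, name), t in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{source:17} {name:12} sessions={t['sessions']} bytes={t['bytes']}")
```

Records that land under "no-identity" are the ones a per-user report cannot attribute to a name, which is where hosts without any username in the logs end up.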