Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Slim2
New Contributor

Created on ‎11-17-2023 01:21 AM Edited on ‎11-17-2023 01:31 AM

multiple ip address for one user in the log fortigate

Hello

 

we've found a problem with our FortiGate Firewall's traffic logs: the device and source IP address don't match, and each time we find the same device synchronized to a different IP address, knowing that all the machines are configured with static IP addresses.

Maybe it's good to know, the probelm occur after a migration from a FG-100E to an FG-100F

 

I add that we have good synchronization between the ip addresses of the machines and the ip addresses in the dns resolution. On the other hand, some users have more than one machine with the same AD session.

 

Here is a screen shot

1 (3).png

 

Thank you in advance

Labels:
714
0 Kudos
6 REPLIES 6
jhussain_FTNT
Staff
Staff

Created on ‎11-17-2023 03:19 AM

Hi,

 

Please let us know if the Fortigate device is behind a layer 3 device; if so, the same Mac address will be displayed for different devices.Kindly refer the below document.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Devices-are-not-identified-properly/ta-p/1...

 

Regards

Jamal

694
Slim2
New Contributor
In response to jhussain_FTNT

Created on ‎11-17-2023 05:02 AM

Hi,

 

It's the same for all user not just one user.

 

Regards

679
0 Kudos
Slim2
New Contributor
In response to jhussain_FTNT

Created on ‎11-22-2023 12:12 AM

Hi Jamal,

 

The issue in the link you sent do not match my issue.

and the problem is with all user not only one, the issue is that we have static adressing mode but multiple ip adresses are desplayed in the log for one machine and one user.

 

Regards

 

Best Regards

 

603
0 Kudos
jhussain_FTNT
Staff
Staff
In response to Slim2

Created on ‎11-22-2023 12:33 AM

Hi Slim2,

 

Can you download and  share the forward logs

 

Regards

Jamal

598
0 Kudos
Debbie_FTNT
Staff
Staff

Created on ‎11-17-2023 03:37 AM

Dear Slim2,

in addition to Jamal's suggestion, you can also check the logs themselves to see where the user information is coming from. In particular, that username may have been discovered via device detection at some point, and thus become associated with various devices even if the username is no longer correct.

More information on usernames discovered via device detection:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-unauthuser-and-unauthusersource/ta-p...

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
691
Slim2
New Contributor
In response to Debbie_FTNT

Created on ‎11-20-2023 02:02 AM

Hi Debbie,

 

Here is the Network architecture and it's the same issue with all the users and not only one.

And how it's possible that each time we find the same device synchronized to a different IP address when we have a static adressing mode ?

 

Best Regardsarchitecture.PNG

641
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.