ARG
New Contributor

Traffic logs showing a user associated with many different IP addresses

We are utilising the FSSO Agent to identify the logged in users and match them to traffic. In the traffic logs we have one user that seems to be matching to multiple IP addresses that are in different geographic locations.


What's also interesting is the MAC that's showing is a Cisco router.


[Image: Logs.jpg]

The related device seems to be appearing in the fabric topology.

[Image: device.jpg]

I have no idea how it's relating the device and user.

I'm only fairly new to FortiGates, so a bit perplexed.

Any thoughts?

1 Solution
pminarik
Staff

This is information gathered via device identification (looking at SMB/Kerberos/DHCP/etc. traffic to identify device/version/user/etc.).

Device identification works best/properly only when the endpoints have layer-2 connectivity up to the FortiGate. You seem to have a router in between, causing all of these devices to appear with the same MAC address (the router's), which is known to throw things off.

Note that this info is not used for policy decisions (FSSO is still used for that), so this is "only cosmetic" and has no impact on what is allowed/blocked by firewall policies.

[ corrections always welcome ]


3 REPLIES
ARG
New Contributor

Thanks. That makes a lot of sense.

AEK
SuperUser

In addition to what @pminarik said, only non-FSSO users behind a router will be shown like that. The FSSO users will be shown correctly with the user id even behind a router.

As long as the FGT can't identify the users, it can't show the right user ID, so to avoid that you have to implement an identification mechanism, like FSSO, active portal (and probably RSSO as well).
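Both answers above boil down to a check an analyst can run on the raw traffic log: a single source MAC fronting many source IPs (often in different subnets) is the signature of a router between the hosts and the FortiGate, which is the cosmetic device-identification effect pminarik describes, whereas a user seen with many IPs behind many different MACs is not explained by that and is worth a closer look. The script below is an added example for this thread, not Fortinet code and not the posters' code; the log lines are constructed in FortiGate key=value traffic-log style (srcip, srcmac, user and dstip are real traffic-log field names, the values are made up), and the thresholds and verdict strings are assumptions.

```python
"""Triage a FortiGate traffic log in which one user appears with many source IPs.

Added example for this forum thread; not Fortinet code and not the posters' code.
The log lines below are constructed in FortiGate key=value style: the field names
srcip/srcmac/user/dstip are real traffic-log fields, the values are made up.
"""
import re
from collections import defaultdict

# Constructed sample: jsmith shows up from three subnets behind one MAC (the
# router case from the thread), mlee from one host, pchan from two distinct hosts.
SAMPLE_LOGS = """\
date=2024-01-10 time=09:00:01 srcip=10.1.1.25 srcmac="00:1a:2b:3c:4d:5e" user="jsmith" dstip=203.0.113.10 action=accept
date=2024-01-10 time=09:00:05 srcip=10.2.7.140 srcmac="00:1a:2b:3c:4d:5e" user="jsmith" dstip=198.51.100.7 action=accept
date=2024-01-10 time=09:00:09 srcip=10.3.9.8 srcmac="00:1a:2b:3c:4d:5e" user="jsmith" dstip=203.0.113.22 action=accept
date=2024-01-10 time=09:00:12 srcip=192.168.5.17 srcmac="aa:bb:cc:dd:ee:01" user="mlee" dstip=203.0.113.10 action=accept
date=2024-01-10 time=09:00:15 srcip=192.168.5.17 srcmac="aa:bb:cc:dd:ee:01" user="mlee" dstip=198.51.100.9 action=accept
date=2024-01-10 time=09:00:20 srcip=192.168.5.40 srcmac="aa:bb:cc:dd:ee:02" user="pchan" dstip=203.0.113.10 action=accept
date=2024-01-10 time=09:00:25 srcip=192.168.5.41 srcmac="aa:bb:cc:dd:ee:03" user="pchan" dstip=203.0.113.10 action=accept
"""

# key=value pairs; values may be double-quoted (and then may contain spaces).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_logs(text):
    """Parse every non-empty line of a log blob."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def suspect_gateway_macs(text, threshold=2):
    """Return MACs fronting more than `threshold` distinct source IPs.

    A router between the hosts and the FortiGate makes every host appear with
    the router's MAC, so one MAC seen with many IPs is the signature of a
    layer-3 hop rather than of one machine using many addresses.
    """
    ips_by_mac = defaultdict(set)
    for rec in parse_logs(text):
        if "srcmac" in rec and "srcip" in rec:
            ips_by_mac[rec["srcmac"].lower()].add(rec["srcip"])
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > threshold}


def user_report(text):
    """Per user: distinct IPs, distinct MACs and a triage verdict (assumed wording).

    many IPs, one MAC   -> consistent with the cosmetic effect from the thread
    many IPs, many MACs -> not explained by a single upstream router; review
    """
    seen = defaultdict(lambda: {"ips": set(), "macs": set()})
    for rec in parse_logs(text):
        if "user" not in rec:
            continue
        entry = seen[rec["user"]]
        if "srcip" in rec:
            entry["ips"].add(rec["srcip"])
        if "srcmac" in rec:
            entry["macs"].add(rec["srcmac"].lower())
    report = {}
    for user, entry in seen.items():
        if len(entry["ips"]) > 1 and len(entry["macs"]) == 1:
            verdict = "single upstream MAC: likely layer-3 hop"
        elif len(entry["ips"]) > 1:
            verdict = "multiple MACs: review"
        else:
            verdict = "ok"
        report[user] = {"ips": sorted(entry["ips"]),
                        "macs": sorted(entry["macs"]),
                        "verdict": verdict}
    return report


if __name__ == "__main__":
    for mac, ips in suspect_gateway_macs(SAMPLE_LOGS).items():
        print(f"{mac} fronts {len(ips)} source IPs: {', '.join(ips)}")
    for user, info in user_report(SAMPLE_LOGS).items():
        print(f"{user}: {info['verdict']} "
              f"({len(info['ips'])} IPs, {len(info['macs'])} MACs)")
```

Run against an exported traffic log instead of `SAMPLE_LOGS` to see whether the "one user, many IPs" entries all share one MAC; if they do, the thread's explanation applies and, as pminarik notes, no policy decision is affected by it. The user field in these logs does not say whether it came from FSSO or from device identification, which is why AEK's point matters: only users the FortiGate cannot identify through FSSO (or another mechanism) are displayed this way.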
