Understanding How Fastvue Reporter shows Users (or hostnames or IP addresses)

Last Updated: Jun 14, 2019 08:41AM PDT
It is important to understand how Fastvue Reporter determines what to display in the 'Users' section of its reports, dashboards and alerts, as you may see a mix of Active Directory display names, raw authenticated usernames, source IPs, as well as resolved hostnames/machine names.

For example, you may see all of the following in the 'Top Users' section:
  • John Snow
  • j.snow
  • jsnows-pc.mydomain.local
  • 192.168.1.2
What Fastvue Reporter displays as the 'user' for any log record received from FortiGate depends on how your FortiGate is authenticating traffic, as well as the Fastvue Reporter machine's ability to query Active Directory and/or resolve IPs.

Authenticating Users with Fortinet FortiGate

Ideally, you would authenticate all traffic going through FortiGate so that it can be logged and correlated to a specific user. However, some traffic is not 'user' related, such as system updates, and there may be default policies or exceptions in place to exclude this type of traffic from authentication, as well as your own custom policies to exclude guest networks and BYOD devices, for example.

Fastvue Reporter is not in the business of making up stories, so it will only show a username for authenticated traffic logged by FortiGate.
 

Showing Active Directory Display Names

When an authenticated username is logged by FortiGate, Fastvue Reporter goes one step further and uses the information it has automatically imported from Active Directory to display that user's Display Name in Reports, Dashboards and Alerts.

For example, if FortiGate logs j.snow as the authenticated username, Fastvue Reporter will show John Snow instead.

Furthermore, when running User Overview Reports or when filtering your reports by Users, Departments, Offices, or Security Groups, Fastvue Reporter presents a picklist of users (or departments, offices etc) to choose from. Filtering a report by selecting a User, Department, Office or Security Group will only return data if FortiGate has authenticated the user's traffic.

If Fastvue Reporter is installed on a server that is a member of your domain, it will automatically query your default domain controller for the information required to map logged authenticated usernames to real people in Active Directory.

If needed, you can customize how Fastvue Reporter queries your Active Directory server in Settings | Directory / LDAP. This is useful if Fastvue Reporter is not installed on a member of the Domain that the FortiGate is authenticating against, or if you need to import information from more than one domain/server.
 

Showing Raw Authenticated Usernames

If Fastvue Reporter cannot query a directory server, such as in the case it is not installed on a member of a domain, then Fastvue Reporter will show the raw authenticated username if this is logged by FortiGate. 

For example, if FortiGate logs j.snow as the authenticated username and Fastvue Reporter cannot query a directory server, it will display j.snow in the Reports, Dashboards and Alerts.
 

Showing Resolved Hostnames / Machine Names

If you have not configured authentication on your FortiGate, and for any traffic that is excluded from authentication, such as system updates, guest networks, BYOD devices etc, FortiGate will not be able to log a user for this traffic.

FortiGate may log a hostname for the traffic (if it is configured to do so), in which case Fastvue Reporter will display the hostname as logged by FortiGate. For example, if FortiGate logs no username, but logs the resolved hostname jsnows-pc.mydomain.local, then Fastvue Reporter will display jsnows-pc.mydomain.local as the 'User' in Reports, Dashboards and Alerts.

If no hostname is logged, and no username is logged, FortiGate will always at least log a Source IP address for the traffic.

In the situation where only a source IP has been logged, Fastvue Reporter will attempt to look up the Source IP address via Netbios then Reverse DNS. If a hostname is successfully returned, it will be displayed as the 'User' in reports, dashboards and alerts.

For example, if FortiGate logs no user or hostname, but logs a source IP of 192.168.1.2, the Fastvue Reporter machine will first look up the IP via Netbios, then Reverse DNS and display whatever is returned as the 'User', such as jsnows-pc.mydomain.local.
 

Showing IP Addresses

You have probably guessed by now, that if FortiGate has not logged a user or a hostname, and if the Fastvue Reporter server cannot resolve the logged source IP address to a machine name or hostname via netbios or reverse DNS, then there's not much else that can be done to determine the identity of the traffic.

In this 'worst case' scenario, Fastvue Reporter will display the Source IP as the User in Reports, Dashboards and Alerts, for example, 192.168.1.2.
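The sections above describe a fixed order of precedence for the 'User' value. As an added example (not Fastvue's code), the following models that fallback chain over constructed FortiGate-style key=value log lines; the field names srcip, user and srcname, the directory table and the hostname table are assumptions standing in for the live Active Directory import and the NetBIOS / reverse-DNS lookups.

```python
import re
from collections import Counter

# Constructed stand-ins (assumptions): an AD import of username -> display name,
# and a table playing the role of NetBIOS / reverse-DNS answers for source IPs.
AD_DISPLAY_NAMES = {"j.snow": "John Snow"}
RESOLVABLE_HOSTS = {"192.168.1.2": "jsnows-pc.mydomain.local"}

# Constructed FortiGate-style records; field names are illustrative assumptions.
SAMPLE_LOGS = [
    'date=2019-06-14 srcip=192.168.1.2 user="j.snow" url="https://example.com/"',
    'date=2019-06-14 srcip=192.168.1.2 srcname="jsnows-pc.mydomain.local" url="https://example.com/"',
    'date=2019-06-14 srcip=192.168.1.2 url="https://example.com/"',
    'date=2019-06-14 srcip=10.0.0.7 url="https://example.com/"',
]

# key=value pairs, with values either "quoted" or bare (no whitespace).
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn one key=value log line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def display_user(record, directory=AD_DISPLAY_NAMES, resolver=RESOLVABLE_HOSTS.get,
                 domain_joined=True):
    """Return (value shown as 'User', reason) following the article's precedence."""
    user = record.get("user")
    if user:                                  # FortiGate authenticated the traffic
        if domain_joined and user in directory:
            return directory[user], "display name"
        return user, "raw username"           # no directory available
    host = record.get("srcname")
    if host:                                  # FortiGate logged a hostname itself
        return host, "logged hostname"
    ip = record.get("srcip", "")
    resolved = resolver(ip)                   # NetBIOS, then reverse DNS
    if resolved:
        return resolved, "resolved hostname"
    return ip, "source ip"                    # worst case: nothing else known


def top_users(lines, **kwargs):
    """Count what the 'Top Users' widget would show for these records."""
    return Counter(display_user(parse_record(line), **kwargs)[0] for line in lines)


if __name__ == "__main__":
    for name, count in top_users(SAMPLE_LOGS).most_common():
        print(f"{count:>3}  {name}")
```

To exercise the real reverse-DNS step, pass a resolver such as `lambda ip: socket.gethostbyaddr(ip)[0]` wrapped in a try/except; the table above keeps the example offline.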

Troubleshooting

If you're seeing a large number of IP addresses or hostnames in your Reports, Dashboards and Alerts in Fastvue Reporter, verify whether usernames are being logged by FortiGate by going to Log and Report | Web Filter and checking the 'User' column.

Select an entry with no User and click the Details button to view the Web Filter Profile and check the Policy number associated with it. Go to Policy and Objects | IPv4 Policy and consider applying this policy to 'User' objects instead of 'all' or 'network/subnet' objects, or create a new policy that applies this Web Filter Policy to the desired 'User' objects.

If it is not feasible to authenticate the traffic, check your FortiGate documentation, or inquire with your local FortiGate support representative on how to ensure your FortiGate resolves and logs internal hostnames.

To verify that the Fastvue Server can resolve IP addresses, log into your Fastvue Server and run the command nslookup {ip address} - where {ip address} is one of the IPs you're seeing in the reports. This should confirm if the Fastvue Server can resolve the IP or if further DNS configuration is required.

Reporting on Users with Authentication Enabled

As mentioned above, when running User Overview Reports or when filtering your reports by Users, Departments, Offices, or Security Groups, Fastvue Reporter presents a picklist of users (or departments, offices etc) to choose from.

Filtering a report by selecting a User, Department, Office or Security Group will only return data if FortiGate has authenticated the user's traffic.

This is one of the most common reasons to receive a report with no data. Even if FortiGate or Fastvue Reporter has logged a resolved Hostname, filtering a report by selecting an Active Directory user from the picklist will generate a blank report.

In these situations, you need to type the Source IP or the Hostname of the User's machine into the filter value boxes instead of picking someone from the list. You can use Saved Filters to make this a little easier (see below).
 

Reporting on Users without Authentication Enabled

It is possible to map IPs and hostnames to users using Saved Filters in Fastvue Reporter. This is best done if your network uses Static IPs, or if you're sure hostnames are reliably logged. To do this:
  1. Go to Settings | Saved Filters and click Add Filter.
  2. Give the Filter a name such as John Snow.
  3. Select the criteria:
  4. User Equal to j.snow, jsnows-pc.mydomain.local, 192.168.1.2 (replace with any known value for this user, and press Enter after typing each one)
    Saving Filters for Unauthenticated Users
  5. Click Save Filter.
This filter is now available any time you want to run a report on this user. To do this:
  1. Go to Reports | Overview Report | Internet Usage (or any other desired report)
  2. Click the Filter button.
  3. Click the Load Filter button and select John Snow from the drop-down list.

    Selecting Saved Filters
  4. The Saved Filter will then be added into the Filters list. You can select your desired Date Range and click Run Report or Schedule Report.

But a much better solution is to set up authentication on your FortiGate to log and report on users correctly. 
