Fortigate 100E – User Names in Syslog

Tags: authentication, fortigate, fortinet, syslog, windows

I am monitoring the traffic from a Fortinet Fortigate 100E firewall and I am seeing the user name of a former employee whose local and domain accounts were deleted. I can't ask Fortinet support directly because they want me to register the device but it doesn't belong to me or my company, I'm an external analyst. Someone else asked the same question on the Fortinet community and got no response anyway.

I don't understand what the fields unauthuser, unauthusersource, dstunauthuser and dstunauthusersource refer to. The documentation does not provide any description.

For instance, here we see the Linux machine running a Zabbix Proxy pinging a Windows host:

Sep 16 09:43:22 10.100.6.60 date=2021-09-16 time=09:40:18 devname="(omissis)" devid="(omissis)" eventtime=1631778018785142954 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.22 identifier=34131 srcintf="lan" srcintfrole="lan" dstip=172.1.2.16 dstintf="dmz" dstintfrole="dmz" srccountry="Reserved" dstcountry="Reserved" sessionid=87825032 proto=1 action="accept" policyid=2 policytype="policy" poluuid="(omissis)" policyname="LAN1 to LAN3 all" service="PING" trandisp="noop" duration=62 sentbyte=252 rcvdbyte=252 sentpkt=3 rcvdpkt=3 appcat="unscanned" srchwvendor="Microsoft" osname="Linux" mastersrcmac="(omissis)" srcmac="(omissis)" srcserver=0 dsthwvendor="Microsoft" dstosname="Windows" dstswversion="10" dstunauthuser="XCX005123_admin" dstunauthusersource="kerberos" masterdstmac="(omissis)" dstmac="(omissis)" dstserver=0

The anomaly in this log line is:

dstunauthuser="XCX005123_admin" dstunauthusersource="kerberos"

The user XCX005123_admin does not exist anymore but even if it did, what does it have to do with a Linux machine pinging a Windows host?

How does the firewall actually retrieve such information, even if it were correct?

Not only that, I also have a bunch of RDP/3389 connections that are attributed to user XCX005123_admin where in reality it's someone else doing them.

Best Answer

A Fortigate uses an FSSO module (Fortinet Single Sign On) where these attributions are configured (part of Security Fabric for FortiOS 6.x). For instance, AD logins can be monitored by source IP via DC Agents (installed on Active Directory domain controllers).

Attributions are resolved at the time of session creation. The FGT cannot look into the source host (without a terminal server agent), so the attribution might not match the actual user if the configuration isn't air-tight - e.g. when no verify method is used and DHCP leases change frequently, without static reservations, FSSO user attribution can be completely wrong. Windows clients can use Workstation Verify via remote registry or WMI, but for Linux clients I have no clue.

An analysis in hindsight can get complicated very quickly, especially when things have changed. Feel free to add available details of the authentication and attribution configuration to your question (FSSO config on FGT, deployed DC agents and their config, ...) and we can see where that leads.
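Added example, not code from the question or the answer: a parser for the FortiGate key=value syslog format quoted above, plus two defender-side checks for the stale FSSO attribution the answer describes (attributed users that no longer exist, and hosts the firewall has attributed to more than one user). The sample log lines and the CURRENT_ACCOUNTS set are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value syslog format (not real data);
# the user and host values mirror the ones quoted in the question.
SAMPLE_LOGS = [
    'date=2021-09-16 time=09:40:18 type="traffic" subtype="forward" srcip=192.168.1.22 '
    'dstip=172.1.2.16 policyname="LAN1 to LAN3 all" service="PING" action="accept" '
    'dstunauthuser="XCX005123_admin" dstunauthusersource="kerberos"',
    'date=2021-09-16 time=09:41:02 type="traffic" subtype="forward" srcip=192.168.1.40 '
    'dstip=172.1.2.16 service="RDP" action="accept" dstunauthuser="XCX005123_admin" '
    'dstunauthusersource="kerberos"',
    'date=2021-09-16 time=09:42:11 type="traffic" subtype="forward" srcip=192.168.1.40 '
    'dstip=172.1.2.16 service="RDP" action="accept" dstunauthuser="jdoe" '
    'dstunauthusersource="kerberos"',
]

# Hypothetical set of accounts that still exist (in practice an AD/LDAP export).
CURRENT_ACCOUNTS = {"jdoe"}

# key=value pairs; quoted values may contain spaces, unquoted ones stop at whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fields in which the firewall names a user for the source or destination host.
USER_FIELDS = ("user", "unauthuser", "dstunauthuser")

def parse_fortigate_line(line):
    """Parse one FortiGate syslog line into a dict of field -> string value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def host_ip(rec, field):
    """dst* user fields describe the destination host, the rest the source host."""
    return rec.get("dstip" if field.startswith("dst") else "srcip")

def find_stale_attributions(lines, current_accounts):
    """Return (field, user, ip) for every attribution to an account that no longer exists."""
    findings = []
    for rec in map(parse_fortigate_line, lines):
        for field in USER_FIELDS:
            user = rec.get(field)
            if user and user not in current_accounts:
                findings.append((field, user, host_ip(rec, field)))
    return findings

def find_conflicting_ips(lines):
    """Return {ip: [users]} for hosts attributed to more than one user (likely stale FSSO data)."""
    users_by_ip = defaultdict(set)
    for rec in map(parse_fortigate_line, lines):
        for field in USER_FIELDS:
            if field in rec:
                users_by_ip[host_ip(rec, field)].add(rec[field])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}
```

Running find_stale_attributions over the real log export, with the account list taken from the directory, gives the list of sessions whose attribution needs manual correlation rather than trust.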