Source Users and Source Users Reported as "None" By FW

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Source Users and Source Users Reported as "None" By FW

L1 Bithead


I'm on version 8.1.2,  in ACC tab I do have a User Activity "widget" or pane that shows Source User, Destination User, Bytes, Sessions, Threats, Content, URLs and Apps. Always the Source User, presents "None" for Source User and also I see "None" for the Destination User with the most number bytes  sent (or could be received). I do have valid user names (such as jdoe) for Destination User but:

1) Why do I see Source User reported as None (and not a valid user name)?

2) Why the the first (the entit with thight transfered bytes) Destination Users is alwasy reported as None?


Thanks for taking a shot at answering these questions (in advance).




Accepted Solutions

Thanks BPry.

Makes sense.

View solution in original post


Cyber Elite
Cyber Elite


The reason your seeing 'None' is because the firewall doesn't having a mapping for the source/destination address. One would expect that the majority of traffic in your average network would be None, as the destination address wouldn't have a user mapping.

The same holds true for the the source-user mapping. If you allow traffic in from the outside users, say if hosting a web server, you wouldn't have source-user information (you could but only in a relatively limited situation). Guest traffic is also a huge source  of source-user 'None' traffic if you have that on your network, or Windows updates running in the evenings once the user-id mapping has aged-out. 


There's a tone of reasons why this would be the case, and these are only a few examples. Really it would be up to you to analyze your logs files and see what exactly is being logged and where the traffic is coming from. 

Thanks BPry.

Makes sense.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!