08-07-2018 11:57 AM
I'm on version 8.1.2. In the ACC tab I do have a User Activity "widget" or pane that shows Source User, Destination User, Bytes, Sessions, Threats, Content, URLs and Apps. The Source User always shows "None", and I also see "None" for the Destination User with the most bytes sent (or could be received). I do have valid user names (such as jdoe) for Destination User but:
1) Why do I see Source User reported as None (and not a valid user name)?
2) Why is the first Destination User (the entity with the highest transferred bytes) always reported as None?
Thanks for taking a shot at answering these questions (in advance).
08-07-2018 08:21 PM
The reason you're seeing 'None' is because the firewall doesn't have a mapping for the source/destination address. One would expect that the majority of traffic in your average network would be None, as the destination address wouldn't have a user mapping.
The same holds true for the source-user mapping. If you allow traffic in from outside users, say if hosting a web server, you wouldn't have source-user information (you could, but only in a relatively limited situation). Guest traffic is also a huge source of source-user 'None' traffic if you have that on your network, or Windows updates running in the evenings once the user-id mapping has aged out.
There's a ton of reasons why this would be the case, and these are only a few examples. Really it would be up to you to analyze your log files and see what exactly is being logged and where the traffic is coming from.