Know Who’s Behind the IP: Enrich Trisul Flows with Internal Hostnames Using FortiGate Connector

Are you a small or medium business with a Fortinet firewall?
Here’s a simple and free way to dramatically increase your internal network visibility- by combining your FortiGate logs with Trisul’s flow analytics using the Trisul FortiGate Connector App, part of Trisul Apps collection on GitHub

With just a few clicks, you can start seeing real hostnames instead of anonymous internal IP addresses across your network dashboards, alerts and historical flows— all inside Trisul NetFlow Analyzer.

The best part? The FortiGate Connector App is free to use and takes just minutes to set up.

First, Set Up your Fortinet Firewall to Send Logs

Before you can use the FortiGate Connector App in Trisul NetFlow Analyzer, you need to configure your FortiGate firewall to forward DHCP logs via syslog. It only takes a minute.

1. Log in to your FortiGate firewall
2. Navigate to Log & Report -> Log Config -> Log Settings.
3. In the Logging and Archiving section, enter the IP address of your Trisul server.
4. Enable all relevant event logging by checking the necessary boxes- especially those related to DHCP and system activity.
5. Click Apply to save your settings

That’s it! Your FortiGate will now start sending DHCP logs to Trisul in real time

In complex enterprise and ISP networks, internal IP addresses often appear in flow analytics with little context. Without hostname resolution, investigating threats, understanding usage, or tracing anomalies becomes time-consuming. Wouldn’t it be great if your network analytics tool could show you hostnames instead of just raw IPs?

With Trisul, its not only possible, its easy.

Introducing the FortiGate Connector App for Trisul

If you’re running a FortiGate firewall in your network, Trisul’s FortiGate Connector App bridges the gap between security logging and network analytics. This app pulls in real-time security logs and enriches your flow data with meaningful context, starting with hostnames.

Why Hostname Resolution Matters: An Analogy

Imagine trying to investigate a crime in a city where every person only wears a number tag— no names, no IDs, just numbers. Thats what analyzing flow logs with only internal IPs feels like. Now imagine you could instantly translate those numbers into real names: “Arvind from TCS”, “Reception Printer”, or “R&D Server”. Thats exactly what hostname resolution does for your network analytics.

Now with a real-world example, Say you’re monitoring internal traffic and spot a surge of connections from 192.168.1.57. Normally you’d need to dig through logs or DHCP leases to identify the device. With the FortiGate Connector app and DHCP-to-Syslog mapping enabled, Trisul tells you right away: “printer-lab-3.local” is the source. No guesswork. No delay.

How it Works?

1) Install the FortiGate Connector app by logging in as admin and navigating to: Web Admin → Manage → Apps

2) Configure your DHCP server (on FortiGate) to send DHCP logs to Trisul via Syslog. (You’ve already done this in the first step!)

The app automatically parses the DHCP logs and maps IP addresses to hostnames in real time. Trisul updates its internal resolution tables, so in all dashboards, reports and alerts. You can just sit back and watch hostnames appear across your dashboards.

What This Means for You?

• Faster Investigations

You can imediately recognize devices by name instead of having to trace IP allocations manually

• User-centric Analytics

Associate flow behavior with known users or departments

• Smarter Alerts

Alarms involving hostnames provide more actionable context for NOC/SOC teams

Conclusion

Let’s face it—no one likes digging through spreadsheets or DHCP leases just to figure out who’s behind an IP. With just a few minutes of setup, your Fortinet firewall and Trisul NetFlow Analyzer can work together to give you deep, enriched visibility into your internal traffic. The FortiGate Connector App is free, easy to install, and immediately improves the clarity of your flow analytics by resolving hostnames in real time.