I've noticed a behavior this week that I have seen once and then when the live log suddenly starts showing wrong source IP addresses in the firewall log.
I think this was a bigger issue years ago, but I thought this would eventually be fixed already.
Of course I cannot recreate it and searching for this is not as easy.
SFOS is 21.0
In this example I was searching for the username (heartbeat auth).
The user was working outside the office via SSL VPN. In the middle of the logs I found a wrong source IP from a LAN network. The LAN is a VLAN on the XGS lag0 and is only available in the building where the user wasn't physically. Also, the user was not logged on to a computer with that source IP. In fact the user never works physically on this company site.
Destination IP was to one of our DMZ IP routed by another firewall.