FortiGate I
Logging and Monitoring
FortiGate 5.2.1 Last Modified: December 5, 2023
Objectives
• Understand log severity levels
• Recognize the available log storage locations
• Describe the different log types and subtypes
• Understand log structure and behavior
• Configure log settings
• Understand the impact of logs on resources
• Describe how to view log messages
• Describe how to search and interpret log messages
Logging & Monitoring
• Monitor network and Internet traffic volumes
• Diagnose problems
• Establish normality baselines to recognize anomalies
Log Severity Levels
• Administrators choose which event types are recorded and the minimum severity level to log
• Every log message carries a severity level (the level= field) that indicates the importance of the event, from most to least severe:
  o 0 Emergency: system unstable
  o 1 Alert: immediate action required
  o 2 Critical: functionality affected
  o 3 Error: an error exists that can affect functionality
  o 4 Warning: functionality could be affected
  o 5 Notification: information about normal events (appears as level=notice in raw log messages)
  o 6 Information: general system information
  o 7 Debug: debug log messages; enable only while troubleshooting, as the volume is high
Log Storage Locations
• Local logging
  o Memory (volatile; lost on reboot)
  o Hard drive (models with local disk storage)
• Remote logging
  o Syslog
  o FortiAnalyzer
  o FortiManager
  o FortiCloud
  o SNMP (traps and queries for monitoring rather than log storage)
Storage: FortiAnalyzer/FortiManager
• The FortiGate must register with the FortiAnalyzer/FortiManager (FAZ/FMG), which keeps a list of registered (allowed) devices; logs from a device that has not been authorized on the FAZ/FMG are not accepted
• Logs are sent over OFTP secured with SSL, so log traffic is encrypted in transit
FortiAnalyzer vs. FortiManager
• FortiAnalyzer: long-term, dedicated storage of log data, plus reporting
• FortiManager: centrally manage multiple FortiGate devices
  o Can also store logs and generate reports
  o Log handling is identical to FortiAnalyzer except for a 2 GB daily limit on logs received
FortiAnalyzer/FortiManager: Configuration
• Up to 3 separate FortiAnalyzer/FortiManager devices can be configured through the CLI
  o Multiple devices may be needed for redundancy
  o Generating and sending logs consumes CPU and bandwidth on the FortiGate; be aware of the cost on busy units
  config log [fortianalyzer|fortianalyzer2|fortianalyzer3] setting
      set status enable
      set server x.x.x.x      (IP address of the FortiAnalyzer/FortiManager)
  end
Storage: FortiCloud
• Subscription service
  o Long-term log storage and reporting
  o FortiGates include a one-month free trial
  o Linked to the FortiCare user account
  o See the documentation for details
Types and Subtypes
• Traffic Log
  o Forward (traffic passed or blocked by firewall policies)
  o Local (traffic aimed directly at, or generated by, the FortiGate itself)
  o Invalid (packets considered invalid or malformed and dropped)
  o Multicast (multicast traffic)
• Event Log
  o System (system-related events)
  o User (firewall authentication events)
  o Router, VPN, WanOpt & Cache, WiFi
• Security Log
  o One subtype per security profile type (Antivirus, Web Filter, Intrusion Protection, etc.)
  o The Security Log section is not created by default; it appears only once security profile events have been logged
Structure and Behavior
• Divided into 3 sections: Traffic Log, Event Log, Security Log
  o Traffic Log: packets to and through the device
  o Event Log: admin and system activity on the device
  o Security Log: messages from security profiles acting on traffic passing through the device
• Most security events are consolidated into the Forward Traffic log
  o Less CPU intensive than writing a separate security log entry for every event
  o Exceptions: DLP and intrusion (IPS) events are written to the Security Log only
Viewing Log Messages (GUI)
Which settings generate Logs
  Policy Log Setting     AV/Web Filter/Email    Behavior
  No Log                 Disabled               No Forward Traffic or Security Logs
  No Log                 Enabled                No Forward Traffic or Security Logs
  Log Security Events    Disabled               No Forward Traffic or Security Logs
  Log Security Events    Enabled                Security events appear in the Forward Traffic Log; a Forward Traffic Log entry is generated only for sessions that cause a security event
  Log all Sessions       Disabled               Forward Traffic Log entry generated for every single session
  Log all Sessions       Enabled                Security events appear in the Forward Traffic Log; a Forward Traffic Log entry is generated for every single session
• Logging is affected by hardware acceleration
  o Sessions offloaded to NP (network processor) ASICs bypass the CPU and are not logged
  o Options: disable hardware acceleration (ASIC offload) for the affected policy, or enable NP packet logging (degrades NP performance)
Viewing Log Messages (GUI): Adding Filters
• Use Filter Settings to show/hide
o Reduce the number of log entries that are displayed
o Filters are per column, more can be added
Viewing Log Messages (Raw)
• Fields in log messages are arranged into two sections:
  o Log header (common to all log messages)
    date=2013-09-10 time=[Link] logid=0000000009 type=traffic
    subtype=forward level=notice vd=root
  o Log body (varies for each kind of log)
    srcip=[Link] srcport=900 srcintf=unknown-0
    dstip=[Link] dstport=800 dstintf=unknown-0
    dstcountry="Australia" srccountry="Reserved" service=800/tcp
    wanoptapptype=cifs duration=20 policyid=100 user="test user"
    group="test group" identidx=200 wanin=400 wanout=300
    lanin=200 lanout=100
Viewing Log Messages (Raw): Header
  o Log header
    date=2013-09-10 time=[Link] log_id=32001 type=utm
    subtype=dlp eventtype=dlp level=warning vd="root" filteridx=0
  o Log body
    policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0
    user="user" group="group" srcip=[Link] srcport=2560
    srcintf="lo" dstip=[Link] dstport=5120 dstintf="port1"
    service=mm1 …
  type & subtype = name of the log file the message is stored in
  level = severity level
Viewing Log Messages (Raw): Body
o Log body
srcip=[Link] srcname=host srcport=0 srcintf=unknown-0
dstip=[Link] dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=[Link] tranport=0 transip=[Link] transport=0 service=other
proto=0 appid=1 app="AIM" appcat="IM" applist=unknown-1 duration=0
sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vpn="vpn0"
shapersentname="shaper sent name" shaperdropsentbyte=16843009
shaperrcvdname="shaper rcvd name" shaperdroprcvdbyte=16843009
shaperperipname="perip name" shaperperipdropbyte=16843009
devtype="iPad" osname="linux" osversion="ver" unauthuser="user"
unauthusersource="none" collectedemail="mail"
mastersrcmac=[Link] srcmac=[Link]
  status = the action the FortiGate took on the session (deny or accept)
  policyid = ID of the firewall policy applied to the session (policyid=0 means no policy matched, i.e. the implicit deny)
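The raw header/body layout above (and the severity names from the Log Severity Levels slide) can be handled with a small key=value parser. The following Python is an added example and is not part of the original course material or of FortiOS; the log lines it runs over are constructed for the example (documentation address ranges, placeholder log IDs), and it accepts both the status= field shown on this page and the action= field that later FortiOS traffic logs use, which is an assumption stated in the code. It splits each line into header and body, maps level= to the numeric severity, and runs a simple detection over the sample: sources with repeated forward-traffic denies.

```python
import re
from collections import Counter

# level= names mapped to the numeric severity on the slide (0 = most severe).
# Raw messages write "notice" for the Notification level; accept both.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3, "warning": 4,
    "notice": 5, "notification": 5, "information": 6, "debug": 7,
}

# Fields that make up the header common to every FortiGate log message;
# everything else is the type-specific body. Older messages spell logid as log_id.
HEADER_FIELDS = {"date", "time", "logid", "log_id", "type", "subtype", "level", "vd"}

# key=value pairs: the value is either a double-quoted string (may contain
# spaces or parentheses) or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample, not real device output. 192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges; log IDs are placeholders.
SAMPLE_LOGS = [
    'date=2014-11-03 time=10:15:01 logid=0000000013 type=traffic subtype=forward level=notice vd="root" srcip=192.0.2.10 srcport=51432 srcintf="port2" dstip=198.51.100.5 dstport=22 dstintf="port1" sessionid=4001 status=deny policyid=0 service="SSH" proto=6 duration=0 sentbyte=0 rcvdbyte=0',
    'date=2014-11-03 time=10:15:02 logid=0000000013 type=traffic subtype=forward level=notice vd="root" srcip=192.0.2.10 srcport=51433 srcintf="port2" dstip=198.51.100.5 dstport=23 dstintf="port1" sessionid=4002 status=deny policyid=0 service="TELNET" proto=6 duration=0 sentbyte=0 rcvdbyte=0',
    'date=2014-11-03 time=10:15:03 logid=0000000013 type=traffic subtype=forward level=notice vd="root" srcip=192.0.2.10 srcport=51434 srcintf="port2" dstip=198.51.100.5 dstport=3389 dstintf="port1" sessionid=4003 action=deny policyid=0 service="RDP" proto=6 duration=0 sentbyte=0 rcvdbyte=0',
    'date=2014-11-03 time=10:15:04 logid=0000000013 type=traffic subtype=forward level=notice vd="root" srcip=192.0.2.20 srcport=40211 srcintf="port2" dstip=198.51.100.5 dstport=443 dstintf="port1" sessionid=4004 action=accept policyid=7 user="test user" group="test group" service="HTTPS" proto=6 duration=35 sentbyte=2210 rcvdbyte=9340',
    'date=2014-11-03 time=10:16:00 logid=0100032002 type=event subtype=system level=alert vd="root" user="admin" ui="ssh(192.0.2.10)" action=login status=failed reason="name_invalid" msg="Administrator admin login failed from ssh(192.0.2.10)"',
    'date=2014-11-03 time=10:16:30 logid=0211008192 type=utm subtype=virus level=warning vd="root" eventtype=infected srcip=192.0.2.20 dstip=198.51.100.9 service="HTTP" virus="EICAR_TEST_FILE" action=blocked policyid=7',
]


def parse_log(line):
    """Split one raw FortiGate log line into (header, body) dicts, unquoting values."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    header = {k: v for k, v in fields.items() if k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return header, body


def severity(header):
    """Numeric severity of a parsed header (0 = Emergency ... 7 = Debug)."""
    return SEVERITY[header["level"].lower()]


def filter_by_severity(lines, max_level):
    """Return (header, body) for messages at least as severe as max_level."""
    parsed = (parse_log(line) for line in lines)
    return [(h, b) for h, b in parsed if severity(h) <= max_level]


def denied_sources(lines, threshold):
    """Count forward-traffic denies per source IP; return sources reaching threshold.

    The page's examples carry the verdict in status=; later FortiOS traffic logs
    use action=. Assumption: whichever is present holds the verdict.
    """
    counts = Counter()
    for line in lines:
        header, body = parse_log(line)
        if header.get("type") != "traffic" or header.get("subtype") != "forward":
            continue
        verdict = body.get("action", body.get("status"))
        if verdict == "deny":
            counts[body["srcip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for header, body in filter_by_severity(SAMPLE_LOGS, 2):
        print("urgent:", header["type"], header["subtype"], body.get("msg", ""))
    print("repeat denies:", denied_sources(SAMPLE_LOGS, 3))
```

The same parser works on lines pulled from `execute log display` or from a syslog server receiving FortiGate logs; the header fields are the ones to key retention and routing on (type/subtype name the log file, level the severity), while the body fields differ per log type and should be treated as optional.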
Viewing Log Messages (CLI)
• Set up a log filter first (which log category, and optionally a field match), then display
  execute log filter category 0             (0 = traffic log)
  execute log filter field srcip 10.0.1.5   (optional field match; example address)
  execute log display
Monitoring logs
• Monitoring logs is critical to the protection of your network
• Three ways to monitor:
  o Alert emails
  o Alert Message Console (GUI widget)
  o SNMP
Alert Email
• Sends an email notification when a selected event is detected
• Requires the SMTP server name or IP address; if a name is used, at least one DNS server must be configured so the FortiGate can resolve it
• Up to three recipients per mail server
Alert Email: Configure
• Alert email cannot be configured until an SMTP server is defined
• Send to up to 3 addresses (mailto1, mailto2, mailto3 under config alertemail setting)
  config system email-server
      set type custom
      set reply-to (sender/reply address)
      set server (SMTP server IP or FQDN)
      set port (connection port; typically 25 for plain or STARTTLS, 465 for SMTPS)
      set source-ip (FortiGate interface IP used as the source of the connection)
      set authenticate [enable|disable]   (enable also requires set username and set password)
      set security [none|starttls|smtps]  (prefer starttls or smtps; with none, credentials and alert contents cross the network in clear text)
  end
Alert Message Console
• Alert messages can appear through GUI widget
o Individual alerts can be acknowledged and removed from the list
o Customizable alert options
SNMP Monitoring
• The FortiGate runs an SNMP agent (managed device); the SNMP manager queries it and receives its traps, using the Fortinet MIBs to interpret the OIDs
• Configure the FortiGate interface for SNMP access (allow SNMP in the interface's administrative access)
• Compile and load the FortiGate MIBs into the SNMP manager
• Create SNMP communities (v1/v2c) or users (v3) that allow the connection between the FortiGate and the SNMP manager
  o SNMP v1/v2c: community string and data sent in plain text
  o SNMP v3: authenticated, and encrypted when privacy (authPriv) is enabled
• Traps generated by the agent are sent to the SNMP manager; the manager can also poll the agent for status
SNMP Monitoring: Configuring
• Version 3 offers better security: prefer it, with both authentication and privacy enabled, over v1/v2c community strings
Configuring Log Settings: GUI
• Resolving IP addresses in log views to hostnames costs a DNS lookup per address; the more log entries displayed, the more lookups
  o Could impact CPU on a busy unit
Configuring Log Settings: CLI
• Each log location has its own config log <location> setting block holding location-specific information (server IP, user name, etc.)
  o disk: hard drive (built-in non-volatile flash on some models)
  o fortianalyzer | fortianalyzer2 | fortianalyzer3: separate FortiAnalyzers
  o fortiguard: FortiCloud
  o memory: system memory (volatile; lost on reboot)
  o syslogd | syslogd2 | syslogd3: separate syslog servers
  o webtrends: WebTrends service
Configuring Log settings: Firewall Policy
• The firewall policy's log setting decides whether a log message is generated for a session
• The 'Log Settings' options decide whether, and where, generated logs are stored
Logging Resources
• The more logs generated, the more CPU, memory, and disk space is required to process and store them
• UTM (security profile) events are logged when matching traffic is detected
  o Generally not a large source of logs
• Traffic logs are generated whether UTM is turned on or not
  o Traffic logs also carry the UTM event information and extra fields useful for troubleshooting
• Traffic logs can be abbreviated to free up firewall resources
  config log setting
      set brief-traffic-format enable
  end
Event Logging: Settings
• Event logs are not caused by traffic passing through firewall policies (except the 'User' subtype, which records firewall authentication)
Logging Monitor
• Overall view of the number/type of logs generated
• Drill down allows for more detailed information
Monitor
• Monitor sub-menus are found in the GUI under each main function menu
• User-friendly display of the monitored information
• View the activity of a specific feature being monitored
• Which features, and therefore which monitors, are visible in the GUI is controlled by the gui-* settings under config system global, for example:
  gui-antivirus gui-ap-profile gui-application-control gui-central-nat-table gui-certificates
  gui-client-reputation gui-dlp gui-dns-database gui-dynamic-profile-display gui-dynamic-routing
  gui-endpoint-control gui-explicit-proxy gui-ipsec-manual-key gui-implicit-policy gui-ips gui-icap
  gui-ipv6 gui-lines-per-page gui-load-balance gui-local-in-policy gui-multicast-policy
  gui-multiple-utm-profiles gui-object-tags gui-policy-interface-pairs-view
  gui-replacement-message-groups gui-spamfilter gui-sslvpn-personal-bookmarks gui-sslvpn-realms
  gui-utm-monitors gui-voip-profile gui-vpn gui-vulnerability-scan gui-wanopt-cache gui-webfilter
  gui-wireless-controller gui-wireless-opensecurity
GUI Monitors
• Example: Security Profiles Monitor
  o Includes all security features
• AV Monitor
  o Recent and top virus activity
• Web Monitor
  o Top blocked FortiGuard categories
• Application Monitor
  o Most used applications
• Intrusion Monitor
  o Recent attacks
• Email Monitor
  o Spam statistics
• Archive & Data Leak Monitor
  o DLP sensor activity
• FortiGuard Quota
  o Per-user list of quota usage
Status Page: Custom Widgets
• Most have settings to display different information
o Can add same widget to the dashboard multiple times, each showing
different information
Status Page: Custom Dashboards
• Multiple dashboards by default
o Included widgets are set up to provide different kinds of information
o Can be changed/deleted/added
o Dashboard and widget layout is an administrator preference
Crash Logs
  diagnose debug crashlog read
• Records process terminations: which process exited and the signal it received
• Any time a process exits, an entry is written; not every entry is a fault
  o Some are normal (e.g. scanunit restarting to load updated definitions)
  o Intended for troubleshooting only; this is not a security log
Review
Log severity levels
Storage locations
Log types and subtypes
Log structure and behavior
Log settings
Log resources
Viewing log messages
Monitoring, reading, and interpreting log messages