You are on page 1of 36



 Logging & Monitoring

In this lesson, we will look at how to monitor your FortiGate, and how to log its system events and
network traffic. Since you are implementing a security solution, it is important to know how to
appropriately monitor the device’s operation. It is vital to have logging and monitoring configured
properly and to know how to read the output. Otherwise if you encounter issues, you won’t have any
messages from FortiGate to help you find out what is happening in your network.


By the end of this lesson, you’ll be able to:
Describe log severity levels
Identify where logs are stored
Describe the different types of logs
Understand log structure and behavior
Configure log settings
Understand the impact of logs on resources
Describe how to view log messages, and finally
Describe how to search and interpret log message

 Logging & Monitoring


 Logging & Monitoring

The basic purpose of logs is to help you monitor your network traffic levels, track down problems,
establish baselines and a lot more.
Think of your own internal organization, where it is highly probable that more than one administrator
has access to your FortiGate device. Since it is not practical to block other administrators from making
changes to your FortiGate configuration, you can simply view the log files to find out what is
happening on the device—including any changes that were made. Logs help provide you with the big
picture so you can make adjustments to your network security, if necessary.
Keep in mind that some organizations have legal requirements when it comes to logging, so it is
important to be aware of your organization’s policies during configuration.

the lowest level. puts more strain on the CPU resources. You and your organization’s policies dictate what needs to be logged. . In total there are eight levels. Debug is only needed to log diagnostic data. and requires additional resources to create. Debug. puts additional information into the event log and is worthless unless you are actively investigating something.DO NOT REPRINT © FORTINET  Logging & Monitoring Each log entry includes a log level that ranges in order of importance from Debug to Emergency. Generally the lowest level you want to use is Information.

you can store logs on Syslog Servers. Locally. FortiCloud. . the FortiGate device has memory and many devices have a built-in hard drive. SNMP. Externally.DO NOT REPRINT © FORTINET  Logging & Monitoring You can choose to store logs in a variety of places both on and off the device. or a FortiAnanlyzer device.

or outside of it. you can place a FortiAnalyzer or FortiManager within the same network as a FortiGate. a Fortigate can communicate with a FortiAnalyzer or FortiManager only if it is registered device. it can be safely transmitted across an unsecure network. . Communication between the Fortigate and FortiAnalyzer or FortiManager is done via SSL encrypted OFTP traffic. a FortiAnalyzer or FortiManager is simply viewed as an IP with which the FortiGate can communicate. As a result.DO NOT REPRINT © FORTINET  Logging & Monitoring As an external logging device for FortiGate. so when a log message is generated. it accepts incoming logs. However. So long as the FortiGate is properly registered with the FortiAnalyzer or FortiManager.

. As such. On the other hand. Even the smallest FortiAnalyzer can handle more logs per day than any FortiManager. regardless of the model. There is the store-and-upload option. but a FortiManager’s primary purpose is to centrally manage multiple FortiGate devices. it has a flat limit imposed on the amount of logs it can receive in a day. we’ve discussed FortiAnalyzer and FortiManager as interchangeable external logging devices for the FortiGate. Both take log entries. so the log limit is much higher (though the limit is model-dependent). the FortiAnalyzer’s primary purpose is to store and analyze logs. as well as real time. While configuring the FortiGate to send logs to a FortiAnalyzer or FortiGate is identical—they share a common hardware and software platform—the FortiAnalyzer and FortiManager actually have different capabilities that are worth noting.DO NOT REPRINT © FORTINET  Logging & Monitoring So far. The FortiGate has 2 methods for transmitting the log events. what you can do with the logs received on a FortiManager is no different than what you can do with logs received on a FortiAnalyzer. But at the most basic level.

. Keep in mind that generating logs requires resources. you can configure up to three separate FortiAnalyzer or FortiManager devices at the same time. You may need a setup like this for redundancy or for some other requirement. so the impact of sending logs to multiple locations ultimately depends on how many logs you are creating.DO NOT REPRINT © FORTINET  Logging & Monitoring You can configure logging to either a FortiAnalyzer or FortiManager through the GUI or CLI. each device must be set up separately. Here. In the GUI. not fortianalyzer2 or fortianalyzer3. In the CLI. The options in the GUI only relate to the ‘config log fortianalyzer setting’. one at a time. it is done under Log & Report > Log Config > Log Settings.

but more advantageous for smaller setups. FortiCloud is a subscription-based service. where purchasing a dedicated logging appliance isn’t feasible.DO NOT REPRINT © FORTINET  Logging & Monitoring Another external logging option you can use is FortiCloud. It’s a similar idea to FortiAnalyzer. Be sure to read any documentation on the website if you are considering the subscription-based option. Every FortiGate comes with a free one month trial. . You can activate your free trial from the GUI and link it to your FortiCare user and start sending logs. that offers long term storage of logs as well as provides reporting functionality. offered by Fortinet.

and Router/VPN/WanOpt &Cache/Wifi sub-types. Router/VPN/WanOpt &Cache/Wifi contain log entries related to the specific feature.DO NOT REPRINT © FORTINET  Logging & Monitoring On the FortiGate. as well as FortiGuard queries. For example. Antivirus. Each log type is further split up into sub-types. Security logs contain log entries based on the security profile type. For example. such as automatic updates of the AV/IPS definitions and people logging into the GUI. Finally. The Forward log contains information about traffic either accepted or rejected by a firewall policy. Event logs contain System. Security logs only show specific sub-types if logs are created within it. Local traffic is traffic directly to/from the FortiGate. Router contains BGP or RIP log entries and VPN contains IPSec and SSLVPN log entries. . and security logs. These are traffic logs. Invalid and Multicast. User contains logon/off events for users hitting firewall policies. System events are related to system operations. event logs. User. Local. Invalid packets are the logs thrown away before they even get to a firewall policy. all logs are split up into three different log types. Web Filter. and Intrusion Protection to name a few. Traffic logs contain Forward. and includes logging into the GUI.

The Traffic Log contains events about packets. The Security Log contains messages related to security profiles activated on firewall policies. . By default. Events such as these always appear in the Security Log section. most of the events related to security appear in the Forward Traffic log—a sub-type of the Traffic Log. Event. The exception to this is DLP and Intrusion Scanning. Security. The Event Log contains admin or system activity events. and (if configured). This is for performance: fewer log files is less CPU intensive.DO NOT REPRINT © FORTINET  Logging & Monitoring The Log & Report section of the FortiGate GUI includes the three log types: Traffic.

DO NOT REPRINT © FORTINET  Logging & Monitoring To inspect your logs through the GUI. you can switch between viewing the logs from different locations if the FortiGate is set up to log to multiple locations. go to the Log & Report section and select the log type to view. In the upper right corner of the window. It is not recommended to configure your firewall to actively inspect traffic without creating a log entry about it. .

DO NOT REPRINT © FORTINET  Logging & Monitoring This chart illustrates the expected behavior when you enable different logging options. So if you apply a security profile. The first column. . The last column shows the behavior. Web Filter. or Log all Sessions. it’s important to remember to consider the logging setting. or Email security profile is enabled or disabled. you will not get logs of any kind—even if the profile is configured to block the traffic. The second column shows whether an Antivirus. Log Security Events. Policy Log Setting. shows the log setting on the Firewall policy: No Log. If you enable any profiles on your policy and logging is not enabled. Remember. DLP and IPS profiles always generate logs in the Security Log section.

especially during an investigation.DO NOT REPRINT © FORTINET  Logging & Monitoring When viewing the logs. depending on your configuration. This makes it difficult to locate a specific log or log type. the easier it is to find the precise log entry. In order to negotiate the logs more efficiently. you can set up various filters. you might encounter a high volume of log messages. Make sure to configure the table columns for your own requirements. . By default only a subset of the information appears in the log table. The more information you specify in the filter. Filters are configured for each column of data you choose to display.

however. The body.DO NOT REPRINT © FORTINET  Logging & Monitoring Every log message you view has a standard layout comprised of two sections: a header and a body. like a date and time. changes from one type of log message to another. . while other data is event dependent. This is because there is some data common to all logs. The header contains the same information regardless of the log.

and the severity level is Warning. you need to know how to set up your filters in order to find what you need in your log messages. You can find a document that contains all the logs and their layouts from the Fortinet docs web site at http://docs.fortinet. aside from the date. . the information in the header of the log directly effects the data contained in the associated body of the log. As you can see in the header. but the data aligned to it can be different. the header can contain a log type of Event and sub-type of System instead of what you see in the example above. such as a Syslog server.DO NOT REPRINT © FORTINET  Logging & Monitoring Let’s take a closer look at the header in this is an example of a raw log entry. the sub-type is DLP. Accordingly. you can see the that log type is UTM. . The attributes in the header (such as log type and sub-type) are common to every log. While the output is not as structured as it appears in the GUI. and log ID attributes. For example. Note that if you log to a 3rd party device. the information contained in a raw log file is the same.

which means the FortiGate prevented this particular piece of traffic from passing. we can see the action taken by the FortiGate device when it encountered the traffic through the status attribute. Here. the status is Deny. . The value indicated by policyid field provides useful information about the policy this traffic passed through (which firewall rule was used). The body provides the specifics of the log message and helps you understand what actually happened.DO NOT REPRINT © FORTINET  Logging & Monitoring Now lets take a closer look at the body of a log. In the above log.

you can also display log messages from the CLI. . such as FTP. This allows you to set up a number of filters on the logs that display and capture the output to a file and send it via the options you specify.DO NOT REPRINT © FORTINET  Logging & Monitoring Rather than look at raw logs or logs through the GUI.

How the attack unfolds may reveal weaknesses in your preparations.DO NOT REPRINT © FORTINET  Logging & Monitoring Monitoring your logs is critical. Alert Message Console. . as it allows you to review the progress of an attack. and SNMP. whether afterwards or while in progress. There are three ways you can monitor logs: Alert Emails. and address the issue quickly.

DO NOT REPRINT © FORTINET  Logging & Monitoring Since you can’t always be physically at the device. . First you decide “what” is going in to them (a filter) and then “where” it is going. Alert emails are set up similar to any log device. you can monitor logs by setting up Alert emails.

. Without configuring an SMTP server that will receive the email. the first thing you need to do is configure an SMTP server to allow for communication between the server and the FortiGate device. This allows you to configure your alert email settings in the GUI through the Log & Report > Log Config > Alert E-mail menu. This can only be done in the CLI.DO NOT REPRINT © FORTINET  Logging & Monitoring In order to set up an alert email. the alert email option does not appear in the GUI.

the number of alerts. Once an alert appears in the Alert Message Console it remains until acknowledged. Here.DO NOT REPRINT © FORTINET  Logging & Monitoring Another log monitoring option is the alert message console. and even the name of the widget itself. The Alert Message Console is a GUI widget that you can enable on the System dashboard. Once you confirm the event did not impact anything. they appear directly in the widget on the System page when you log in to the FortiGate. you acknowledge it. and it is removed from your list — it no longer appears as something that requires further attention. you can have multiple alert widgets on the dashboard with different names all displaying different types of alerts. For example. You can configure the widget to set up the events you want to appear as alerts. . instead of the alerts being emailed to administrators like in Alert emails.

and query messages sent by the FortiGate device SNMP agent. They can be loaded into any SNMP software so that you can set up automatic queries to the device in order to discover operational status. . event. You can obtain CPU. These MIBs provide information the SNMP manager needs to interpret the SNMP trap. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager.DO NOT REPRINT © FORTINET  Logging & Monitoring Another method of monitoring logs is through an SNMP manager. you require the Management Information Base (MIB) file. and more. You can obtain the MIB files either on the Support website or directly from the FortiGate GUI through the System > Config > SNMP menu. A FortiGate device can support SNMP v1. the cause for the last spam detection. v2 and v3. In order to use this method. memory levels.

like traffic encryption and authentication. Simply enable and define the service as you would any other SNMP monitored device and then enable your protocol options and methods of monitoring. . What can be monitored with the different options is exactly the same. SNMP v3 offers some additional security over the previous two versions of the protocol.DO NOT REPRINT © FORTINET  Logging & Monitoring Setting up the necessary SNMP options is fairly straight forward from the GUI.

. you can enable different locations for log storage. you can configure the GUI preferences. Resolving IPs to host names requires the FortiGate to perform DNS lookups for all the IPs. Finally. under Log & Report > Log Config > Log Settings. this can impact your ability to look through the logs as the requests will timeout. If your DNS is not working or running slowly.DO NOT REPRINT © FORTINET  Logging & Monitoring In the GUI. You can also configure the different kind of traffic you want to appear in the Local traffic log.

a 3rd party service. FortiGuard. There is also the ability to set up logging to Webtrends. FortiAnalyzer. Syslog. The information you require for configuring the log settings is dependent on the logging option you configure: disk. . options not available in the GUI. you can configure up to three separate FortiAnalyzers and Syslog servers.DO NOT REPRINT © FORTINET  Logging & Monitoring Using the CLI to configure log settings provides you with more flexibility and options than the GUI. or Webtrends. From the CLI. memory.

The policy setting determines if and when a log message is generated for traffic passing through a particular firewall policy.DO NOT REPRINT © FORTINET  Logging & Monitoring Firewall policies also have logging options you can configure. . The settings under Log Settings in the GUI and the ‘config log’ command in the CLI determine where the FortiGate stores the log messages it creates.

make sure its worth the extra resources and that your system can handle the influx. So before configuring logging. There is an option in the CLI that removes some of the information stored in the traffic log: set brieftraffic-format enabled. . UTM profiles create log events when traffic is detected. the heavier the toll on your CPU and memory resources. your traffic logs can easily become a problem that will ultimately impact the performance of your firewall. you can free up resources on the firewall. Storing logs for a period of time also requires disk space. The more logs that get generated. Depending on the amount of traffic you have and logging settings that are enabled. Also important to note is logging behavior with UTM profiles. By executing this command. as does accessing them.DO NOT REPRINT © FORTINET  Logging & Monitoring It’s important to remember that creating logs is not “free”—it does weigh on your system.

remember that Event logs are not caused by traffic passing through firewall policies.DO NOT REPRINT © FORTINET  Logging & Monitoring In configuring the Event log settings. user activity. such as administrator logins. So what you enable depends on what features you are implementing and what information you need to get out of the logs. For example. . One exception might be the user log. You can enable what events you want to log through the Log & Report > Log Config > Log Settings menu. and daily operations of the device. Event logs provide all of the system information generated by the FortiGate device. VPNs going up and down or routing protocol activity are not caused by traffic passing through a firewall policy. configuration changes made by administrators. but it does record user logon/logoff events on traffic that passes through policies. This does not record information about traffic through firewall policies directly.

. You can drill down through these logs and obtain further information by clicking any of the days.DO NOT REPRINT © FORTINET  Logging & Monitoring There is also a daily log monitor section. This displays the number of logs generated over time as well as the log type. This allows you to see where your FortiGate device is using most of its resources and if any trends are occurring.

at any given moment. how the feature is performing. With a lot of security activity this could impact your CPU. This allows you to take a view.DO NOT REPRINT © FORTINET  Logging & Monitoring Each function of the FortiGate device has an equivalent “Monitor” menu item in the GUI. . so it’s disabled by default. The Security functions have a monitor option like the rest. but you need to enable it from the CLI before it appears.

such as AV Monitor. found in the GUI under Security Profiles > Monitor. and Application Monitor to name a few. It has sub-sections for each security feature to highlight recent activity. This gives you a snapshot of what is happening with that particular option. . Web Monitor. Almost every menu has this option.DO NOT REPRINT © FORTINET  Logging & Monitoring One example of a GUI monitor is the Security Profiles monitor.

Many can be customized to show the same type of information in multiple ways. with each instance displaying different information. you can configure any of the available settings for that widget. You can add some widgets to the same dashboard multiple times. . If you click the pencil icon in the upper right corner of the widget.DO NOT REPRINT © FORTINET  Logging & Monitoring Another means of monitoring is through the widgets on the status page.

DO NOT REPRINT © FORTINET  Logging & Monitoring By default. it will not impact any of the other users. . You can alter a user’s permissions to not allow them to make changes to their dashboard and use this to restrict their access. so if one user deletes a dashboard and rearranges the widgets on the Status page. there are a number of different dashboards available. Each one has a different name with a different collection of widgets to provide different types of information. Each user has their own dashboard setup and layout.

with different processes that handle different things. If there is an abnormal termination of a process. the crash log records this as a crash. This is a normal shutdown and appears with a status of zero.DO NOT REPRINT © FORTINET  Logging & Monitoring One other area you may want to monitor. that process needs to close down in order to apply the new package. which is the process responsible for virus scanning. like DHCP or web filtering for example. . available through the CLI. purely for diagnostics. which indicates a normal shut down with no abnormalities. you can look at the crash logs and find out the conditions that caused it. Any time a process is closed for any reason. is the crash logs. A normal and fairly common thing to see in the crash log are entries for Scanunitd. Any time the definitions package is updated. The FortiGate is like a computer.

log types and subtypes. log structure and behavior. reading. storage locations.DO NOT REPRINT © FORTINET  Logging & Monitoring In this lesson. log settings. we covered log severity levels. . and interpreting log messages. and monitoring. viewing logs messages.