FortiOS™ Handbook v3
for FortiOS 4.0 MR3
FortiOS™ Handbook Logging and Reporting
v3
24 January 2012
01-432-112804-20120124
© Copyright 2012 Fortinet, Inc. All rights reserved. Contents and terms are subject to
change by Fortinet without prior notice. Reproduction or transmission of this publication
is encouraged.
Trademarks
The names of actual companies and products mentioned herein may be the trademarks
of their respective owners.
Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to
techdoc@fortinet.com.
FortiOS Handbook
Contents
Introduction
  Before you begin
  How this guide is organized
Logging overview
  What is logging?
    How the FortiGate unit records log messages
      Example: How the FortiGate unit records a DLP event
  Log messages
    Explanation of a log message
    Explanation of a debug log message
    Viewing log messages
  Log files
  Best Practices: Log management
Log devices
  Choosing a log device
  Example: Setting up a log device and backup solution
Reports
  FortiOS reports
  Configuring a FortiOS report
    Modifying the default FortiOS report
    Example for creating a new default report from the existing default report
    Configuring charts, datasets, themes and styles for a report
      Configuring datasets
      Configuring themes
      Configuring styles
    Configuring a report layout
      Charts
        Adding charts to the layout
        Configuring a chart
    Importing images for the report
  Viewing reports
  Report example
    Report for analyzing web activity on the FortiGate unit
      Configuring the style
      Configuring the theme
      Uploading the company graphic for the report
      Modifying the time period for the charts
      Configuring the layout
Index
Introduction
Welcome and thank you for selecting Fortinet products for your network protection. This
document explains how to choose a log device for your logging requirements, describes
the types of log files, and shows how to configure your chosen log device, including a
detailed explanation of each log type and its log messages.
Logging is an integral component of the FortiGate system. Logging allows you to view
the activity and status of the traffic passing through your network, and monitor for
anomalies.
If you notice problems with this document, or have suggestions for improvements, send
an email about them to Fortinet Technical Document at techdoc@fortinet.com.
This chapter contains the following topics:
• Before you begin
• How this guide is organized
The SQLite log database provides information about SQLite statements, as well as
examples on which you can base your own custom datasets.
Log message usage provides general information about log messages, such as what a
log header is. Detailed examples of each log type are discussed as well. For additional
information about all log messages recorded by a FortiGate unit running FortiOS 4.0 and
higher, see the FortiGate Log Message Reference.
Reports provides information about how to configure reports if you have logged to the
FortiGate unit’s hard disk SQL database.
Logging overview
This section explains what logging is in relation to your FortiGate unit, what a log
message is, and log management practices. These practices can help you to improve
and grow your logging requirements.
The following topics are included in this section:
• What is logging?
• Log messages
• Log files
• Best Practices: Log management
What is logging?
Logging records the traffic passing through the FortiGate unit to your network and the
action the FortiGate unit took while scanning that traffic. This recorded information is
called a log message.
After a log message is recorded, it is stored within a log file which is then stored on a log
device. A log device is a central storage location for log messages. The FortiGate unit
supports several log devices, such as a FortiGuard Analysis and Management Service,
and the FortiAnalyzer unit. A FortiGate unit’s system memory and local disk can also be
configured to store logs, and because of this, are also considered log devices.
You must subscribe to FortiGuard Analysis and Management Service so that you can
configure the FortiGate unit to send logs to a FortiGuard Analysis server.
3 The FortiGate unit exempts the match, and places the recorded activity (the log
message) within the DLP log file.
4 According to the log settings that were configured, logs are stored on the FortiGate
unit’s local hard drive. The FortiGate unit places the DLP log file on the local hard
drive.
Log messages
Log messages are recorded information containing specific details about what is
occurring on your network. Within each log message there are fields. A field is a pair of
two pieces of information, a name and a value, that explains a specific part of the log
message. For example, the action field contains login (action=login).
The fields within the log message are arranged into two groups; one group, which is first,
is called the log header, and the second group is the log body, which contains all other
fields. A log header from the FortiGate unit appears as follows when viewed in the Raw
format:
2011-01-08 12:55:06 log_id=24577 type=dlp subtype=dlp pri=notice
vd=root
The log body appears as follows when viewed in the Raw format:
policyid=1 identidx=0 serial=73855 src="10.10.10.1" sport=1190
src_port=1190 srcint=internal dst="192.168.1.122" dport=80
dst_port=80 dst_int="wan1" service="https" status="detected"
hostname="example.com" url="/image/trees_pine_forest/" msg="data
leak detected(Data Leak Prevention Rule matched)" rulename="All-HTTP"
action="log-only" severity=1
Logs from other devices, such as the FortiAnalyzer unit and Syslog server, contain a
slightly different log header. For example, when viewing FortiGate log messages on the
FortiAnalyzer unit, the log header contains the following log fields when viewed in the
Raw format:
itime=1302788921 date=20110401 time=09:04:23
devname=FG50BH3G09601792 device_id=FG50BH3G09601792
log_id=0100022901 type=event subtype=system pri=notice vd=root
Within the log header, there is a type field, and this field indicates the type of log file the
log message is put into after it is recorded. The log header also contains the log_id field.
The log_id field contains the unique identification number that is associated with that
particular log message. For example, 32001. All log messages have a unique number that
helps to identify them within their log file.
The log header also contains the log severity level, which is indicated in the pri field.
This information is important because the severity level tells you how serious the
recorded event is. For example, if the pri field contains alert, you need to take
immediate action with regards to what occurred. There are six log severity levels.
The log severity level is the threshold at which the FortiGate unit records logs. The log
severity level is defined when configuring the logging location. The FortiGate unit logs all
messages at and above the logging severity level you select. For example, if you select
Error, the unit logs Error, Critical, Alert, and Emergency level messages.
Table 1: Log severity levels
Level            Description
0 - Emergency    The system has become unstable.
1 - Alert        Immediate action is required.
2 - Critical     Functionality is affected.
3 - Error        An error condition exists and functionality could be affected.
4 - Warning      Functionality could be affected.
5 - Notification Information about normal events.
6 - Information  General information about system operations.
The Debug severity level, not shown in Table 1, is rarely used. It is the lowest log severity
level and usually contains some firmware status information that is useful when the
FortiGate unit is not functioning properly. Debug log messages are only generated if the
log severity level is set to Debug. Debug log messages are generated by all types of
FortiGate activities.
The log body contains the rest of the information of the log message, and this information
is unique to the log message itself. No two log message bodies are alike; however, the
same fields may appear in most log message bodies, such as the srcintf log field or the
identidx log field.
For detailed information on all log messages, see the FortiGate Log Message Reference.
Log header:
date=(2010-08-03)   The year, month and day of when the event occurred in yyyy-mm-dd
                    format.
time=(12:55:06)     The hour, minute and second of when the event occurred in the
                    format hh:mm:ss.
log_id=(24577)      A five-digit unique identification number. The number represents
                    that log message and is unique to that log message. This five-digit
                    number helps to identify the log message.
type=(dlp)          The section of system where the event occurred.
subtype=(dlp)       The subtype category of the log message. See Table 1 on page 10.
pri=(notice)        The severity level of the event. See Table 1 on page 10.
vd=(root)           The name of the virtual domain where the action/event occurred in.
                    If no virtual domains exist, this field always contains root.
Log body:
policyid=1 identidx=0 serial=73855 src="10.10.10.1" sport=1190
src_port=1190 srcint=internal dst="192.168.1.122" dport=80
dst_port=80 dst_int="wan1" service="https" status="detected"
hostname="example.com" url="/image/trees_pine_forest/" msg="data
leak detected(Data Leak Prevention Rule matched)" rulename="All-HTTP"
action="log-only" severity=1
Explanation of a debug log message:
date=(2010-01-25)    The year, month and day of when the event occurred in the
                     format yyyy-mm-dd.
time=(17:25:54)      The hour, minute and second of when the event occurred in the
                     format hh:mm:ss.
log_id=(93000)       A five-digit unique identification number. The number represents
                     that log message and is unique to that log message. This
                     five-digit number helps to identify the log message.
type=(webfilter)     The section of system where the event occurred. There are
                     eleven log types in FortiOS 4.0.
subtype=(urlfilter)  The subtype of the log message. This represents a policy applied
                     to the FortiGate feature in the firewall policy.
pri=(debug)          The severity level of the event. There are six severity levels to
                     specify.
msg=("found in       Explains the activity or event that the FortiGate unit recorded.
cache")
The web-based manager is not the only place to view log messages. You can also view
log messages from the CLI. For more information about viewing log messages, see
“Viewing log messages and archives” on page 46.
Log files
Each log message that is recorded by the FortiGate unit is put into a log file. The log file
contains the log messages that belong to that log type, for example, traffic log messages
are put in the traffic log file.
When downloading the log file from Log&Report > Log Access, the file name indicates
the log type and the device on which it is stored. This name is in the format
<logtype>log<logdevice_logtype>.log. For example, tlog0100.log. The log device and log
type parts are in numerical format. In the example, tlog0100.log, 01 indicates that the
traffic log file was stored on the unit’s local hard drive and 00 indicates that it is a traffic
log file.
The log devices that are indicated in a log file’s name are as follows:
• 00 – indicates that the logs are stored on memory
• 01 – indicates that the logs are stored on the unit’s local hard drive
• 02 – indicates that the logs are stored on a FortiAnalyzer unit
• 04 – indicates that the logs are stored on the FortiGuard Analytics server
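The following is an added example, not code from the handbook or from Fortinet: it parses a raw FortiGate log line into its header and body fields (both the local-disk form, which starts with a bare date and time, and the FortiAnalyzer form shown above), applies the "at and above the selected severity level" rule from Table 1, and decodes a downloaded log file name using the device codes listed above. The sample log line is the handbook's DLP message reassembled into one line; the header field set and the single log type code are taken from what this page shows.

```python
import re
from typing import Dict, Tuple

# Severity levels from Table 1; the pri field spells level 5 as "notice".
# Debug is the lowest level and sits below the six levels in the table.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "notification": 5,
    "information": 6, "debug": 7,
}

# Fields the handbook shows in the log header (local-disk and FortiAnalyzer forms);
# every other field belongs to the log body.
HEADER_FIELDS = {"itime", "date", "time", "devname", "device_id",
                 "log_id", "type", "subtype", "pri", "vd"}

# Log device codes from the file name convention <logtype>log<device><type>.log.
LOG_DEVICES = {"00": "memory", "01": "local hard drive",
               "02": "FortiAnalyzer unit", "04": "FortiGuard Analytics server"}
LOG_TYPE_CODES = {"00": "traffic"}   # only the code the tlog0100.log example gives

# Constructed sample: the handbook's DLP log message, reassembled into one raw line.
SAMPLE_DLP_LOG = (
    '2011-01-08 12:55:06 log_id=24577 type=dlp subtype=dlp pri=notice vd=root '
    'policyid=1 identidx=0 serial=73855 src="10.10.10.1" sport=1190 '
    'src_port=1190 srcint=internal dst="192.168.1.122" dport=80 '
    'dst_port=80 dst_int="wan1" service="https" status="detected" '
    'hostname="example.com" url="/image/trees_pine_forest/" '
    'msg="data leak detected(Data Leak Prevention Rule matched)" '
    'rulename="All-HTTP" action="log-only" severity=1'
)

# key=value pairs: a double-quoted value may contain spaces and parentheses,
# an unquoted value runs to the next whitespace.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_DISK_PREFIX_RE = re.compile(r'(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) ')


def parse_raw_log(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a raw FortiGate log line into (header, body) field dictionaries."""
    header: Dict[str, str] = {}
    body: Dict[str, str] = {}
    # Logs read from the unit's disk start with a bare "YYYY-MM-DD HH:MM:SS";
    # the FortiAnalyzer form carries date= and time= as ordinary fields instead.
    m = _DISK_PREFIX_RE.match(line)
    if m:
        header["date"], header["time"] = m.group(1), m.group(2)
        line = line[m.end():]
    for key, quoted, bare in _FIELD_RE.findall(line):
        target = header if key in HEADER_FIELDS else body
        target[key] = bare if bare else quoted
    return header, body


def is_recorded(message_pri: str, configured_level: str) -> bool:
    """True if a message at message_pri is logged when the logging location is set
    to configured_level: the unit logs messages at and above the selected level
    (a lower number is more severe)."""
    return SEVERITY[message_pri.lower()] <= SEVERITY[configured_level.lower()]


def decode_log_filename(name: str) -> Dict[str, str]:
    """Decode a downloaded log file name such as tlog0100.log."""
    m = re.fullmatch(r'([a-z])log(\d{2})(\d{2})\.log', name)
    if not m:
        raise ValueError(f"not a FortiGate log file name: {name}")
    prefix, device_code, type_code = m.groups()
    return {
        "prefix": prefix,
        "device": LOG_DEVICES.get(device_code, f"unknown device code {device_code}"),
        "log_type": LOG_TYPE_CODES.get(type_code, f"log type code {type_code}"),
    }


if __name__ == "__main__":
    hdr, body = parse_raw_log(SAMPLE_DLP_LOG)
    print("header:", hdr)
    print("body msg:", body["msg"])
    print("alert recorded at level error?", is_recorded("alert", "error"))
    print(decode_log_filename("tlog0100.log"))
```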
The log type number that comes after the log device number in the log file’s name is as
follows:
SQL logging is enabled by default on models that support the local SQLite database,
and are running FortiOS 4.0 MR3 or higher.
If you have disabled SQL logging and have factory defaults on the FortiGate unit, and
then upgrade, the upgrade will not automatically enable SQL logging.
If you are formatting a disk that contains more than just logs, all information on the disk
will be lost.
SQL overview
The syntax for SQL queries is based on the SQLite3 syntax (see
http://www.sqlite.org/lang.html for more information).
There is an additional convenience macro, F_TIMESTAMP, that allows you to easily
specify a time interval for the query. It takes this form:
F_TIMESTAMP(base_timestring, unit, relative value). For example,
F_TIMESTAMP('now','hour','-23') means “last 24 hours” or that the hour in the
timestamp is 23 less than now. The FortiGate unit will automatically translate the macro
into SQLite3 syntax.
You can use the following CLI commands to write SQL statements to query the SQLite
database.
config report dataset
edit <dataset_name>
set query <sql_statement>
next
end
For more information about specific examples that are used in creating custom datasets,
see the “SQLite statement examples” on page 18.
CLI commands
config report dataset
edit "appctrl.Dist.Type.last24h"
set query "select app_type, count(*) as totalnum from
app_control_log where timestamp >=
F_TIMESTAMP('now','hour','-23') and (app_type is not null
and app_type!='N/A') group by app_type order by totalnum
desc"
next
CLI commands
config report dataset
edit "appctrl.Count.Bandwidth.Top10.Apps.last24h"
set query "select (timestamp-timestamp%3600) as hourstamp,
(CASE WHEN app!=\'N/A\' and app!=\'\' then app ELSE service
END) as appname, sum(sent+rcvd) as bandwidth from
traffic_log where timestamp >=
F_TIMESTAMP(\'now\',\'hour\',\'-23\') and (appname in
(select (CASE WHEN app!=\'N/A\' and app!=\'\' then app ELSE
service END) as appname from traffic_log where timestamp >=
F_TIMESTAMP(\'now\',\'hour\',\'-23\') group by appname
order by sum(sent+rcvd) desc limit 10)) group by hourstamp,
appname order by hourstamp desc"
next
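The following is an added example, not from the handbook or from Fortinet, that runs the appctrl.Dist.Type.last24h dataset query above against a constructed in-memory SQLite table shaped like app_control_log. The handbook only says the unit translates F_TIMESTAMP into SQLite3 syntax without showing the result, so the expansion into strftime('%s', base, 'N units') is an assumption made here; the table columns and sample rows are constructed for the example.

```python
import re
import sqlite3
import time
from typing import List, Tuple

# Assumption (the handbook does not show the translation): expand
# F_TIMESTAMP(base, unit, rel) into CAST(strftime('%s', base, 'rel units') AS INTEGER),
# so F_TIMESTAMP('now','hour','-23') becomes the Unix time 23 hours before now.
_MACRO_RE = re.compile(r"F_TIMESTAMP\('([^']+)','([^']+)','(-?\d+)'\)")


def expand_f_timestamp(sql: str) -> str:
    """Rewrite every F_TIMESTAMP(...) macro in a dataset query into plain SQLite3."""
    def repl(m):
        base, unit, rel = m.groups()
        return f"CAST(strftime('%s','{base}','{rel} {unit}s') AS INTEGER)"
    return _MACRO_RE.sub(repl, sql)


# The appctrl.Dist.Type.last24h dataset query from the handbook, unescaped.
APPCTRL_DIST_TYPE_QUERY = (
    "select app_type, count(*) as totalnum from app_control_log "
    "where timestamp >= F_TIMESTAMP('now','hour','-23') "
    "and (app_type is not null and app_type!='N/A') "
    "group by app_type order by totalnum desc"
)


def build_sample_db(now: int) -> sqlite3.Connection:
    """Constructed in-memory stand-in for the unit's app_control_log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table app_control_log (timestamp integer, app_type text, app text)")
    hour = 3600
    rows = [
        (now - 1 * hour, "P2P", "BitTorrent"),
        (now - 2 * hour, "P2P", "eMule"),
        (now - 5 * hour, "P2P", "BitTorrent"),
        (now - 3 * hour, "IM", "Skype"),
        (now - 30 * hour, "IM", "Skype"),     # older than 24 hours: excluded by the macro
        (now - 4 * hour, "N/A", "unknown"),   # excluded by app_type!='N/A'
        (now - 6 * hour, None, "unknown"),    # excluded by app_type is not null
    ]
    conn.executemany("insert into app_control_log values (?,?,?)", rows)
    return conn


def run_dataset(conn: sqlite3.Connection, query: str) -> List[Tuple[str, int]]:
    """Expand the macro and run the dataset query, returning (app_type, totalnum) rows."""
    return [(row[0], row[1]) for row in conn.execute(expand_f_timestamp(query))]


def app_type_distribution_last24h() -> List[Tuple[str, int]]:
    conn = build_sample_db(int(time.time()))
    try:
        return run_dataset(conn, APPCTRL_DIST_TYPE_QUERY)
    finally:
        conn.close()


if __name__ == "__main__":
    print(expand_f_timestamp("F_TIMESTAMP('now','hour','-23')"))
    for app_type, total in app_type_distribution_last24h():
        print(f"{app_type}: {total}")
```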
Connection problems
If well formed queries do not produce results, and logging is turned on for the log type,
there may be a database configuration problem with the remote database.
Ensure that:
• MySQL is running and using the default port 3306.
• You have created an empty database and a user who has read/write permissions for
the database.
Here is an example of creating a new MySQL database named fazlogs, and adding a
user for the database:
# mysql -u root -p
mysql> CREATE DATABASE fazlogs;
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'%'
IDENTIFIED BY 'fazpassword';
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO
'fazlogger'@'localhost' IDENTIFIED BY 'fazpassword';
Figure 1: Example of an SQL database error message that appears after logging in
to the web-based manager
The error message indicates that the SQL database is corrupted and cannot be updated
with the SQL schemas any more. When you see this error message, you can do one of
the following:
• select Cancel and back up all log files; then select Rebuild to rebuild the database
• select Rebuild only after verifying that all log files are backed up to a safe location.
When you select Cancel, no logging is recorded by the FortiGate unit regardless of the
log settings that are configured on the unit. When you select Rebuild, all logs are lost
because the SQL database is erased and then rebuilt again. Logging resumes after the
SQL database is rebuilt.
If you want to view the database’s errors, use the diag debug sqldb-error-read
command in the CLI. This command indicates exactly what errors occurred, and what
tables contain those errors.
Log files are backed up using the execute log backup {alllogs | logs}
command in the CLI. You must use the text variable when backing up log files because
the text variable allows you to view the log files outside the FortiGate unit. When you
back up log files, you are really just copying the log files from the database to a specified
location, such as a TFTP server.
Log devices
The FortiGate unit supports a variety of logging devices, including the FortiGuard
Analysis and Management Service. This provides great flexibility when choosing a log
device for the first time, as well as when logging requirements change.
This section explains how to configure your chosen log device, as well as how to
configure multiple FortiAnalyzer units or Syslog servers. This section also includes how to
log to a FortiGuard Analysis server, which is available if you subscribed to the FortiGuard
Analysis and Management Service.
The following topics are included in this section:
• Choosing a log device
• Example: Setting up a log device and backup solution
• Configuring the FortiGate unit to store logs on a log device
• Troubleshooting issues
• Testing FortiAnalyzer and FortiGuard Analysis server connections
• Connecting to a FortiAnalyzer unit using Automatic Discovery
• Uploading logs to a FortiAnalyzer or a FortiGuard Analysis server
You may need to reschedule uploading or rolling of log files because the size of log files
is reduced in FortiOS 4.0 MR1 and higher. Reduction in size provides more storage room
for larger amounts of log files on log devices.
If you are formatting a disk that contains more than just logs, all information on the disk
will be lost.
Figure: Example network topology. Internal Network; FortiGate; FortiAnalyzer
(172.16.120.154); Syslog_1 (192.168.16.121); Syslog_2 (192.168.17.121); Syslog_3
(192.168.18.121).
If you experience issues, see “Troubleshooting issues” on page 34. This topic may not
contain all the information you may need when troubleshooting a logging issue; if the
topic cannot help you, see the Troubleshooting chapter in the FortiOS Handbook.
When a hard disk is not present on a FortiGate unit, real-time logging is enabled by
default. Real-time logging is recording activity as it happens.
When logging to the unit’s hard disk, you must also enable SQL logging, which is enabled
only in the CLI. For more information, see “Enabling SQL logging” on page 44.
You must include a storage location, or logs will not be recorded. If your FortiGate unit
has an SQLite log database, you must enable SQL logging as well. For more information
about how to configure SQL logging, see “Enabling SQL logging” on page 44.
If you have disabled SQL logging and have factory defaults on the FortiGate unit, and
then upgrade, the upgrade will not automatically enable SQL logging.
If you are using the FortiGate and FortiAnalyzer-VM images, and these are evaluation
software, you will only be able to use low encryption.
The following procedure assumes that you have only one FortiAnalyzer unit to configure.
If you are configuring more than one FortiAnalyzer unit, you must configure the other
units in the CLI. Use the procedures in “Logging to multiple FortiAnalyzer units or Syslog
servers” on page 38 to configure multiple FortiAnalyzer units.
If you want to connect to a FortiAnalyzer unit using automatic discovery, see “Connecting
to a FortiAnalyzer unit using Automatic Discovery” on page 41. If you are going to
connect to the FortiAnalyzer using the automatic discovery feature, see “Connecting to a
FortiAnalyzer unit using Automatic Discovery” on page 36.
Example
This example shows how to enable logging to and set an IP address for a remote NetIQ
WebTrends server.
config log webtrends settings
set status enable
set server 172.25.82.145
end
Troubleshooting issues
From time to time, issues may arise because of connectivity problems or because logging
has stopped altogether. The following provides information on troubleshooting these
issues.
The FortiGate unit searches within the same subnet for a response from any available
FortiAnalyzer units.
Logs
Logs record FortiGate activity, providing detailed information about what is happening on
your network. This recorded activity is found in log files, which are stored on a log device.
However, logging FortiGate activity requires configuring certain settings so that the
FortiGate unit can record the activity. These settings are often referred to as log settings,
and are found in most UTM features, such as profiles, and include the event log settings,
found on the Event Log page.
Log settings provide the information that the FortiGate unit needs so that it knows what
activities to record. This topic explains what activity each log file records, as well as
additional information about the log file, which will help you determine what FortiGate
activity the FortiGate unit should record.
This topic includes the following:
• Traffic
• Event
• Data Leak Prevention
• Application control
• Antivirus
• Web Filter
• IPS (attack)
• Packet logs
• Email filter
• Archives (DLP)
• Network scan
Traffic
Traffic logs record the traffic that is flowing through your FortiGate unit. Since traffic
needs firewall policies to properly flow through the unit, this type of logging is also
referred to as firewall policy logging. Firewall policies control all traffic that attempts to
pass through the FortiGate unit, between FortiGate interfaces, zones and VLAN sub-
interfaces.
Logging traffic works in the following way:
• firewall policy has logging enabled on it (Log Allowed Traffic or Log Violation Traffic)
• packet comes into an inbound interface
• a possible log packet is sent regarding a match in the firewall policy, such as URL filter
• traffic log packet is sent, per firewall policy
• packet passes and is sent out an interface
Traffic log messages are stored in the traffic log file. Traffic logs can be stored on any log
device, even system memory.
If you have enabled and configured WAN Optimization, you can enable logging of this
activity in the CLI using the config wanopt setting command. These logs contain
information about WAN Optimization activity and are found in the traffic log file. When
configuring logging of this activity, you must also enable logging within the security policy
itself, so that the activity is properly recorded.
Other Traffic
The traffic log also records interface traffic logging, which is referred to as other traffic.
Other traffic is enabled only in the CLI. When enabled, the FortiGate unit records traffic
activity on interfaces as well as firewall policies. Logging other traffic puts a significant
system load on the FortiGate unit and should be used only when necessary.
Logging other traffic works in the following way:
• firewall policy has logging enabled on it (Log Allowed Traffic or Log Violation Traffic)
and other-traffic
• packet comes into an interface
• interface log packet is sent to the traffic log that is enabled on that particular interface
• possible log packet is sent regarding a match in the firewall policy, such as URL filter
• interface log packet is sent to the traffic log if enabled on that particular interface
• packet passes and is sent out an interface
• interface log packet is sent to traffic (if enabled) on that particular interface
Event
The event log records administration management as well as FortiGate system activity,
such as when a configuration has changed, admin login, or high availability (HA) events
occur. Event logs are an important log file to record because they record FortiGate
system activity, which provides valuable information about how your FortiGate unit is
performing.
Event logs help you in the following ways:
• keep track of configuration setting changes
• IPsec negotiation, SSL VPN and tunnel activity
• quarantine events, such as banned users
• system performance
• HA events and alerts
• firewall authentication events
• wireless events on models with WiFi capabilities
• activities concerning modem and internet protocols L2TP, PPP and PPPoE
• VIP activities
• AMC disk’s bypass mode
• VoIP activities that include SIP and SCCP protocols.
The FortiGate unit records event logs only when events are enabled.
NAC Quarantine
Within the DLP sensor, there is an option for enabling NAC Quarantine. The NAC
Quarantine option allows the FortiGate unit to record details of DLP operation that involve
the ban and quarantine actions, and sends these to the event log file. The NAC
Quarantine option must also be enabled within the Event Log settings. When enabling
NAC quarantine within a DLP Sensor, you must enable this in the CLI because it is a CLI-
only command.
Application control
Application control logs provide detailed information about the traffic that an application
is generating, such as Skype. The application control feature controls the flow of traffic
from a specific application, and the FortiGate unit examines this traffic for signatures that
the application generates.
The log messages that are recorded provide information such as the type of application
being used (for example P2P software), and what type of action the FortiGate unit took.
These log messages can also help you to determine the top ten applications that are
being used on your network. This feature is called application control monitoring and you
can view the information from a widget on the Executive Summary page.
The application control list that is used must have Enabled Logging selected within the
list, as well as logging enabled within each application entry. Each application entry can
also have packet logging enabled. Packet logging for application control records the
packet when an application type is identified, similar to IPS packet logging.
Logging of application control activity can only be recorded when an application control
list is applied to a firewall policy, regardless of whether or not logging is enabled within
the application control list.
Antivirus
Antivirus logs are recorded when, during the antivirus scanning process, the FortiGate
unit finds a match within the antivirus profile, which includes the presence of a virus or
grayware signature. Antivirus logs provide a way to understand what viruses are trying to
get in, as well as additional information about the virus itself, without having to go to the
FortiGuard Center and do a search for the detected virus. The link is provided within the
log message itself.
These logs provide valuable information about:
• name of the detected virus
• name of the oversized file or infected file
• action the FortiGate unit took, for example, a file was blocked
• URL link to the FortiGuard Center which gives detailed information about the virus
itself
The antivirus profile must have log settings enabled within it so that the FortiGate unit can
record this activity, as well as having the antivirus profile applied to a firewall policy.
Web Filter
Web filter logs record HTTP traffic activity. These log messages provide valuable and
detailed information about this particular traffic activity on your network. Web filtering
activity is important to log because it can inform you about:
• what types of web sites employees are accessing
• whether users try to access a banned web site and how often this occurs
• network congestion due to employees accessing the Internet at the same time
• web-based threats encountered when users surf non-business-related web sites
Web Filter logs are an effective tool to help you determine if you need to update your web
filtering settings within a web filter profile due to unforeseen web-based threats, or
network congestion. These logs also inform you about web filtering quotas that were
configured for filtering HTTP traffic as well.
You must configure log settings within the web filter profile as well as apply it to a firewall
policy so that the FortiGate unit can record web filter logs.
IPS (attack)
IPS logs, also referred to as attack logs, record attacks that occurred against your
network. Attack logs contain detailed information about whether the FortiGate unit
protected the network using anomaly-based defense settings or signature-based
defense settings, as well as what the attack was.
The IPS or attack log file is especially useful because the log messages that are recorded
contain a link to the FortiGuard Center, where you can find more information about the
attack. This is similar to antivirus logs, where a link to the FortiGuard Center is provided
as well and informs you of the virus that was detected by the FortiGate unit.
An IPS sensor with log settings enabled must be applied to a firewall policy so that the
FortiGate unit can record the activity.
Packet logs
When you enable packet logging within an IPS signature override or filter, the FortiGate
unit examines network packets, and if a match is found, saves them to the attack log.
Packet logging is designed to be used as a diagnostic tool that can focus on a narrow
scope of diagnostics, rather than a log that informs you of what is occurring on your
network.
You should use caution when enabling packet logging, especially within IPS filters. Filter
configuration that contains thousands of signatures could potentially cause a flood of
saved packets, which would take up a lot of storage space on the log device. This would
also take a great deal of time to sort through all the log messages, as well as consume
considerable system resources to process.
You can archive packets, however, you must enable this option on the Log Setting page.
If your log configuration includes multiple FortiAnalyzer units, packet logs are only sent to
the primary, or first FortiAnalyzer unit. Sending packet logs to the other FortiAnalyzer
units is not supported.
Email filter
Email filter logs, also referred to as spam filter logs, record information about the
content of email messages. For example, a match within an email filter profile identifies
the email message as spam.
Email filter logs are recorded when the FortiGate unit finds a match within the email filter
profile and logging settings are enabled within the profile.
Archives (DLP)
Recording DLP logs for network use is called DLP archiving. The DLP engine examines
email, FTP, IM, NNTP, and web traffic. Archived logs are usually saved for historical use
and can be accessed at any time. IPS packet logs can also be archived, within the Log
Settings page.
You can use the two default DLP sensors that were configured specifically for archiving
log data, Content_Archive and Content_Summary. They are available in UTM > Data Leak
Prevention > Sensor. Content_Archive provides full content archiving, while
Content_Summary provides summary archiving. For more information about how to
configure DLP sensors, see the UTM chapter of the FortiOS Handbook.
You must enable the archiving to record log archives. Logs are not archived unless
enabled, regardless of whether or not the DLP sensor for archiving is applied to the
firewall policy.
Network scan
Network scan logs are recorded when a scheduled scan of the network occurs. These log
messages provide detailed information about software vulnerabilities on the network, as
well as about the discovery of any vulnerabilities.
A scheduled scan must be configured, as well as logging enabled within the Event Log
settings, for the FortiGate unit to record these log messages.
You need to set the logging severity level to Notification when configuring a logging
location to record traffic log messages.
When you are logged in to VDOMs, certain options may not be available, such as VIP ssl
event or CPU and memory usage events. You can enable event logs only when you are
logged in to a VDOM; you cannot enable event logs in the root VDOM.
4 Select Apply.
5 Select OK.
If the FortiGate unit is running FortiOS 4.0 MR2 or lower, when viewing log messages in
the Raw format in Memory, the ten-digit log ID number is used; however, when viewing
the same log messages, in Raw format, in Disk, the five-digit log ID number is used
(except for traffic logs which have only one-digit log IDs). This five-digit log identification
number is used because of log size reduction that occurred in FortiOS 4.0 MR1.
Quarantine
Within the Log & Archive Access menu, you can view detailed information about each
quarantined file. The information can either be sorted or filtered, depending on what you
want to view.
You must enable quarantine settings within an antivirus profile and the destination must
be configured in the CLI using the config antivirus quarantine command. The
destination can be either a FortiAnalyzer unit or local disk.
Sort the files by file name, date, service, status, duplicate count (DC), or time to live (TTL).
Filter the list to view only quarantined files with a specific status or from a specific
service.
On Log&Report > Log & Archive Access > Quarantine, the file quarantine list displays the
following information about each quarantined file.
Quarantine page
Lists all files that are considered quarantined by the unit. On this page you can filter
information so that only specific files are displayed on the page.
Source: Either FortiAnalyzer or Local disk, depending on where you configure quarantined
files to be stored.
Sort by: Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate
Count. Select Apply to complete the sort.
Filter: Filter the list. Choose either Status (infected, blocked, or heuristics) or Service
(IMAP, POP3, SMTP, FTP, HTTP, IM, or NNTP). Select Apply to complete the filtering.
Heuristics mode is configurable through the CLI only. If your unit supports SSL content
scanning and inspection, Service can also be IMAPS, POP3S, SMTPS, or HTTPS. For
more information, see the UTM chapter of the FortiOS Handbook.
Apply: Select to apply the sorting and filtering selections to the list of quarantined files.
Delete: Select to delete the selected files.
Page Controls: Use the controls to page through the list.
Remove All Entries: Removes all quarantined files from the local hard disk. This icon only
appears when the files are quarantined to the hard disk.
File Name: The file name of the quarantined file.
Date: The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. This
value indicates the time that the first file was quarantined if duplicates are quarantined.
Service: The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP,
IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS).
Status: The reason the file was quarantined: infected, heuristics, or blocked.
Status Description: Specific information related to the status, for example, "File is
infected with "W32/Klez.h"" or "File was stopped by file block pattern."
DC: Duplicate count. A count of how many duplicates of the same file were quarantined. A
rapidly increasing number can indicate a virus outbreak.
TTL: Time to live in the format hh:mm. When the TTL elapses, the Fortinet unit labels the
file as EXP under the TTL heading. In the case of duplicate files, each duplicate found
refreshes the TTL. The TTL information is not available if the files are quarantined on a
FortiAnalyzer unit.
Upload status: Y indicates the file has been uploaded to Fortinet for analysis, N indicates
the file has not been uploaded. This option is available only if the Fortinet unit has a local
hard disk.
Download: Select to download the corresponding file in its original format. This option is
available only if the Fortinet unit has a local hard disk.
Submit: Select to upload a suspicious file to Fortinet for analysis. This option is available
only if the Fortinet unit has a local hard disk.
4 To close the table, select the arrow beside Detailed Information and then select
Hidden.
5 To view the next log message from the table, use your keyboard’s up and down
arrows, or select the next log message row.
6 To view the log table at the right side of the page, select the arrow beside Detailed
Information and then select On Right.
3 In the Show these fields in this order, remove each of the following by selecting the
column name and then using the <- arrow:
• Message
• Date
• Time
4 Select OK.
5 Select Filter Settings.
6 In Filters, select Add new filter.
7 In the Field drop-down list, select UTM (type), and in UTM Type, select Application
Control and use the -> arrow to move it to the other column.
8 Select Add new filter.
9 In the Field drop-down list, select Src, enter 10.10.10.1 in the field and then select the
check box beside NOT.
10 Select OK.
The FortiGate unit currently does not support SSL/TLS connections with email servers,
for example, Gmail. You must use an SMTP server that does not need an SSL/TLS
connection.
Interval Time (1-9999 minutes): Enter the minimum time interval between consecutive
alert emails. Use this to rate-limit the volume of alert emails.
Intrusion detected: Select if you require an alert email message based on attempted
intrusion detection.
Virus detected: Select if you require an alert email message based on virus detection.
Web access blocked: Select if you require an alert email message based on blocked web
sites that were accessed.
HA status changes: Select if you require an alert email message based on HA status
changes.
Violation traffic detected: Select if you require an alert email message based on violation
traffic that is detected by the Fortinet unit.
Firewall authentication failure: Select if you require an alert email message based on
firewall authentication failures.
SSL VPN login failure: Select if you require an alert email message based on any SSL VPN
logins that failed.
Administrator login/logout: Select if you require an alert email message based on whether
administrators log in or out.
IPSec tunnel errors: Select if you require an alert email message based on whether there
is an error in the IPSec tunnel configuration.
L2TP/PPTP/PPPoE errors: Select if you require an alert email message based on errors
that occurred in L2TP, PPTP, or PPPoE.
Configuration changes: Select if you require an alert email message based on any changes
made to the FortiGate configuration.
FortiGuard license expiry time (1-100 days): Enter the number of days before the
FortiGuard license expiry time notification is sent.
Disk usage (1-99%): Enter a number for the disk usage threshold, in percent.
FortiGuard log quota usage: Select if you require an alert email message based on the
FortiGuard Analysis server log disk quota getting full.
7 Select Apply.
The default minimum log severity level is Alert. If the FortiGate unit collects more than
one log message before an interval is reached, the Fortinet unit combines the messages
and sends out one alert email.
If you have configured FortiGate system memory as your log device, logging alert email
notifications for FortiGuard license expiry requires you to enable event and admin in the
log memory filter command. Use the following procedure when you want to log this event
and if your log device is system memory. If you have enabled system memory on a
FortiGate unit that has a local disk, you do not have to use the following procedure.
All other log devices, including the FortiGate unit’s local disk, log alert messages by
default. You can find the alert email logs within the event-system log file.
The log messages occur within a given time, and indicate that the units within the cluster
are not aware of each other anymore. These log messages provide the information you
need to fix the problem.
How to use log messages to help verify settings and for testing
purposes
You can use log messages to verify settings, as well as to test connections. The following
examples explain various situations in which log messages can be used to verify settings
within a feature and for testing purposes.
Both these log messages indicate that the scan discovered two separate service-
detection events.
2011-04-05 13:34:31 log_id=4100 type=netscan subtype=discovery
pri=notice vd=root action=service-detection ip=10.10.20.3
service=microsoft-ds proto=tcp prot=445
Using diag log test to verify logs are sent to a log device
After setting up a log device, you may want to verify that everything is working properly,
including sending of logs to the log device. The diag log test command is used to create
various test logs.
diag log test
The command can also be used when a Syslog server is not receiving certain logs. When
the command is entered in the CLI, an output similar to the following appears below the
line:
generating a system event message with level - warning
generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an attack detection message with level - warning
generating an application control IM message with level - information
generating an antispam message with level - notification
generating an allowed traffic message with level - notice
generating a wanopt traffic log message with level - notification
generating a HA event message with level - warning
generating netscan log messages with level - notice
generating a VOIP event message with level - information
generating authentication event messages
These log messages can be viewed from the Log Access menu. The following is a test
log message that may be generated and recorded by the FortiGate unit. It is shown as it
would be displayed in Raw format in system memory.
2011-08-10 09:34:22 log_id=0508020480 type=emailfilter
subtype=smtp pri=notice policyid=12345 identidx=67890 serial=312
user="user" group="group" vd="root" src=1.1.1.1 sport=2560
src_port=2560 src_int="lo" dst=2.2.2.2 dport=5120 dst_port=5120
dst_int="eth0" service=mm1 carrier_ep="carrier endpoint"
profile="N/A" profilegroup="N/A" profiletype="N/A" status=detected
from="from@xxx.com" to="to@xxx.com" tracker="Tracker"
msg="SpamEmail"
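As an added example that is not part of the handbook, the following parser reads raw-format lines such as the netscan and emailfilter messages above into field dictionaries and counts messages by type, which is a quick way to check which of the diag log test messages actually reached a syslog server. The tokenizer is this example's own code, not a Fortinet API, and the sample lines are copied from the messages quoted in this chapter.

```python
"""Parse FortiOS raw-format log messages (space-separated key=value pairs).

Added example, not part of the FortiOS Handbook.  The sample lines are the
netscan and emailfilter messages quoted in the text, with line breaks removed.
"""
import re
from typing import Dict, Iterable

# One token: key= followed by a quoted value (straight or curly quotes, since
# the handbook text renders them as curly) or a run of non-space characters.
_TOKEN = re.compile(r'(\w+)=(?:["“”](.*?)["“”]|(\S+))')
_TIMESTAMP = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+')

# Constructed from the messages quoted in the handbook.
NETSCAN_SAMPLE = (
    "2011-04-05 13:34:31 log_id=4100 type=netscan subtype=discovery "
    "pri=notice vd=root action=service-detection ip=10.10.20.3 "
    "service=microsoft-ds proto=tcp prot=445"
)
EMAILFILTER_SAMPLE = (
    "2011-08-10 09:34:22 log_id=0508020480 type=emailfilter "
    "subtype=smtp pri=notice policyid=12345 identidx=67890 serial=312 "
    'user="user" group="group" vd="root" src=1.1.1.1 sport=2560 '
    'src_port=2560 src_int="lo" dst=2.2.2.2 dport=5120 dst_port=5120 '
    'dst_int="eth0" service=mm1 carrier_ep="carrier endpoint" '
    'profile="N/A" profilegroup="N/A" profiletype="N/A" status=detected '
    'from="from@xxx.com" to="to@xxx.com" tracker="Tracker" '
    'msg="SpamEmail"'
)


def parse_raw_log(line: str) -> Dict[str, str]:
    """Return the fields of one raw-format log line as a dict.

    The leading "YYYY-MM-DD HH:MM:SS" prefix shown in Raw format in system
    memory is stored under 'timestamp'.  Quoted values may contain spaces,
    e.g. carrier_ep="carrier endpoint", so they are matched before bare words.
    """
    fields: Dict[str, str] = {}
    rest = line.strip()
    m = _TIMESTAMP.match(rest)
    if m:
        fields["timestamp"] = m.group(1)
        rest = rest[m.end():]
    for key, quoted, bare in _TOKEN.findall(rest):
        # findall yields '' for the alternative that did not match.
        fields[key] = quoted if quoted != "" else bare
    return fields


def count_by_type(lines: Iterable[str]) -> Dict[str, int]:
    """Count received messages per log type (netscan, emailfilter, ...).

    Comparing this against the list printed by diag log test shows which
    log types the receiving device did not get.
    """
    counts: Dict[str, int] = {}
    for line in lines:
        log_type = parse_raw_log(line).get("type", "unknown")
        counts[log_type] = counts.get(log_type, 0) + 1
    return counts


if __name__ == "__main__":
    for name, value in parse_raw_log(EMAILFILTER_SAMPLE).items():
        print(f"{name}={value}")
    print(count_by_type([NETSCAN_SAMPLE, EMAILFILTER_SAMPLE, NETSCAN_SAMPLE]))
```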
Reports
Reports provide a way to analyze log data without manually going through a large
amount of logs to get to the information you need. This section explains how to configure
a FortiOS report and how to modify the existing default FortiOS UTM report. The FortiOS
default UTM report is a report that gathers UTM activity information and compiles it into a
report. This section also explains how to view these reports.
The following topics are included in this section:
• FortiOS reports
• Configuring a FortiOS report
• Viewing reports
You can only configure reports if the FortiGate unit has a hard disk and SQL logging is
enabled.
Configuring reports from other log devices, such as a Syslog server, are not supported.
If you want to configure a report from logs stored on a FortiAnalyzer unit, you must go
directly to the FortiAnalyzer unit itself; starting in FortiOS 4.0 MR3, support for
configuring a FortiAnalyzer schedule is no longer available.
From FortiOS 4.0 MR3 and onward, executive summary reports are no longer supported
and existing summary reports are not carried forward.
FortiOS reports
Reports provide a clear, concise overview of what is happening on your network based
on log data, without manually going through large amounts of logs. Reports can be
configured on a FortiGate unit or a FortiAnalyzer unit. However, in this document only
FortiOS reports are explained. FortiOS reports are the reports that are generated on the
FortiGate unit. FortiAnalyzer reports are configured on a FortiAnalyzer unit and for
information about those reports, see the FortiAnalyzer Administration Guide.
FortiOS reports are configured from logs stored on the FortiGate unit’s hard drive. These
reports, generated by the FortiGate unit itself, provide a central location for both
configuring and generating reports. A default FortiOS report, called the FortiGate UTM
Daily Activity Report, is available for you to modify to your requirements. The default
report provides a way to quickly and easily set up your own report from within the web-
based manager. The default FortiOS report is a report that compiles UTM activity from
various UTM-related logs, such as virus and attack logs.
FortiOS reports consist of multiple parts, whether it is the default FortiOS report or a
report that you have configured from scratch; these parts are configured separately and
added to the layout. The parts of a FortiOS report are:
• charts (including datasets within the charts themselves)
• themes (including styles which are within the themes themselves)
• images
• layout
Charts are used to display the log information in a clear and concise way using graphs
and tables. Charts contain datasets, which are SQLite queries and help the FortiGate unit
to add specific log information into the chart using the log information that is stored in the
SQLite database on the local hard disk. If you want to configure a chart, you must
configure the dataset first. Datasets are required for each chart, and if there is no dataset
included in a chart, the chart will not be saved.
Themes provide a one-step style application for report layouts. Themes contain various
styles, including styles for the table of contents, headings, headers and footers, as well
as the margins of the report’s pages. Themes are applied to layouts. The styles that are
applied to themes are configured separately.
You can easily upload your company or organization’s logo to use within a report. By
uploading your company or organization’s logo and applying it to a report, you provide a
personalized report that is recognizable as your company or organization’s report. The
image must be in JPEG, JPG or PNG format.
Layouts provide a way to incorporate the charts, images, and themes that are configured
to create a formatted report. A layout is used as a template by the FortiGate unit to
compile and then generate the report.
You can reset the reports you have configured, as well as the default FortiOS report you
modified, to default settings. When you reset reports to default settings, any configured
reports that you created from scratch are lost. The execute report-config reset
command resets the reports to default settings. If you are going to reset the reports to
their default settings, you should back up the current configuration file before doing so, in
the event you want to revert back to the reports you previously created and/or modified.
You can only configure reports if the FortiGate unit has a hard disk and SQL logging is
enabled.
• VPN Usage
Each submenu is a page of the default FortiOS report. For example, Bandwidth and
Application Usage is the page in the report that contains information regarding bandwidth
usage for WAN Opt and web cache, as well as application usage. These pages can be
removed or modified, or new pages added, by selecting Options. This allows you to
configure when the report will be generated, whether it will include a table of contents,
and whether to add or remove a page from the layout. When you add a new page to the
layout, it becomes a submenu in Log&Report > Report Access.
Each page can be modified to suit your requirements for a default report, or removed.
You can also add pages to the report. Adding or removing pages is done by selecting
Options in Edit mode. The Edit mode allows you to modify the default report. The View
mode is the mode when you first access the pages, and when you are viewing the saved
changes to the default report.
The FortiOS default report contains information about the FortiGate unit in two text
boxes, one on the cover page and one as an appendix that comes at the end of the
generated report. The appendix is located in the VPN Usage page.
After generating a report, you can view it from the Historical Reports page by selecting
Historical Reports. You must be in View mode to view generated reports.
Example for creating a new default report from the existing default report
The following is an example of how to create a new default report from the existing
FortiOS default report. The new default report will be generated on a daily basis and
include only email activity information and application usage.
To configure email addresses and enable sending the report attached in an email
1 In the Report Options window, select the check box beside Email Generated Reports.
The Email Recipients table appears.
2 Select within the table below the title Add Email Recipient; the blinking cursor
appears, allowing you to enter the first email address.
3 Enter the first email address.
4 On your keyboard, press Enter to add another row so that you can add another email
address.
5 Repeat steps 2 to 4 until all email addresses are included.
6 Select OK to save the email addresses.
The following adds the charts and text to the Emails page in Log&Report > Report
Access > Emails.
To modify the information in the Email, Traffic and Application Usage page
1 Go to Log&Report > Report Access > Application Usage.
2 On the page, select Edit.
3 Remove the bandwidth usage information from the page.
This is done by moving your mouse over the top right-hand corner of a text box and
then selecting the red x that appears.
4 Go to Log&Report > Report Access > Traffic Usage.
5 In Text, (located in the right-hand pane of the page), drag H1 icon onto the page.
A text box appears.
6 Enter the chart heading’s name in the text box, Top Users By Bandwidth.
The heading style automatically configures for you as you type.
7 In Text, drag T icon onto the page.
The T icon allows you to enter sentences or phrases in a normal font style, with a
smaller font size than is available with H1 or H2.
8 Enter the following in the text box: The top users by bandwidth for today.
9 In Chart (located in the right-hand pane of the page), drag the bar chart onto the page.
The Chart Chooser window appears.
10 Select Traffic in the right-hand column, and then select traffic.bandwidth.user; select
OK to put the chart on the page.
11 Repeat steps 5 to 10 to add each of the following charts with a description of each
chart, to the page:
• traffic.sessions.app_cats
• traffic.sessions.users
• traffic.bandwith.users
• traffic.bandwith.app_cats
12 Select Save to save the current changes.
The following assumes that you are still editing the report. You will be configuring when
the FortiGate unit generates the default report as well as including a table of contents.
Configuring datasets
You must configure datasets because they are required when configuring a chart. You
can use the default datasets that are available when configuring a chart. Datasets require
knowledge of SQL because the logs are stored in an SQLite database. You can view the
SQLite schema using the get report database schema CLI command syntax.
If you are creating a chart from scratch, you must create a dataset for that chart. The
chart cannot be configured without a dataset.
Configuring themes
When you are configuring a layout for a report, you can also add a theme. A theme is a
group of settings that create the general style of a report. For example, the styles that are
applied to the table of contents section of the report. Themes are configured only in the
CLI.
You may want to configure your own styles for a theme, such as the type of alignment for
the text. Styles are configured within the CLI, and you can also customize the default
styles as well.
Use the following procedure to configure a theme for a report, which can then be applied
to a report’s layout.
Configuring styles
You can customize the default styles or create your own styles for reports. There are
default styles and summary styles to choose from. Default styles use a default style
scheme, and the summary styles are for summary reports that contain one or two pages
with a small graph or table.
Charts
Charts are used to display the log information in a clear and concise way using a graph.
The information for charts is gathered from the log tables in the SQLite database.
When you need to find information about a default chart or a chart that was created from
scratch you can use the get command in the following way.
config report chart
edit <chart_name>
get
The information that displays is similar to the following:
name: web.allowed-request.sites.user
policy: 0
type: graph
period: last7d
drill-down-chart: (null)
comments: (null)
dataset: web.allowed-request.sites.user
category: webfilter
favorite: no
graphy-type: bar
style: auto
dimension: 3D
x-series
caption: (null)
databind: field(1)
is-category: yes
label-angle: 45-degree
unit: (null)
y-series
caption: Requests
databind: field(2)
extra-y: disable
group: (null)
label-angle: horizontal
unit: (null)
title: Top Allowed Web Sites for User by Request
legend: enable
This information provides what the time period of the chart is, the title that will display for
that chart (in the example, title is Top Allowed Web Sites for User by Request),
as well as the dataset that is included with the chart. The chart may also include a
drill-down chart to be used in a HTML report, where you can view additional detailed
information. This is the same drill-down feature that is available in most monitoring
pages, such as in Log&Report > Monitor > Logging Monitor, where you select a bar on a
specific day and view the activity of each log type that was recorded.
When you need to view information about a dataset, as well as what log table is used to
gather that information, you can use the get command in the following way:
config report dataset
edit <dataset_name>
get
The information that displays is similar to the following:
name: appcrtl.Count.Bandwidth.Top10.Apps
policy: 0
query: select (timestampe-timestamp%3600) as hourstamp, (CASE
WHEN app!='N/A' and app!=' ' then app ELSE service END) as
appname, sum(sent+rcvd) as bandwidth from traffic_log where
timestamp between ###start_time### and ###end_time### and
(appname in (select (CASE WHEN app!='N/A' and app!='N/A' and
app!=' ' then app END ELSE service END) as appname from
traffic_log where timestamp between ###start_time### and
###end_time### group by appname order by sum(sent+rcvd) desc
limit 10)) group by hourstamp, appname order by hourstamp
desc field
In the example output, the from traffic_log clause of the query statement shows that the
information is gathered from the traffic log table.
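As an added example that is not Fortinet code, the following runs a dataset query of the same shape as the one above against a constructed SQLite traffic_log table, substituting the ###start_time### and ###end_time### placeholders the way the report engine does at generation time. The table columns (timestamp, app, service, sent, rcvd) and the sample rows are assumptions made for this example, not the real schema; the real schema is printed by the get report database schema CLI command.

```python
"""Run a FortiOS-style report dataset query against a SQLite traffic_log table.

Added example, not Fortinet code.  Dataset queries are SQLite SQL with
###start_time### and ###end_time### placeholders; the report engine fills them
in when the report is generated.  The query below is modeled on the
"top applications by bandwidth" dataset quoted in the handbook, with the typos
in the quoted output corrected.
"""
import sqlite3
from typing import List, Sequence, Tuple

# Constructed rows: (timestamp, app, service, sent, rcvd).  The column set is an
# assumption covering only what the query needs; it is not the real schema.
SAMPLE_TRAFFIC_LOG: Sequence[Tuple[int, str, str, int, int]] = [
    (1301990400, "HTTP.BROWSER", "HTTP", 1000, 9000),  # 2011-04-05 08:00 UTC
    (1301990500, "N/A",          "DNS",  100,  200),   # no app name: use service
    (1301994000, "HTTP.BROWSER", "HTTP", 500,  2500),  # 09:00 hour bucket
    (1301994100, " ",            "SSH",  300,  300),   # blank app: use service
    (1301994200, "Skype",        "TCP",  4000, 4000),
    (1302080400, "Skype",        "TCP",  1,    1),     # next day: outside window
]

# Same shape as the quoted dataset: bucket by hour, name the application
# (falling back to the service when app is 'N/A' or blank) and keep only the
# ten applications with the most bandwidth in the reporting period.
TOP_APPS_BY_BANDWIDTH = """
select (timestamp - timestamp % 3600) as hourstamp,
       (case when app != 'N/A' and app != ' ' then app else service end) as appname,
       sum(sent + rcvd) as bandwidth
  from traffic_log
 where timestamp between ###start_time### and ###end_time###
   and (case when app != 'N/A' and app != ' ' then app else service end) in (
         select (case when app != 'N/A' and app != ' ' then app else service end) as appname
           from traffic_log
          where timestamp between ###start_time### and ###end_time###
          group by appname
          order by sum(sent + rcvd) desc
          limit 10)
 group by hourstamp, appname
 order by hourstamp desc, bandwidth desc
"""


def fill_placeholders(query: str, start_time: int, end_time: int) -> str:
    """Substitute ###start_time### and ###end_time### as the report engine does."""
    return (query.replace("###start_time###", str(int(start_time)))
                 .replace("###end_time###", str(int(end_time))))


def run_dataset(query: str, start_time: int, end_time: int,
                rows: Sequence[Tuple[int, str, str, int, int]] = SAMPLE_TRAFFIC_LOG
                ) -> List[Tuple]:
    """Load the constructed traffic_log into an in-memory database and run one
    dataset query over the given period; returns (hourstamp, appname, bandwidth)."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute("create table traffic_log (timestamp integer, app text, "
                    "service text, sent integer, rcvd integer)")
        con.executemany("insert into traffic_log values (?, ?, ?, ?, ?)", rows)
        return con.execute(fill_placeholders(query, start_time, end_time)).fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    # Period 2011-04-05 08:00 to 10:00 UTC; the last sample row falls outside it.
    for hourstamp, appname, bandwidth in run_dataset(TOP_APPS_BY_BANDWIDTH,
                                                     1301990400, 1301997600):
        print(hourstamp, appname, bandwidth)
```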
Charts that are used in reports do not have "last24h" in the name; charts with that suffix
are carried forward from earlier releases and are not usually used in FortiOS 4.0 MR3 and
higher.
Configuring a chart
The following explains how to configure a chart from scratch.
All pages, except for the Table of Contents page, can import an image.
Viewing reports
Generated reports are viewed from the Historical Reports page in Log&Report > Report
Access > Report.
Delete: Removes one, multiple or all reports from the list. If you select the check box in
the check box column, you can remove all reports from the list at one time.
Report File: The name of the report file, which includes the date and time. Note: To view
a HTML report, select the name in this column. The HTML report appears in a separate
window.
Started: The time when the report began generating. This includes the date and is
displayed in the format yyyy-mm-dd hh:mm:ss. The hour is in the 24 hour format.
Finished: The time when the report stopped generating. This includes the date and is
displayed in the format yyyy-mm-dd hh:mm:ss. The hour is in the 24 hour format.
Size (bytes): The size of the report file, in bytes.
Other Formats: Displays PDF formatted generated reports. Select the format in this
column to view the report in PDF.
Report example
The following is an example of a report created from within the CLI. The type of report is
what is known as "a report created from scratch" because you are configuring the style,
theme, layout and, if applicable, the datasets for charts. In the following report, no
datasets are configured.
To configure a theme
Enter the following to configure a theme:
config report theme
edit web-theme
set column-count 2
set default-pdf-style web-cover
set graph-chart-style web-chart
set page-orient landscape
set page-style web-pages
set table-chart-style web-chart
set toc-title-style web-toc-title
set toc-heading1-style web-toc-heading1
set toc-heading2-style web-toc-heading2
set toc-heading3-style web-toc-heading3
set heading1-style web-heading1
set heading2-style web-heading2
set heading3-style web-heading3
set page-footer-style web-footerheader
set page-header-style web-footerheader
set report-title-style web-cover
end
• web.blocked-request.web_cats
• web.bandwidth.sites.user
• web.bandwidth.stream-sites.user
• web.bandwidth.stream-sites
To configure layout
1 Log into the CLI.
2 Enter the following to configure the layout:
config report layout
edit web-activity-layout
set cutoff-option custom
set cutoff-time 04:50
set day monday
set description "Web activity report for the week of March 7"
set format pdf
set options include-table-of-contents
set style-theme web-theme
set subtitle "Web Activity Report"
set time 08:30
set title "Web Activity Report for March 7"
set email-send enable
Appendix
Document conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from
the private IP address ranges defined in RFC 1918: Address Allocation for Private
Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Most of the examples in this document use the following IP addressing:
• IP addresses are made up of A.B.C.D
• A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.
• B - 168, or the branch / device / virtual device number.
• Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
• Device or virtual device - allows multiple FortiGate units in this address space
(VDOMs).
• Devices can be from x01 to x99.
• C - interface - FortiGate units can have up to 40 interfaces, potentially more than one
on the same subnet
• 001 - 099 - physical address ports, and non-virtual interfaces
• 100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
[Network diagram: the example topology used in Fortinet technical documentation, with
Head office, Branch office and WAN segments connecting FortiGate, FortiWiFi,
FortiAnalyzer, FortiMail, FortiManager and FortiSwitch units and Windows and Linux PCs
addressed according to the scheme above, for example Linux PC 10.11.101.20, Windows
PC 10.11.101.10, FortiGate-5005FA2 Port 1: 10.21.101.102, and the Engineering network
10.22.101.0.]
Information highlights
A Must Read item details things that are easily missed: configuration changes that only
apply to the current session, or services that need restarting before an update will apply.
Ignoring a box labeled 'Important' will not cause data loss but may cause irritation and
frustration.
A Troubleshooting tip provides information to help you track down why your
configuration is not working.
A Tip provides shortcuts or alternative approaches to the task at hand. Ignoring a tip
should have no negative consequences, but you might miss out on a trick that makes
your life easier.
Typographical conventions
Table 2: Typographical conventions in Fortinet technical documentation
Convention: Example
Button, menu, text box, field, or check box label: From Minimum log level, select
Notification.
CLI input:
config system dns
set primary <address_ipv4>
end
CLI output:
FGT-602803030703 # get system settings
comments : (null)
opmode : nat
Emphasis: HTTP connections are not secure and can be intercepted by a third party.
File content:
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
Hyperlink: Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Keyboard entry: Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation: Go to VPN > IPSEC > Auto Key (IKE).
Publication: For details, see the FortiOS Handbook.
Most web-based manager numeric value fields make it easy to add the acceptable
number of digits within the allowed range. CLI help includes information about allowed
numeric value ranges. Both the web-based manager and the CLI prevent you from
entering invalid numbers.
Training
Fortinet Training Services offers courses that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
Visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or
email training@fortinet.com.
Technical Documentation
See the Fortinet Technical Documentation web site, http://docs.fortinet.com, for the most
up-to-date technical documentation.
The Fortinet Knowledge Base provides troubleshooting, how-to articles, examples,
FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at
http://kb.fortinet.com.
service
quarantine files list, 48 viewing reports
reports, viewing, 70
sorting
quarantine files list, 47
sql W
tables, 18 web filter, 40
sql statement examples, 18