2
Logging & Monitoring
3
Log Severity Levels
4
Log Storage Locations
Diagram: where a FortiGate can store logs
• Local logging: Hard drive, Memory
• Remote logging: FortiAnalyzer, FortiManager, FortiCloud, Syslog, SNMP
5
Storage: FortiAnalyzer/FortiManager
Diagram: FortiGate registers with FortiAnalyzer/FortiManager
6
FortiAnalyzer vs. FortiManager
7
FortiAnalyzer/FortiManager: Configuration
8
Storage: FortiCloud
• Subscription service
 o Long-term log storage & reporting
 o FortiGates include a one-month free trial
 o Links to FortiCare user
 o See documentation
9
Types and Subtypes
• Traffic Log
 o Forward (traffic passed/blocked by firewall policies)
 o Local (traffic aimed directly at, or created by, the FortiGate device)
 o Invalid (log messages about packets considered invalid/malformed and dropped)
 o Multicast (log messages about multicast traffic)
• Event Log
 o System (system-related events)
 o User (firewall authentication events)
 o Router, VPN, WanOpt & Cache, WiFi
• Security Log
 o By security profile type (Antivirus, Web Filter, Intrusion Protection, etc.)
 o Section is not created by default
10
Structure and Behavior
11
Viewing Log Messages (GUI)
12
Which settings generate Logs
Log Security Events   Log all Sessions   Result
Enabled               Disabled           Security log events appear in the Forward Traffic Log. A Forward Traffic Log entry is generated only for sessions that cause a security event.
Disabled              Enabled            A Forward Traffic Log entry is generated for every single session.
Enabled               Enabled            Security log events appear in the Forward Traffic Log, and a Forward Traffic Log entry is generated for every single session.
13
Viewing Log Messages (GUI): Adding Filters
14
Viewing Log Messages (Raw)
15
Viewing Log Messages (Raw): Header
o Log header
date=2013-09-10 time=12:55:06 log_id=32001 type=utm
subtype=dlp eventtype=dlp level=warning vd="root" filteridx=0
o Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0
user="user" group="group" srcip=1.1.1.1 srcport=2560
srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1"
service=mm1 …
16
Viewing Log Messages (Raw): Body
o Log body
srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0
dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0 service=other
proto=0 appid=1 app="AIM" appcat="IM" applist=unknown-1 duration=0
sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vpn="vpn0"
shapersentname="shaper sent name" shaperdropsentbyte=16843009
shaperrcvdname="shaper rcvd name" shaperdroprcvdbyte=16843009
shaperperipname="perip name" shaperperipdropbyte=16843009
devtype="iPad" osname="linux" osversion="ver" unauthuser="user"
unauthusersource="none" collectedemail="mail"
mastersrcmac=02:02:02:02:02:02 srcmac=01:01:01:01:01:01
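The two raw records above are space-separated key=value pairs, with values that contain spaces wrapped in double quotes (user="test user"). The following is an added example, not code from the slides: a small Python parser that splits such a record into the header keys shown on the previous slide and the type-specific body, then triages records for denied traffic and security (type=utm) events at or above a chosen severity. The DLP record is the slide example joined onto one line; the traffic record reuses the body above with a constructed header (date, time, logid, type, subtype, level, vd), since the slide shows only the body. The severity order is the standard syslog order, which the FortiGate level= field follows.

```python
"""Added example: parse FortiGate raw key=value log records and triage them.

Not code from the original slides. Sample inputs are built from the slide
examples; the header of SAMPLE_TRAFFIC is a constructed assumption.
"""
import re
from typing import Dict, List, Tuple

# A value is either a double-quoted string (may contain spaces and \" escapes)
# or a bare run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Keys the slides place in the log header; everything else is treated as body.
HEADER_KEYS = frozenset(
    {"date", "time", "log_id", "logid", "type", "subtype",
     "eventtype", "level", "vd", "filteridx"}
)

# Syslog severity order, most severe first. FortiGate writes level 5 as "notice".
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "information", "debug"]

# Slide header+body example joined onto one line (trailing "..." dropped).
SAMPLE_UTM = (
    'date=2013-09-10 time=12:55:06 log_id=32001 type=utm subtype=dlp '
    'eventtype=dlp level=warning vd="root" filteridx=0 policyid=12345 '
    'identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" group="group" '
    'srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 '
    'dstintf="port1" service=mm1'
)
# Slide traffic body with a CONSTRUCTED header (first line) for this example.
SAMPLE_TRAFFIC = (
    'date=2013-09-10 time=12:56:00 logid=0000000013 type=traffic '
    'subtype=forward level=notice vd="root" '
    'srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0 '
    'dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0 '
    'status=deny user="test user" group="test group" policyid=0 '
    'dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat '
    'service=other proto=0 appid=1 app="AIM" appcat="IM" sentbyte=0 rcvdbyte=0 '
    'devtype="iPad" osname="linux" srcmac=01:01:01:01:01:01'
)


def parse_record(line: str) -> Dict[str, str]:
    """Return the key=value pairs of one raw log line, with quotes removed."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def split_header_body(fields: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Separate the fixed header keys from the type-specific body."""
    header = {k: v for k, v in fields.items() if k in HEADER_KEYS}
    body = {k: v for k, v in fields.items() if k not in HEADER_KEYS}
    return header, body


def at_least(level: str, threshold: str) -> bool:
    """True if `level` is at least as severe as `threshold` (unknown levels count)."""
    if level not in SEVERITY_ORDER:
        return True
    return SEVERITY_ORDER.index(level) <= SEVERITY_ORDER.index(threshold)


def triage(lines: List[str], threshold: str = "warning") -> List[str]:
    """One finding per record worth a look: denied traffic, or any security
    (type=utm) record at or above `threshold`. Other records are ignored."""
    findings: List[str] = []
    for line in lines:
        header, body = split_header_body(parse_record(line))
        who = body.get("user", "?")
        flow = f'{body.get("srcip", "?")}->{body.get("dstip", "?")}'
        if header.get("type") == "traffic" and body.get("status") == "deny":
            findings.append(
                f'denied {header.get("subtype")} traffic {flow} '
                f'policyid={body.get("policyid")} user={who}'
            )
        elif header.get("type") == "utm" and at_least(header.get("level", ""), threshold):
            findings.append(
                f'{header.get("subtype")} event level={header.get("level")} {flow} user={who}'
            )
    return findings


if __name__ == "__main__":
    for finding in triage([SAMPLE_UTM, SAMPLE_TRAFFIC]):
        print(finding)
```

Unknown severity names are treated as severe on purpose: a parser that silently drops a record because a vendor added a new level name is the failure mode you least want in a detection pipeline.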
17
Viewing Log Messages (CLI)
18
Monitoring logs
19
Alert Email
20
Alert Email: Configure
21
Alert Message Console
22
SNMP Monitoring
23
SNMP Monitoring: Configuring
24
Configuring Log Settings: GUI
25
Configuring Log Settings: CLI
• Config information (server IP, user name, etc.) is specific to each log location:
 o disk – hard drive (built-in non-volatile flash on some models)
 o fortianalyzer|fortianalyzer2|fortianalyzer3 – up to three separate FortiAnalyzers
 o fortiguard – FortiCloud
 o memory – system memory (volatile; lost on reboot)
 o syslogd|syslogd2|syslogd3 – up to three separate Syslog servers
 o webtrends – WebTrends service
26
Configuring Log settings: Firewall Policy
27
Logging Resources
• The more logs that are generated, the more CPU, memory and disk storage space is required to process them
• UTM profiles create log events when traffic is detected
 o Generally not a large source of logs
• Traffic logs are generated whether or not UTM is turned on
 o Traffic logs also contain UTM event information and extra information for troubleshooting
• Traffic logs can be abbreviated to free up firewall resources
28
Event Logging: Settings
29
Logging Monitor
30
Monitor
31
GUI Monitors
32
Status Page: Custom Widgets
33
Status Page: Custom Dashboards
34
Crash Logs
35
Review
36