4_logging_and_monitoring

The document provides an overview of logging and monitoring features in FortiGate, including log types, severity levels, and storage options. It outlines how to configure log settings, enable logging on firewall policies, and manage logs through various methods such as filtering, downloading, and backing up. Additionally, it discusses the impact of logging on system performance and the use of FortiAnalyzer and FortiManager for log storage and management.

FortiGate I

Logging and Monitoring

FortiGate 5.4.1
© Copyright Fortinet Inc. All rights reserved. Last Modified: 5 May 2019
Objectives
• Describe log types and subtypes
• Describe log severity levels
• Describe log format (header and body)
• Identify log storage locations
• Configure log settings
• Configure remote logging
• Enable logging on firewall policies
• View, filter, download, and export logs
• Monitor your network
• Configure alert email
• Configure, run, and view reports

Logging and Monitoring

FortiGate logging and monitoring is used to:
• Monitor network and Internet traffic volumes
• Diagnose problems
• Establish normal baselines to recognize anomalies
Understanding Logs
Log Types and Subtypes

• Traffic: Forward, Local, Sniffer
• Event: Endpoint Control, High Availability, System, User, Router, VPN, WAD, Wireless
• Security: Application Control, Antivirus, Data Leak Prevention (DLP), Anti-Spam, Web Filter, Intrusion Prevention System (IPS), Anomaly (DoS-policy), WAF

Notes:
• WAN optimization logs are found within traffic logs.
• GPRS Tunneling Protocol (GTP) logs are now handled separately from default event logs.
• If no security logs exist, the log menu item does not appear under the Log & Report menu.
Security Events
• View security events in the Forward Traffic log under the Log Details pane
o Less CPU intensive with fewer open files
Log Severity Levels

Level              Description
0 – Emergency      System unstable
1 – Alert          Immediate action required
2 – Critical       Functionality affected
3 – Error          Error exists that can affect functionality
4 – Warning        Functionality could be affected
5 – Notification   Information about normal events
6 – Information    General system information
Log Message Layout
• Log header (similar in all logs)
o Type and subtype = name of log file
o Level = severity level

date=2016-06-14 time=12:05:28 logid=0316013056 type=utm subtype=webfilter
eventtype=ftgd_blk level=warning vd=root

• Log body (varies by log type)
o policyid = Firewall policy applied to session
o srcip and dstip = Source and destination IP
o action = Action by FortiGate
o hostname = URL or IP of host
o msg = Reason for the action

policyid=1 sessionid=10879 user="" srcip=10.0.1.10 srcport=60952
srcintf="port3" dstip=52.84.14.233 dstport=80 dstintf="port1" proto=6
service="HTTP" hostname="miniclip.com" profile="default" action=blocked
reqtype=direct url="/favicon.ico" sentbyte=297 rcvdbyte=0 direction=outgoing
msg="URL belongs to a denied category in policy" method=domain cat=20
catdesc="Games" crscore=30 crlevel=high
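The header/body layout above, and the per-column filtering and baselining the deck describes later, as an added Python example (not part of the Fortinet material): a parser for the key=value record format that unquotes values (including the empty user=""), splits header from body, maps the level name to the numeric severity in the table, and filters records like the log viewer. The first sample record is the one from the slide; the other two are constructed.

```python
import re
from collections import Counter
# Severity names from the deck's table, mapped to their numeric levels.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6}
# Header keys as described on the slide; every other key belongs to the body.
HEADER_KEYS = ("date", "time", "logid", "type", "subtype", "eventtype", "level", "vd")
# key=value pairs: the value is a double-quoted string (possibly empty) or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
def parse_log(line):
    """Parse one FortiGate log record into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields

def split_header_body(fields):
    header = {k: v for k, v in fields.items() if k in HEADER_KEYS}
    return header, {k: v for k, v in fields.items() if k not in HEADER_KEYS}

def severity(fields):
    """Numeric severity (0 = Emergency ... 6 = Information) of a parsed record."""
    return SEVERITY[fields["level"].lower()]

def filter_logs(records, **columns):
    """Per-column filter, like the log viewer: keep records matching every given column."""
    return [r for r in records if all(r.get(k) == v for k, v in columns.items())]

def blocked_by_source(records):
    """Count action=blocked records per source IP: a simple baseline for spotting anomalies."""
    return Counter(r["srcip"] for r in filter_logs(records, action="blocked"))
# Constructed sample input: the web filter record from the slide plus two made-up records.
SAMPLE_LOGS = [
    'date=2016-06-14 time=12:05:28 logid=0316013056 type=utm subtype=webfilter eventtype=ftgd_blk '
    'level=warning vd=root policyid=1 sessionid=10879 user="" srcip=10.0.1.10 srcport=60952 '
    'srcintf="port3" dstip=52.84.14.233 dstport=80 dstintf="port1" proto=6 service="HTTP" '
    'hostname="miniclip.com" profile="default" action=blocked reqtype=direct url="/favicon.ico" '
    'sentbyte=297 rcvdbyte=0 direction=outgoing msg="URL belongs to a denied category in policy" '
    'method=domain cat=20 catdesc="Games" crscore=30 crlevel=high',
    'date=2016-06-14 time=12:06:01 logid=0000000020 type=traffic subtype=forward level=information '
    'vd=root policyid=1 srcip=10.0.1.11 dstip=93.184.216.34 dstport=443 service="HTTPS" action=accept',
    'date=2016-06-14 time=12:06:40 logid=0316013056 type=utm subtype=webfilter eventtype=ftgd_blk '
    'level=warning vd=root policyid=1 srcip=10.0.1.10 dstip=52.84.14.233 hostname="example.com" '
    'action=blocked msg="URL belongs to a denied category in policy" cat=20 catdesc="Games"',
]
PARSED = [parse_log(line) for line in SAMPLE_LOGS]
```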
Log Storage
Log Storage Locations

• Local logging: Hard drive, Memory
• Remote logging: FortiCloud, Syslog, SNMP, FortiAnalyzer, FortiManager
FortiAnalyzer and FortiManager Log Storage

(Diagram: FortiGate registers with FortiAnalyzer/FortiManager)

• FortiAnalyzer and FortiManager have a list of registered (allowed) devices
• FortiGate uses port 514 for log transmission
• Optionally, you can encrypt communications using SSL-secured OFTP
Comparing FortiAnalyzer and FortiManager
• FortiAnalyzer – Long term, dedicated storage of log data
o Log limit dependent on model
• FortiManager – Central management of multiple FortiGate devices
o Can also store logs and generate reports, but has a fixed amount per day that is less than FortiAnalyzer
• FortiGate can store and upload log events or upload in real time
o Store and upload only available to FortiGates with internal hard drive
FortiCloud and Syslog Log Storage

• FortiCloud
o Hosted, subscription-based service
o Long term log storage and reporting
o Bound to Fortinet Support account
o FortiGate includes 1 month free trial
o See documentation for quotas

• Syslog
o Logging server
o Central repository for networked devices
o Consolidates logs
Configuring Log Settings
Which Settings Generate Logs

Policy Log Setting | Security Profiles | Behavior
Log Allowed Traffic = disabled | Disabled | No Forward Traffic or Security Logs
Log Allowed Traffic = disabled | Enabled | No Forward Traffic or Security Logs
Security Events = enabled | Disabled | No Forward Traffic or Security Logs
Security Events = enabled | Enabled | Security log events appear in Forward Traffic log and Security log. A Forward Traffic log generates for packets causing a security event.
All Sessions = enabled | Disabled | A Forward Traffic log generates for every single session.
All Sessions = disabled | Enabled | Security log events appear in Forward Traffic log and Security log. A Forward Traffic log generates for every single session.

• Hardware acceleration affects logging
o Traffic offloaded to NP processors is not logged
• Can disable hardware acceleration
• Can enable NP packet logging (degrades NP performance)
Local Log Settings

• Log & Report > Log Settings
o Disk logging
• If disabled, FortiView logs are only available in real-time
o Local reports
o Historical FortiView
• Requires disk logging
• Back up and restore local disk logs from the CLI:

# execute log backup <filename>

• Logs older than 7 days (default) are deleted from disk
Remote Logging Settings: FortiAnalyzer/FortiManager

• Log & Report > Log Settings
• Can configure up to three separate FortiAnalyzer and FortiManager devices through the CLI
o Multiple devices may be needed for redundancy
o Generating and sending logs requires resources – be aware!

# config log [fortianalyzer|fortianalyzer2|fortianalyzer3] setting
set status enable
set server x.x.x.x
end

• Commands not cumulative
Remote Logging Settings: FortiCloud
• Log & Report > Log Settings
o Must activate FortiCloud account first through the dashboard

Remote Logging Settings: Syslog
• Log & Report > Log Settings
o Enable and add IP/FQDN of Syslog
• Ensure Syslog is configured for logging
• Can configure up to four remote Syslog servers from the CLI:

# config log <syslogd | syslogd2 | syslogd3 | syslogd4>
Local Traffic and Event Logging Settings
• Log & Report > Log Settings
• Local traffic logs = traffic directly to and from FortiGate
o Disabled by default
• Event logs = system information generated by the FortiGate device
GUI Preference Log Settings
• Log & Report > Log Settings
• Display logs from:
o Memory
o Disk
o FortiAnalyzer
• Can translate IPs to host names for convenience
o Can impact CPU usage and page responsiveness
Configuring Threat Weight
• Log & Report > Threat Weight
• Set risk level values for low, medium, high, and critical
• Associate a threat weight
• View detected threats from FortiView > Threats
Enabling Logging on Firewall Policies
• Firewall policy setting decides if a log message is generated or not
o Log Settings only decides if and where log is stored

Must enable logging on the firewall policy!
Effect of Logging on Performance
• More Logs = More CPU + More Disk Space
• Security profiles log when matching criteria is met
• Traffic logs record every session
o Extra information for troubleshooting
o Some UTM events too
o More system intensive
• Enable performance statistic logging for remote logging devices on FortiGate:

# config system global
set sys-perf-log-interval <number from 0-15>
end
Viewing and Managing Logs
Viewing Log Messages (GUI)

• Items in the Log & Report menu depend on configuration as well as incoming logs
o Changed from Log Settings page
Filter Settings
• Reduces the number of log entries displayed
• Filters are per column; more can be added
• Right-click the column of a specific log for quick filter options
o Filter options based on log type and column
Quick Filters and Log Viewer Quarantine
• Right-click log to apply quick filters
• Option to quarantine
o Simplifies administration
• Quarantine Source
o Block traffic from user (Source IP) permanently or for a period of time
• Quarantine FortiClient
o Activates host quarantine
• Release user from Monitor > User Quarantine
Viewing Logs Associated with a Firewall Policy
• Policy & Objects > IPv4 Policy
• Access log messages generated by individual policies
Downloading Logs
• Log & Report
• Download debug logs
o System > Advanced
Backing Up Logs

• Three methods for backing up logs (copying log files from database to specified location):
o FTP
o TFTP
o USB

# execute backup disk alllogs usb
# execute backup disk log usb <log_type>