
Course 201 - Administration, Content Inspection and VPNs Logging and Monitoring

Logging and Monitoring


Module 2

2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C

Module Objectives

By the end of this module participants will be able to:


Define the storage location for log information
Enable logging for different FortiGate unit events
View and search logs
Monitor log activity
Understand RAW log output
Customize widgets on the dashboard

01-50000-0201-20130215-C

Logging and Monitoring

Logging and monitoring are key elements in maintaining devices on the network:

Monitor network and Internet traffic
Track down and pinpoint problems
Establish baselines

Logging Severity Levels

Administrators define the severity level at which the FortiGate unit records log information.
All messages at, or above, the minimum severity level will be logged:

Emergency = System unstable
Alert = Immediate action required
Critical = Functionality affected
Error = Error exists that can affect functionality
Warning = Functionality could be affected
Notification = Info about normal events
Information = General system information (default)
Debug = Debug log messages


Log Storage Locations

Local logging: memory and hard drive
Remote logging: syslog, SNMP

Log Types and Subtypes

Traffic Log
Forward (Traffic passed/blocked by Firewall policies)
Local (Traffic aimed directly at, or created by FortiGate device)
Invalid (Packets considered invalid/malformed and dropped)
Event Log
System (System related events)
Router, VPN, User, WanOpt & Cache, Wifi
UTM Security Log
Antivirus, Web Filter, Intrusion Protection, etc.


Log Structure and Behavior

Options for log behavior:

UTM consolidated into the Forward Traffic log
UTM separated into individual logs
Controlled by the utm-incident-traffic-log setting:
config sys global
set utm-incident-traffic-log [enable|disable]
end
If Log Allowed Traffic is disabled on the policy, a UTM event still enables traffic logging for that session
Pre-5.0 behavior: not configurable, always on
Consolidating logs into the Traffic Log is recommended for performance
Multiple individual log files are harder on the CPU than one

Traffic Log Generation

Log Traffic | UTM Function | Extended-utm | utm-incident-traffic-log | Behavior
Enabled | Disabled (traffic does not go to UTM) | N/A | N/A | Traffic log generated by kernel (like today). All new UTM fields empty.
Enabled | Enabled (traffic goes to UTM) | Disabled | Either | UTM events generate logs in the traffic log. All traffic through the policy generates a traffic log.
Disabled | Enabled (traffic goes to UTM) | Disabled | Enabled | UTM events generate logs in the traffic log. Only traffic that has a UTM event occur generates traffic logs.
Disabled | Enabled (traffic goes to UTM) | Disabled | Disabled | Only UTM events generate logs in the traffic log (no other traffic logs).
Disabled | Enabled (traffic goes to UTM) | Enabled | Enabled | UTM events generate logs in the UTM log. Only traffic that has a UTM event occur generates traffic logs.


Viewing Log Messages

Log Viewer Filtering

Use Filter Settings to customize the display of log messages to:

Show specific information in log messages
Reduce the number of log entries that are displayed
Easily locate specific information



Log Severity Level

The log severity level is indicated in the level field of the log message:

date=2012-09-10 time=13:00:30 logid=0100032001
type=event subtype=system level=information
vd="root" user="admin" ui=http(10.0.1.10)
action=login status=success reason=none
profile="super_admin" msg="Administrator admin
logged in successfully from http(10.0.1.10)"

information = normal event


Viewing Log Messages (Raw)

Fields in each log message are arranged into two groups:

Log header (common to all log messages)
date=2012-11-13 time=11:17:56 logid=0000000009
type=traffic subtype=forward level=notice vd=root
Log body (varies per log entry type)
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
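As an added example (not part of the Fortinet course material), a small Python parser for the raw key=value format shown above. It splits a message into the header and body groups, applies the minimum-severity rule from the severity slide, and filters on field values the way the Log Viewer filter does. Field names come from the slides; treating "notice" as the notification level and the handling of unquoted values are assumptions.

```python
import re

# Severity levels, most to least severe, as listed on the severity slide;
# the raw traffic sample spells the notification level "notice".
SEVERITY = ["emergency", "alert", "critical", "error", "warning",
            "notification", "information", "debug"]
ALIASES = {"notice": "notification"}
# Header fields are common to every message; everything else is body.
HEADER_FIELDS = {"date", "time", "logid", "log_id", "type", "subtype",
                 "eventtype", "level", "vd"}
# One key=value pair: a double-quoted value (may contain spaces, e.g.
# user="test user") or a run of non-blank characters.
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log(line):
    """Split a raw FortiGate log line into (header, body) dicts."""
    header, body = {}, {}
    for key, value in _PAIR.findall(line):
        if value.startswith('"'):
            value = value[1:-1]        # drop the quotes, keep the spaces
        (header if key in HEADER_FIELDS else body)[key] = value
    return header, body

def severity_rank(level):
    """0 = emergency ... 7 = debug; an unknown level raises ValueError."""
    level = level.lower()
    return SEVERITY.index(ALIASES.get(level, level))

def select_logs(lines, minimum="information", **wanted):
    """Records at/above `minimum` whose fields equal every `wanted` value."""
    kept = []
    for line in lines:
        header, body = parse_log(line)
        if severity_rank(header.get("level", "debug")) > severity_rank(minimum):
            continue                   # less severe than the minimum: skip
        if all({**header, **body}.get(k) == v for k, v in wanted.items()):
            kept.append((header, body))
    return kept

# Constructed sample: the two raw messages shown on the slides, joined onto
# one line each and abridged.
SAMPLE_LOGS = [
    'date=2012-09-10 time=13:00:30 logid=0100032001 type=event subtype=system '
    'level=information vd="root" user="admin" ui=http(10.0.1.10) action=login '
    'status=success msg="Administrator admin logged in successfully from http(10.0.1.10)"',
    'date=2012-11-13 time=11:17:56 logid=0000000009 type=traffic subtype=forward '
    'level=notice vd=root srcip=172.16.78.32 srcport=900 dstip=1.1.1.32 '
    'dstport=800 dstcountry="Australia" service=800/tcp policyid=100 '
    'user="test user" group="test group" wanin=400 wanout=300',
]
```

select_logs(SAMPLE_LOGS, "notification", type="traffic") keeps only the forward-traffic record, since the information-level admin login falls below the minimum.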



Viewing Log Messages (Raw)

Log header
date=2012-08-30 time=12:55:06 log_id=32001 type=utm
subtype=dlp eventtype=dlp level=warning vd=root
filteridx=0
Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0
eventid=0 user="user" group="group" srcip=1.1.1.1
srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120
dstintf="port1" service=mm1 ...

The type and subtype fields identify the log file the message is recorded in (for example, UTM > Data Leak Prevention or Traffic > Forward Traffic).


Viewing Log Messages (Raw)

Log body
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
hostname="host" url="www.abcd.com"
msg="Data Leak Prevention Testing Message" action=block severity=0
infection="carrier end point filter"

policyid = id number of firewall policy matching the session



Viewing Log Messages (Raw)

Log body
srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0
dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0
service=other proto=0 appid=1 app="AIM" appcat="IM"
applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name"
shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name"
shaperdroprcvdbyte=16843009 shaperperipname="perip name"
shaperperipdropbyte=16843009 devtype="iPad" osname="linux"
osversion="ver" unauthuser="user" unauthusersource="none"
collectedemail="mail" mastersrcmac=02:02:02:02:02:02
srcmac=01:01:01:01:01:01

status = action taken by the FortiGate unit



Alert Email

Send a notification to an email address upon detection of a defined event:

Identify the SMTP server name
Configure at least one DNS server
Up to three recipients per mail server



SNMP

Diagram: managed device (FortiGate unit) running the SNMP agent, described by the Fortinet MIB, reporting to the SNMP manager.

Traps received by the agent are sent to the SNMP manager:

Configure the FortiGate unit interface for SNMP access
Compile and load Fortinet-supplied MIBs into the SNMP manager
Create SNMP communities to allow connection from the FortiGate unit to the SNMP manager


Event Logging



Event Log


Monitor



Monitor

Monitor sub-menus are found in the GUI for all main function menus:

User-friendly display of monitored information
View activity of a specific feature being monitored such as Firewall, VPN, Router, Wi-Fi, etc.
UTM monitoring can be enabled via System > Admin > Settings


Monitor

Example: UTM Security Profiles Monitor (includes all UTM features)

AV Monitor: recent and top virus activity
Web Monitor: top blocked FortiGuard categories
Application Monitor: most used applications



Status Page Custom Widgets

Many widgets can have their settings altered to display different information
The same widget can be added multiple times to the same dashboard, each showing different information


Labs

Lab 1: Status Monitor and Event Log

Ex 1: Exploring the GUI Status Monitor
Ex 2: Event Log and Logging Options

Lab 2 (optional): Remote Monitoring

Ex 1: Remote Syslog and SNMP Monitoring



Classroom Lab Topology

