002loggingandmonitoring 140122071621 Phpapp02

Course 201 - Administration, Content Inspection and VPNs Logging and Monitoring
Logging and Monitoring

Module 2
2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or
1 distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C
Module Objectives
By the end of this module participants will be able to:

Define the storage location for log information
Enable logging for different FortiGate unit events
View and search logs
Monitor log activity
Understand RAW log output
Customize widgets on the dashboard
01-50000-0201-20130215-C
Logging and Monitoring
Logging and monitoring are key

elements in maintaining devices
on the network
Monitor network and Internet traffic
Track down and pinpoint problems
Establish baselines
Logging Severity Levels
Administrators define the severity level at which the FortiGate unit

records log information
All messages at, or above, the minimum severity level will be logged
Emergency = System unstable
Alert = Immediate action required
Critical = Functionality affected
Error = Error exists that can affect functionality
Warning = Functionality could be affected
Notification = Info about normal events
Information = General system information (default)
Debug = Debug log messages
01-50000-0201-20130215-C
Log Storage Locations
Memory and
Hard drive
Syslog SNMP
Local logging
Remote logging
Log Types and Subtypes
Traffic Log
Forward (Traffic passed/blocked by Firewall policies)
Local (Traffic aimed directly at, or created by FortiGate device)
Invalid (Packets considered invalid/malformed and dropped)
Event Log
System (System related events)
Router, VPN, User, WanOpt & Cache, Wifi
UTM Security Log
Antivirus, Web Filter, Intrusion Protection, etc.
01-50000-0201-20130215-C
Log Structure and Behavior
Options for log behavior:

UTM consolidated into Forward Traffic log
UTM separated into individual logs
utm-incident-traffic-log
config sys global
set utm-incident-traffic-log [enable|disable]
end
If log allowed traffic is disabled on the policy, then a UTM event enabled traffic
logging for that session
Behavior is not configurable and only on, pre 5.0
Logs consolidated into Traffic Log is recommend for performance
Multiple individual log files are harder on CPU then one
Traffic Log Log Generation
utm-incident-
Log Traffic UTM Function Extended-utm Behavior
traffic-log
Enabled Disabled (traffic does not N/A N/A Traffic log generated by kernel (like
go to UTM) today). All new UTM fields empty.
Enabled Enabled (traffic goes to Disabled Either UTM Events generate logs in traffic log
UTM) All traffic through policy generates traffic
log
Disabled Enabled (traffic goes to Disabled Enabled UTM Events generate logs in traffic log
UTM) Only traffic that has a UTM even occur
generates traffic logs
Disabled Enabled (traffic goes to Disabled Disabled Only UTM events generates logs in the
UTM) traffic log (no other traffic logs)
Disabled Enabled (traffic goes to Enabled Enabled UTM Events generate logs in utm log
UTM) Only traffic that has a UTM even occur
generates traffic logs
01-50000-0201-20130215-C
Viewing Log Messages
Log Viewer Filtering
Use Filter Settings to customize the display of log messages to

show specific information in log messages
Reduce the number of log entries that are displayed
Easily locate specific information
10
01-50000-0201-20130215-C
Log Severity Level
Log severity level indicated in the level field of the log message
date=2012-09-10 time=13:00:30 logid=0100032001

type=event subtype=system level=information
vd="root" user="admin" ui=http(10.0.1.10)
action=login status=success reason=none
profile="super_admin" msg="Administrator admin
logged in successfully from http(10.0.1.10)"
information = normal event
11
Viewing Log Messages (Raw)
Fields in each log message are arranged into two groups:

Log header (common to all log messages)
date=2012-11-13 time=11:17:56 logid=0000000009
type=traffic subtype=forward level=notice vd=root
Log body (varies per log entry type)
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
12
01-50000-0201-20130215-C
Log header
date=2012-08-30 time=12:55:06 log_id=32001 type=utm
subtype=dlp eventtype=dlp level=warning vd=root
filteridx=0
Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0
eventid=0 user="user" group="group" srcip=1.1.1.1
srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120
dstintf="port1" service=mm1 .
The type and subtype fields = log file that message is

recorded in (for example, UTM > Data Leak Prevention or
Traffic > Forward Traffic)
13
Log body
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
hostname="host" url="www.abcd.com" msg="Data Leak
Prevention Testing Message" action=block severity=0
infection="carrier end point filter"
policyid = id number of firewall policy matching the session
14
01-50000-0201-20130215-C
Log body
srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0
dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0
service=other proto=0 appid=1 app="AIM" appcat="IM"
applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name"
shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name"
shaperdroprcvdbyte=16843009 shaperperipname="perip name"
shaperperipdropbyte=16843009 devtype="iPad" osname="linux"
osversion="ver" unauthuser="user" unauthusersource="none"
collectedemail="mail" mastersrcmac=02:02:02:02:02:02
srcmac=01:01:01:01:01:01
status = action taken by the FortiGate unit

15
Alert Email
Send notification to email address upon

detection of defined event
Identify SMTP server name
Configure at least one DNS server
Up to three recipients per mail server
16
01-50000-0201-20130215-C
SNMP
SNMP agent Fortinet MIB
Managed device SNMP manager
Traps received by agent sent to SNMP manager

Configure FortiGate unit interface for SNMP access
Compile and load Fortinet-supplied MIBs into SNMP
manager
Create SNMP communities to allow connection from
FortiGate unit to SNMP manager
17
Event Logging
18
01-50000-0201-20130215-C
Event Log
19
Monitor
20
01-50000-0201-20130215-C
Monitor
Monitor sub-menus found in GUI for all main function menus

User-friendly display of monitored information
View activity of a specific feature being monitored such as Firewall,
VPN, Router, Wi-Fi, etc.
UTM monitoring can be enabled via System > Admin > Settings
21
Monitor
Example: UTM Security Profiles Monitor

Includes all UTM features
AV Monitor
Recent and top virus activity
Web Monitor
Top blocked FortiGuard categories
Application Monitor
Most used applications

22
01-50000-0201-20130215-C
Status Page Custom Widgets
Many widgets can have their settings altered to display different

information
The same widget can be added multiple times to the same dashboard showing
different information
23
Labs
Lab 1: Status Monitor and Event Log

Ex 1: Exploring the GUI Status Monitor
Ex 2: Event Log and Logging Options
(OPTIONAL)
Lab 2: Remote Monitoring
Ex 1: Remote Syslog and SNMP Monitoring
24
01-50000-0201-20130215-C
Classroom Lab Topology
25
01-50000-0201-20130215-C

002loggingandmonitoring 140122071621 Phpapp02

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

002loggingandmonitoring 140122071621 Phpapp02

Hochgeladen von

Copyright:

Verfügbare Formate

Course 201 - Administration, Content Inspection and VPNs Logging and Monitoring

Logging and Monitoring

By the end of this module participants will be able to:

Logging and Monitoring

Logging and monitoring are key

Logging Severity Levels

Administrators define the severity level at which the FortiGate unit

Log Storage Locations

Log Types and Subtypes

Log Structure and Behavior

Options for log behavior:

Traffic Log Log Generation

Viewing Log Messages

Log Viewer Filtering

Use Filter Settings to customize the display of log messages to

Log Severity Level

date=2012-09-10 time=13:00:30 logid=0100032001

information = normal event

Viewing Log Messages (Raw)

Fields in each log message are arranged into two groups:

Viewing Log Messages (Raw)

The type and subtype fields = log file that message is

Viewing Log Messages (Raw)

policyid = id number of firewall policy matching the session

Viewing Log Messages (Raw)

status = action taken by the FortiGate unit

Send notification to email address upon

SNMP agent Fortinet MIB

Managed device SNMP manager

Traps received by agent sent to SNMP manager

Monitor sub-menus found in GUI for all main function menus

Example: UTM Security Profiles Monitor

Status Page Custom Widgets

Many widgets can have their settings altered to display different

Lab 1: Status Monitor and Event Log

Classroom Lab Topology

Das könnte Ihnen auch gefallen