2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or
distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C
Module Objectives
01-50000-0201-20130215-C
Course 201 - Administration, Content Inspection and VPNs: Logging and Monitoring
Local logging: memory and hard drive
Remote logging: Syslog, SNMP
Traffic Log
Forward (Traffic passed/blocked by Firewall policies)
Local (Traffic aimed directly at, or created by FortiGate device)
Invalid (Packets considered invalid/malformed and dropped)
Event Log
System (System related events)
Router, VPN, User, WanOpt & Cache, Wifi
UTM Security Log
Antivirus, Web Filter, Intrusion Protection, etc.
The policy's traffic logging setting, its UTM profiles, the extended-utm setting and the utm-incident-traffic-log setting together determine which logs are written:

Log Traffic: Enabled | UTM Function: Disabled (traffic does not go to UTM) | Extended-utm: N/A | utm-incident-traffic-log: N/A
  Behavior: traffic log generated by the kernel (as today); all new UTM fields are empty.

Log Traffic: Enabled | UTM Function: Enabled (traffic goes to UTM) | Extended-utm: Disabled | utm-incident-traffic-log: Either
  Behavior: UTM events generate logs in the traffic log; all traffic through the policy generates a traffic log.

Log Traffic: Disabled | UTM Function: Enabled (traffic goes to UTM) | Extended-utm: Disabled | utm-incident-traffic-log: Enabled
  Behavior: UTM events generate logs in the traffic log; only traffic that has a UTM event occur generates a traffic log.

Log Traffic: Disabled | UTM Function: Enabled (traffic goes to UTM) | Extended-utm: Disabled | utm-incident-traffic-log: Disabled
  Behavior: only UTM events generate logs in the traffic log (no other traffic logs).

Log Traffic: Disabled | UTM Function: Enabled (traffic goes to UTM) | Extended-utm: Enabled | utm-incident-traffic-log: Enabled
  Behavior: UTM events generate logs in the UTM log; only traffic that has a UTM event occur generates a traffic log.
The log severity level is indicated in the level field of the log message.
Log header
date=2012-08-30 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp level=warning vd=root filteridx=0
Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" group="group" srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1
Log body (DLP log with WAN optimization fields)
srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100 hostname="host" url="www.abcd.com" msg="Data Leak Prevention Testing Message" action=block severity=0 infection="carrier end point filter"
Log body (traffic log with application control, traffic shaping and device identification fields)
srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0
dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0
service=other proto=0 appid=1 app="AIM" appcat="IM"
applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name"
shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name"
shaperdroprcvdbyte=16843009 shaperperipname="perip name"
shaperperipdropbyte=16843009 devtype="iPad" osname="linux"
osversion="ver" unauthuser="user" unauthusersource="none"
collectedemail="mail" mastersrcmac=02:02:02:02:02:02
srcmac=01:01:01:01:01:01
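As an added worked example (not part of the Fortinet course material), the following Python parses the key=value log format shown in the samples above, ranks messages by the level field described earlier, and pulls out the ones an analyst would look at first: UTM logs that blocked something, and anything at or above a chosen severity. The list of FortiOS severity names, the "<189>" syslog PRI prefix, and the log_id, time and level values of the constructed sample lines 2 to 4 are assumptions drawn from general FortiOS knowledge, not from this page.

```python
"""Parse FortiGate key=value log messages and triage them by the "level" field.

Added example, not Fortinet course material. The sample lines below are constructed
from the field layouts shown on this page; the log_id, time and level values of lines
2-4 are assumed for illustration.
"""
import re
from typing import Dict, List

# FortiOS severity names, most severe first. Taken from general FortiOS knowledge,
# not from this page; the page only says the severity sits in the "level" field.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "information", "debug"]
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITY_ORDER)}

# key=value, where value is a double-quoted string (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS: List[str] = [
    # 1: DLP UTM log, header and body as shown on this page (joined onto one line).
    'date=2012-08-30 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp '
    'level=warning vd=root filteridx=0 policyid=12345 identidx=67890 sessionid=312 '
    'epoch=0 eventid=0 user="user" group="group" srcip=1.1.1.1 srcport=2560 '
    'srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1',
    # 2: DLP block, as received over syslog (the "<189>" PRI prefix is assumed).
    '<189>date=2012-08-30 time=12:55:07 log_id=32001 type=utm subtype=dlp level=warning '
    'vd=root srcip=172.16.78.32 srcport=900 dstip=1.1.1.32 dstport=800 service=800/tcp '
    'policyid=100 user="test user" group="test group" url="www.abcd.com" '
    'msg="Data Leak Prevention Testing Message" action=block severity=0',
    # 3: forward traffic log, denied session with application control fields (constructed).
    'date=2012-08-30 time=12:55:08 log_id=13 type=traffic subtype=forward level=notice '
    'vd=root srcip=172.16.78.88 srcport=0 dstip=229.118.95.200 dstport=0 status=deny '
    'policyid=0 service=other proto=0 appid=1 app="AIM" appcat="IM" sentbyte=0 rcvdbyte=0',
    # 4: forward traffic log, accepted session (constructed).
    'date=2012-08-30 time=12:55:09 log_id=13 type=traffic subtype=forward '
    'level=information vd=root srcip=172.16.78.88 srcport=1024 dstip=1.1.1.32 '
    'dstport=80 status=accept policyid=100 service=HTTP sentbyte=512 rcvdbyte=2048',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log message into a dict; quoted values lose their quotes."""
    # Drop a leading syslog PRI such as <189> if the message came through a syslog server.
    line = re.sub(r"^<\d{1,3}>", "", line.strip())
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def at_least(fields: Dict[str, str], threshold: str) -> bool:
    """True when the message's level is as severe as threshold or more severe.

    A missing or unknown level never satisfies the threshold, so a malformed
    message cannot slip past a filter by omitting the field.
    """
    rank = SEVERITY_RANK.get(fields.get("level", ""))
    return rank is not None and rank <= SEVERITY_RANK[threshold]


def triage(lines: List[str], threshold: str = "warning") -> List[Dict[str, str]]:
    """Keep UTM logs that blocked something plus anything at or above threshold."""
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if not f:
            continue
        blocked = f.get("type") == "utm" and f.get("action") == "block"
        if blocked or at_least(f, threshold):
            hits.append(f)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(hit["level"], hit["type"], hit.get("subtype"), hit.get("msg", hit.get("service")))
```

The quoted-string alternative in the regex is tried first, so a value such as msg="Data Leak Prevention Testing Message" is kept whole and its spaces do not start new fields; the PRI strip matters only when the logs arrive through a syslog server rather than from local storage.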
Alert Email
SNMP
Event Logging
Event Log
Monitor
Labs
(OPTIONAL)
Lab 2: Remote Monitoring
Ex 1: Remote Syslog and SNMP Monitoring