Logging and Monitoring
Module Objectives
• By the end of this module participants will be able to:
• Identify the severity levels assigned to logs
• Define the storage location for log information
• Enable logging for different FortiGate unit events
• View and search logs
• Configure content archiving
• Generate reports from stored log information
Logging and Monitoring
• Logging and monitoring are key elements in maintaining devices on the network
• Monitor network and Internet traffic
• Track down and pinpoint problems
• Establish baselines
Logging Severity Levels
• Administrators define the severity level at which the FortiGate unit records log information
• All messages at, or above, the minimum severity level will be logged
• Emergency = System unstable
• Alert = Immediate action required
• Critical = Functionality affected
• Error = Error exists that can affect functionality
• Warning = Functionality could be affected
• Notification = Info about normal events
• Information = General system information
• Debug = Debug log messages
Log Severity Level
• Example log message:
2010-01-11 14:23:37 log_id=0104032126 type=event subtype=admin pri=notification vd=root user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"
• The log severity level is indicated in the pri field of the log message; here pri=notification = normal event
Deleting Logs
• Delete all local logs, log archives, and user-configured report templates using this command:
exec log-report reset
• Also restores the default UTM activity report if it has been modified
Log Storage Locations
• Local logging
• Remote logging (Syslog, SNMP)
Log Types
Event logs
Traffic logs
Attack logs
Antivirus logs
Web filter logs
Email filter logs
DLP logs
Application control logs
Network scan logs
• Antivirus, web filter, email filter, DLP, application control and the other security-feature logs are grouped together as UTM logs
Viewing Log Messages in Web Config
Log Viewer Filtering
• Use Filter Settings to customize the display of log messages to show specific information in log messages
• Reduce the number of log entries that are displayed
• Easily locate specific information
Log Viewer Filtering
• Example: View only UTM log messages recorded between 4:00 and 5:00 pm
Download Raw Logs
• Raw logs can be downloaded, including archived log messages
• The raw log file is downloaded to the management computer and saved as a text file
• Can be viewed in a text editor such as Notepad
• Log file name format: <log name><number>.log (for example: elog0101.log)
Viewing Log Messages (Raw)
• Fields in each log message are arranged into two groups:
• Log header
2011-01-08 12:55:06 log_id=32001 type=dlp subtype=dlp pri=notice vd=root
• Log body
policyid=1 identidx=0 serial=73855 src="10.10.10.1" sport=1190 src_port=1190 srcint=internal dst="192.168.1.122" dport=80 dst_port=80 dst_int="wan1" service="https" status="detected" hostname="example.com" url="/image/trees_pine_forest/" msg="data leak detected(Data Leak Prevention Rule matched)" rulename="All-HTTP" action="log-only" severity=1
• The type and subtype fields = log file that the message is recorded in (for example, data leak prevention)
• policyid = ID number of the firewall policy matching the session
• Each message has a unique log_id number that helps to identify it
• status = action taken by the FortiGate unit
• msg = activity that was recorded, for example, DLP detected (matched the rule called All-HTTP in the DLP sensor)
• action = how the FortiGate unit deals with the activity, for example, log the event only
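As an added example (not part of the training module), the following Python script parses raw FortiGate key=value log lines into their header and body fields, ranks the pri value against the eight severity levels, and applies the minimum-severity, log-type and time-of-day filtering described on the severity and Log Viewer Filtering slides. The sample input is the two messages shown in this module plus one constructed web filter message; the function names and the placeholder log_id are my own.

```python
import re
from datetime import datetime, time

# FortiGate severity levels, most to least severe (index 0 = emergency).
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]
# Short spellings that appear in raw logs, e.g. pri=notice on the DLP slide.
SEVERITY_ALIASES = {"notice": "notification", "info": "information",
                    "warn": "warning", "err": "error", "crit": "critical",
                    "emerg": "emergency"}
# Fields that belong to the log header; everything else is log body.
HEADER_FIELDS = ("log_id", "type", "subtype", "pri", "vd")
# key=value pairs: value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def severity_rank(pri):
    """Return 0 (emergency) .. 7 (debug); unknown values rank as debug."""
    name = SEVERITY_ALIASES.get(pri.lower(), pri.lower())
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else 7


def parse_log(line):
    """Split one raw line into its timestamp, header fields and body fields."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')  # curly quotes
    date, clock, rest = line.split(" ", 2)
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    header, body = {}, {}
    for key, quoted, bare in FIELD_RE.findall(rest):
        value = quoted if bare == "" else bare
        (header if key in HEADER_FIELDS else body)[key] = value
    return {"timestamp": ts, "header": header, "body": body}


def filter_logs(lines, min_severity="information", types=None,
                start=None, end=None):
    """Keep messages at or above min_severity (as the FortiGate minimum level
    setting does), optionally restricted to the given log types and to a
    time-of-day window given as "HH:MM" strings, like the Log Viewer filter."""
    limit = severity_rank(min_severity)
    lo = time.fromisoformat(start) if start else None
    hi = time.fromisoformat(end) if end else None
    kept = []
    for line in lines:
        rec = parse_log(line)
        if severity_rank(rec["header"].get("pri", "debug")) > limit:
            continue
        if types and rec["header"].get("type") not in types:
            continue
        t = rec["timestamp"].time()
        if (lo is not None and t < lo) or (hi is not None and t > hi):
            continue
        kept.append(rec)
    return kept


# Constructed sample input: the two messages shown on the slides plus one
# made-up web filter message (its log_id is a placeholder) in the 4-5 pm window.
SAMPLE_LOGS = [
    '2010-01-11 14:23:37 log_id=0104032126 type=event subtype=admin '
    'pri=notification vd=root user=admin ui=GUI(192.168.96.1) seq=3 '
    'msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"',
    '2011-01-08 12:55:06 log_id=32001 type=dlp subtype=dlp pri=notice vd=root '
    'policyid=1 identidx=0 serial=73855 src="10.10.10.1" sport=1190 '
    'dst="192.168.1.122" dport=80 service="https" status="detected" '
    'msg="data leak detected(Data Leak Prevention Rule matched)" '
    'rulename="All-HTTP" action="log-only" severity=1',
    '2011-01-08 16:30:00 log_id=PLACEHOLDER type=webfilter subtype=urlfilter '
    'pri=warning vd=root msg="constructed sample for the 4-5 pm window"',
]

if __name__ == "__main__":
    for r in filter_logs(SAMPLE_LOGS, "warning", start="16:00", end="17:00"):
        print(r["timestamp"], r["header"]["type"], r["body"].get("msg"))
```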
SQL Logging
• SQL database feature enabled by default on FortiGate devices with an internal hard disk (51B, 60C, 81C, 111C, 200B, 311B, 621B) or a removable hard disk
• If upgrading from older firmware versions, a pop-up dialog is presented to the administrator on first login: "To enable SQL and convert any existing logs to SQL format, please click Go"
• Or click "Remind me later"
Unified UTM Log Access
• Central location for all UTM messages (antivirus, DLP, application control, email filter etc.)
• UTM Type indicates which UTM feature logged the message
• Example: DLP log message
Logging to a FortiAnalyzer Device
• Fortinet Discovery Protocol (FDP) is used to locate the FortiAnalyzer device
• The FortiGate unit registers with the FortiAnalyzer device
• SSL-secured OFTP is used to encrypt communications between FortiGate and FortiAnalyzer devices:
config log fortianalyzer setting
    set enc-algorithm
Logging to a FortiAnalyzer Device
• Real-time upload of logs to the FortiAnalyzer device is disabled by default on FortiGate devices with a hard drive. To enable:
config log fortianalyzer setting
    set status enable
    set server <FAZ_IP_Address>
    set enc-algorithm disable
    set upload-option realtime
end
• The default upload-option is "store-and-upload"
• Note that set enc-algorithm disable turns off the SSL encryption of the OFTP channel, so logs cross the network in clear text; keep encryption enabled unless the link is protected by other means
• CLI or Web Config can be used to configure the settings for uploading logs to FortiAnalyzer or FortiGuard Analytics Service: config log request-fgt upload [set|get]
• Logging Buffer rate setting (20 to 20,000) in CLI only
• Upload Time Period setting only available in Web Config after it is configured in the CLI (daily, weekly or monthly)
Store-and-Upload
• Default FortiGuard Analytics Service/FortiAnalyzer logging behavior for models with a hard drive
• Daily, weekly or monthly upload option
• Log event created for each upload action
• Hard-coded thresholds for auto upload when the hard drive maximum quota is reached: if 70% capacity is reached, then upload 20% of the oldest logs
• FortiGate models without a hard drive will still send logs in real-time
Device Registration
• Options for handling an unregistered device that connects:
• Ignore connection
• Allow connection but do not keep data
• Allow connection and keep some data
• Add as registered and keep data (DEFAULT)
Logging to Multiple FortiAnalyzer Devices
• Diagram: different log types (event logs, web filter logs, traffic logs) sent to FortiAnalyzer1, FortiAnalyzer2 and FortiAnalyzer3
Uploading Logs to FTP Server
• Text format allows for easier viewing using text editors
• Only available for FortiGate models with hard drives and only for uploading to an FTP server
    set upload enable
    set upload-destination ftp-server
    set uploadip 172.16.120.154
    set uploadport 443
    set uploaduser test_user
    set uploadpass 123456
    set uploaddir C:\Logs_FGT
    set uploadtype appctrl attack dlp event spamfilter traffic virus webfilter
    set uploadzip enable
    set uploadformat text
    set uploadsched enable
    set uploadtime 7
Content Archiving
• Log and archive copies of content transmitted over the network
• Summary archives: metadata only
• Full archives: summary and hyperlink to the archived file or message
• Enabled through Data Leak Prevention rules
• When logging to multiple FortiAnalyzer units, DLP archives can be sent to both the second and third FortiAnalyzer units, which avoids any lost DLP archives
Alert Email
• Send notification to an email address upon detection of a defined event
• Identify the SMTP server name
• Configure at least one DNS server
• Up to three recipients per mail server
SNMP
• Diagram: SNMP manager; managed device (FortiGate unit) running an SNMP agent with the Fortinet MIB
• Traps received by the agent are sent to the SNMP manager
• Configure the FortiGate unit interface for SNMP access
• Compile and load Fortinet-supplied MIBs into the SNMP manager
• Create SNMP communities to allow connection from the FortiGate unit to the SNMP manager
Reporting
• Default Report
• Report Editor
• Historical Reports
• Report Options: select Options in the Report Editor
Monitors
• Monitor sub-menus found in Web Config for all main function menus
• User-friendly display of monitored information
• View activity of a specific feature being monitored such as Firewall, UTM, VPN, Router, WiFi, Endpoint Security etc.
• Example: Firewall Monitor, which includes Session, Policy, Load Balance and Traffic Shaper monitors
• Session: current sessions on the network
• Policy: firewall policy traffic occurring on the unit
• Load Balance: list of individual servers and real servers
• Traffic Shaper: traffic shaper activity on the unit
Labs
• Lab - Logging and Monitoring
• Exploring Web Config Monitoring
• Customizing the System Dashboard
• Configuring Email Alerts
• Enabling Logging to a FortiAnalyzer Device