Logging and Monitoring

Upload: katherine-parks

Post on 11-Jan-2016


Page 1: Logging and Monitoring. Module Objectives By the end of this module participants will be able to: Identify the severity levels assigned to logs Define

Logging and Monitoring

Page 2

Module Objectives

• By the end of this module participants will be able to:

• Identify the severity levels assigned to logs

• Define the storage location for log information

• Enable logging for different FortiGate unit events

• View and search logs

• Configure content archiving

• Generate reports from stored log information

Page 3

Logging and Monitoring

Page 4

Logging and Monitoring

• Logging and monitoring are key elements in maintaining devices on the network

• Monitor network and Internet traffic

• Track down and pinpoint problems

• Establish baselines

Page 5

Logging Severity Levels

Emergency

Alert

Critical

Error

Warning

Notification

Information

Debug


Page 6

Logging Severity Levels

• Administrators define the severity level at which the FortiGate unit records log information

• All messages at, or above, the minimum severity level will be logged

• Emergency = System unstable

• Alert = Immediate action required

• Critical = Functionality affected

• Error = Error exists that can affect functionality

• Warning = Functionality could be affected

• Notification = Info about normal events

• Information = General system information

• Debug = Debug log messages

Page 7

Log Severity Level

2010-01-11 14:23:37 log_id=0104032126 type=event subtype=admin pri=notification vd=root user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"

• The log severity level is indicated in the pri field of the log message (here pri=notification, a normal event)

Page 8

Deleting Logs

• Delete all local logs, log archives, and user-configured report templates using this command:

    exec log-report reset

• Also restores the default UTM activity report if it has been modified

Page 9

Log Storage Locations

Diagram: Local logging and Remote logging (Syslog, SNMP)

Page 10

Log Types

Event logs

Traffic logs

Attack logs

Antivirus logs

Web filter logs

Email filter logs

DLP logs

Application control logs

Network scan logs


UTM logs

Page 11

Viewing Log Messages in Web Config

Page 12

Log Viewer Filtering

• Use Filter Settings to customize the display of log messages to show specific information in log messages

• Reduce the number of log entries that are displayed

• Easily locate specific information

Page 13

Log Viewer Filtering

• Example: View only UTM log messages recorded between 4:00 and 5:00 pm

Page 14

Download Raw Logs

• Raw logs can be downloaded, including archived log messages

• The raw log file is downloaded to the management computer and saved as a text file

• Can be viewed in a text editor such as Notepad

• Log file name format: <log name><number>.log (for example: elog0101.log)

Page 15

Viewing Log Messages (Raw)

• Fields in each log message are arranged into two groups:

• Log header

    2011-01-08 12:55:06 log_id=32001 type=dlp subtype=dlp pri=notice vd=root

• Log body

    policyid=1 identidx=0 serial=73855 src="10.10.10.1" sport=1190 src_port=1190 srcint=internal dst="192.168.1.122" dport=80 dst_port=80 dst_int="wan1" service="https" status="detected" hostname="example.com" url="/image/trees_pine_forest/" msg="data leak detected(Data Leak Prevention Rule matched)" rulename="All-HTTP" action="log-only" severity=1

Page 16

Viewing Log Messages (Raw)

• type and subtype = the log file the message is recorded in (for example, data leak prevention)

Page 17

Viewing Log Messages (Raw)

• policyid = id number of the firewall policy matching the session

Page 18

Viewing Log Messages (Raw)

• log_id = each message has a unique log id number that helps to identify it

Page 19

Viewing Log Messages (Raw)

• status = action taken by the FortiGate unit

Page 20

Viewing Log Messages (Raw)

• msg = activity that was recorded, for example, DLP detected (matched the rule called All-HTTP in the DLP sensor)

Page 21

Viewing Log Messages (Raw)

• action = how the FortiGate unit deals with the activity, for example, log the event only
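The log line layout, the "at or above the minimum severity" rule and the viewer filter example from the preceding slides (pages 6, 7, 13 and 15 to 21), worked as an added Python example that is not part of the original training material. It splits raw lines into their key=value fields, ranks the pri field on the emergency-to-debug scale and applies the slide's "UTM messages between 4:00 and 5:00 pm" filter. The two log lines quoted on the slides are used as input together with some constructed ones; treating pri=notice as a spelling of notification, and taking the UTM type names from the uploadtype keywords on the FTP-upload slide, are assumptions of this example.

```python
import re
from datetime import datetime, time

# Severity names as they appear in the FortiGate "pri" field, most severe first.
SEVERITY = ["emergency", "alert", "critical", "error", "warning",
            "notification", "information", "debug"]
# The DLP sample on the slide carries pri=notice; treating it as a spelling of
# "notification" is an assumption made for this example.
PRI_ALIASES = {"notice": "notification", "info": "information"}

# UTM log types, taken from the uploadtype keywords on the FTP-upload slide;
# that these match the values of the "type" field is an assumption.
UTM_TYPES = {"appctrl", "dlp", "spamfilter", "virus", "webfilter"}

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line: str) -> dict:
    """Turn one raw FortiGate log line into a dict of its fields.

    The first two tokens are the date and time; everything after them is the
    header (log_id, type, subtype, pri, vd) followed by the body fields.
    """
    date, clock, fields = line.strip().split(" ", 2)
    record = {"timestamp": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")}
    for key, value in FIELD_RE.findall(fields):
        record[key] = value.strip('"')
    return record


def severity_rank(pri: str) -> int:
    """0 for emergency ... 7 for debug; raises ValueError on an unknown level."""
    name = pri.lower()
    name = PRI_ALIASES.get(name, name)
    return SEVERITY.index(name)


def at_or_above(record: dict, minimum: str) -> bool:
    """True when the record's pri is at or above the configured minimum level,
    i.e. when the unit would record it (lower rank = more severe)."""
    return severity_rank(record["pri"]) <= severity_rank(minimum)


def filter_logs(records, minimum="debug", utm_only=False, start=None, end=None):
    """Apply viewer-style filters: minimum severity, UTM-only, time-of-day window."""
    kept = []
    for r in records:
        if not at_or_above(r, minimum):
            continue
        if utm_only and r.get("type") not in UTM_TYPES:
            continue
        clock = r["timestamp"].time()
        if start is not None and clock < start:
            continue
        if end is not None and clock > end:
            continue
        kept.append(r)
    return kept


# The first two lines are the samples quoted on the slides; the rest are constructed.
SAMPLE_LOGS = [
    '2010-01-11 14:23:37 log_id=0104032126 type=event subtype=admin pri=notification vd=root user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"',
    '2011-01-08 12:55:06 log_id=32001 type=dlp subtype=dlp pri=notice vd=root policyid=1 identidx=0 serial=73855 src="10.10.10.1" sport=1190 src_port=1190 srcint=internal dst="192.168.1.122" dport=80 dst_port=80 dst_int="wan1" service="https" status="detected" hostname="example.com" url="/image/trees_pine_forest/" msg="data leak detected(Data Leak Prevention Rule matched)" rulename="All-HTTP" action="log-only" severity=1',
    '2011-01-08 16:12:44 log_id=99901 type=virus subtype=infected pri=warning vd=root src="10.10.10.7" dst="203.0.113.5" msg="constructed sample: virus detected" action="blocked"',
    '2011-01-08 16:40:02 log_id=99902 type=traffic subtype=allowed pri=notification vd=root src="10.10.10.8" dst="198.51.100.9" msg="constructed sample: session allowed"',
    '2011-01-08 17:30:00 log_id=99903 type=webfilter subtype=urlfilter pri=warning vd=root src="10.10.10.9" msg="constructed sample: URL blocked"',
    '2011-01-08 16:50:10 log_id=99904 type=dlp subtype=dlp pri=debug vd=root msg="constructed sample: debug trace"',
]


def utm_between_four_and_five(min_level="information"):
    """The slide's example: UTM messages recorded between 4:00 and 5:00 pm,
    restricted to the severity levels the unit would have logged."""
    records = [parse_log_line(line) for line in SAMPLE_LOGS]
    return filter_logs(records, minimum=min_level, utm_only=True,
                       start=time(16, 0), end=time(17, 0))


if __name__ == "__main__":
    for r in utm_between_four_and_five():
        print(r["timestamp"], r["type"], r["pri"], r["msg"])
```

With the minimum level left at information, only the constructed virus message survives: the traffic message is not a UTM type, the web filter message falls outside the window, and the debug-level DLP message is below the minimum. Lowering the minimum to debug brings that DLP message back, which is the same effect the slide describes for the unit's own logging threshold.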

Page 22

SQL Logging

• SQL database feature enabled by default on FortiGate devices with an internal hard disk (51B, 60C, 81C, 111C, 200B, 311B, 621B) or a removable hard disk

• If upgrading from older firmware versions, a pop-up dialog is presented to the administrator on first login: "To enable SQL and convert any existing logs to SQL format, please click Go"

• Or click "Remind me later"

Page 23

Unified UTM Log Access

• Central location for all UTM messages (antivirus, DLP, application control, email filter etc.)

• UTM Type indicates which UTM feature logged the message

Page 24

Unified UTM Log Access

• Example: DLP log message

Page 25

Logging to a FortiAnalyzer Device

Diagram: FortiGate unit registers with the FortiAnalyzer device

Page 26

Logging to a FortiAnalyzer Device

• Fortinet Discovery Protocol (FDP) used to locate the FortiAnalyzer device

• FortiGate unit registers with the FortiAnalyzer device

• SSL-secured OFTP used to encrypt communications between FortiGate and FortiAnalyzer devices:

    config log fortianalyzer setting
        set enc-algorithm

Page 27

Logging to a FortiAnalyzer Device

• Real-time upload of logs to the FortiAnalyzer device is disabled by default on FortiGate devices with a hard drive. To enable:

    config log fortianalyzer setting
        set status enable
        set server <FAZ_IP_Address>
        set enc-algorithm disable
        set upload-option realtime (default is "store-and-upload")

• CLI or Web Config can be used to configure the settings for uploading logs to FortiAnalyzer or FortiGuard Analytics Service:

    config log request-fgt upload [set|get]

• Logging Buffer rate setting (20 to 20,000) in CLI only

• Upload Time Period setting only available in Web Config after it is configured in the CLI (daily, weekly or monthly)

Page 28

Store-and-Upload

• Default FortiGuard Analytics Service/FortiAnalyzer logging behavior for models with a hard drive

• Daily, weekly or monthly upload option

• Log event created for each upload action

• Hard-coded thresholds for auto upload when the hard drive maximum quota is reached: if 70% capacity is reached, then upload the 20% oldest logs

• FortiGate models without a hard drive will still send logs in real-time

Page 29

Device Registration

Diagram: options for an unregistered device connecting to the FortiAnalyzer:

• Ignore connection

• Allow connection but do not keep data

• Allow connection and keep some data

• Add as registered and keep data (DEFAULT)

Page 30

Logging to Multiple FortiAnalyzer Devices

Diagram: FortiAnalyzer1, FortiAnalyzer2 and FortiAnalyzer3 receiving Event logs, Web filter logs and Traffic logs

Page 31

Uploading Logs to FTP Server

• Text format allows for easier viewing using text editors

• Only available for FortiGate models with hard drives and only for uploading to an FTP server:

    set upload enable
    set upload-destination ftp-server
    set uploadip 172.16.120.154
    set uploadport 443
    set uploaduser test_user
    set uploadpass 123456
    set uploaddir C:\Logs_FGT
    set uploadtype appctrl attack dlp event spamfilter traffic virus webfilter
    set uploadzip enable
    set uploadformat text
    set uploadsched enable
    set uploadtime 7

Page 32

Content Archiving

Diagram: Archive

Page 33

Content Archiving

• Log and archive copies of content transmitted over the network

• Summary archives: metadata only

• Full archives: summary and hyperlink to the archived file or message

• Enabled through Data Leak Prevention rules

• When logging to multiple FortiAnalyzer units, DLP archives can be sent to both the second and third FortiAnalyzer units

• Avoids any lost DLP archives

Page 34

Alert Email

Page 35

Alert Email

• Send notification to an email address upon detection of a defined event

• Identify SMTP server name

• Configure at least one DNS server

• Up to three recipients per mail server

Page 36

SNMP

Diagram: SNMP manager; managed device running the SNMP agent with the Fortinet MIB

Page 37

SNMP

• Traps received by the agent are sent to the SNMP manager

• Configure the FortiGate unit interface for SNMP access

• Compile and load Fortinet-supplied MIBs into the SNMP manager

• Create SNMP communities to allow connection from the FortiGate unit to the SNMP manager

Page 38

Reporting

Diagram: Report

Page 39

Reporting

• Default Report

Page 40

Reporting

• Report Editor

Page 41

Reporting

• Historical Reports

Page 42

Report Options

• Select Options in Report Editor

Page 43

Monitors

• Monitor sub-menus found in Web Config for all main function menus

• User-friendly display of monitored information

• View activity of a specific feature being monitored such as Firewall, UTM, VPN, Router, WiFi, Endpoint Security etc.

Page 44

Monitor

• Example: Firewall Monitor

• Includes Session, Policy, Load Balance and Traffic Shaper monitors

• Session: Current sessions on the network

• Policy: Firewall policy traffic occurring on the unit

• Load Balance: List of individual server and real servers

• Traffic Shaper: Traffic shaper activity on the unit

Page 45

Labs

• Lab - Logging and Monitoring

• Exploring Web Config Monitoring

• Customizing the System Dashboard

• Configuring Email Alerts

• Enabling Logging to a FortiAnalyzer Device

Page 46

Student Resources