Monitoring

With network administration, the first step is installing and configuring the FortiGate unit to be the protector of the internal network. Once the system is running efficiently, the next step is to monitor the system and network traffic, making configuration changes as necessary when a threat or vulnerability is discovered.

This chapter discusses the various methods of monitoring both the FortiGate unit and the network traffic through a range of different tools available within FortiOS.

 

This section includes the topics:

  • Dashboard
  • sFlow
  • Monitor menus
  • Logging
  • Alert email
  • SNMP
  • SNMP get command syntax

 

Dashboard

The FortiOS dashboard provides a location to view real-time system information. By default, the dashboard displays the key statistics of the FortiGate unit itself, providing the memory and CPU status, as well as the health of the ports, whether they are up or down and their throughput.

 

Widgets

Within the dashboard is a number of smaller windows, called widgets, that provide this status information. Beyond what is visible by default, you can add a number of other widgets that display other key traffic information including application use, traffic per IP address, top attacks, traffic history and logging statistics.

You can add multiple dashboards to reflect what data you want to monitor, and add the widgets accordingly. Dashboard configuration is only available through the web-based manager. Administrators must have read and write privileges to customize and add widgets when in either menu. Administrators must have read privileges if they want to view the information.

 

To add a dashboard and widgets

1. Go to System > Dashboard > Status.

2. Select the Dashboard menu at the top of the window and select Add Dashboard.

3. Enter a name.

4. Select the Widget menu at the top of the window.

5. From the screen, select the type of information you want to add.

6. When done, select the X in the top right of the widget.

Dashboard widgets provide an excellent method to view real-time data about the events occurring on the FortiGate unit and the network. For example, by adding the Network Protocol Usage widget, you can monitor the activity of various protocols over a selected span of time. Based on that information you can add or adjust traffic shaping and/or security policies to control traffic.

 

FortiClient software

The License Information widget includes information for the FortiClient connections. It displays the number of FortiClient connections allowed and the number of users connecting. By selecting the Details link for the number of connections, you can view more information about the connecting user, including IP address, user name, and type of operating system the user is connecting with.

Included with this information is a link for Mac and Windows. Selecting these links automatically downloads the FortiClient install file (.dmg or .exe) to the management computer.

 

sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that may impact performance and throughput. FortiOS implements sFlow version 5.

sFlow uses packet sampling to monitor network traffic. The sFlow Agent captures packet information at defined intervals and sends them to an sFlow Collector for analysis, providing real-time data analysis. The information sent is only a sampling of the data for minimal impact on network throughput and performance.

The sFlow Agent is embedded in the FortiGate unit. Once configured, the FortiGate unit sends sFlow datagrams of the sampled traffic to the sFlow Collector, also called an sFlow Analyzer. The sFlow Collector receives the datagrams, and provides real-time analysis and graphing to indicate where potential traffic issues are occurring. sFlow Collector software is available from a number of third party software vendors.

sFlow data captures only a sampling of network traffic, not all traffic like the traffic logs on the FortiGate unit. Sampling works by the sFlow Agent looking at packets as they arrive on an interface. For each packet, the Agent decides whether it is simply forwarded on to its destination or whether a copy is also sent to the sFlow Collector. The sample used and its frequency are determined during configuration.

sFlow is not supported on virtual interfaces such as vdom link, ipsec, ssl.root or gre. The sFlow datagram sent to the Collector contains the information:

  • Packet header (e.g. MAC, IPv4, IPv6, IPX, AppleTalk, TCP, UDP, ICMP)
  • Sample process parameters (rate, pool etc.)
  • Input/output ports
  • Priority (802.1p and TOS)
  • VLAN (802.1Q)
  • Source/destination prefix
  • Next hop address
  • Source AS, Source Peer AS
  • Destination AS Path
  • Communities, local preference
  • User IDs (TACACS/RADIUS) for source/destination
  • URL associated with source/destination
  • Interface statistics (RFC 1573, RFC 2233, and RFC 2358)

sFlow agents can be added to any type of FortiGate interface. sFlow isn’t supported on some virtual interfaces such as VDOM link, IPsec, gre, and ssl.root.

For more information on sFlow, Collector software and sFlow MIBs, visit www.sflow.org.

 

Configuration

sFlow configuration is available only from the CLI. Configuration requires two steps: enabling the sFlow Agent and configuring the interface for the sampling information.

 

Enable sFlow

config system sflow
    set collector-ip <ip_address>
    set collector-port <port_number>
    set source-ip <ip_address>
end

 

The default port for sFlow is UDP 6343. To configure sFlow within a VDOM, use the commands:

config system vdom-sflow
    set vdom-sflow enable
    set collector-ip <ip_address>
    set collector-port <port_number>
    set source-ip <ip_address>
end

 

Configure the sFlow agent per interface:

config system interface
    edit <interface_name>
        set sflow-sampler enable
        set sample-rate <every_n_packets>
        set sample-direction [tx | rx | both]
        set polling-interval <seconds>
    next
end
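The datagram contents listed above and the per-interface sample-rate setting are easiest to understand from the Collector side. The following Python decoder is an added example written for this page; it is not FortiOS code and not part of any Fortinet or third-party sFlow Collector. It constructs one sFlow v5 datagram carrying a flow sample with a sampling rate of 512 (what `set sample-rate 512` would produce) and a raw packet header record, decodes the fields a Collector relies on (agent address, sequence numbers, source interface, sampling rate, sample pool, drops), and scales the sampled bytes by the sampling rate the way a Collector estimates total interface traffic. The agent address 192.0.2.1, interface indexes and header bytes are constructed sample values.

```python
"""sFlow v5 datagram decoder, an added example for this page (not FortiOS or
Fortinet Collector code). Decodes IPv4 agents, flow samples and raw-packet-header
records; other sample and record types are skipped by their length field."""
import struct
from dataclasses import dataclass, field

SFLOW_VERSION = 5
ADDR_IPV4 = 1            # agent address type
SAMPLE_FLOW = 1          # sample_data format: flow sample (enterprise 0)
RECORD_RAW_HEADER = 1    # flow_data format: raw packet header (enterprise 0)
HEADER_ETHERNET = 1      # header_protocol value for Ethernet frames


@dataclass
class FlowSample:
    sequence: int
    source_id: int       # (source type << 24) | ifIndex of the sampling interface
    sampling_rate: int   # 1 in N packets, i.e. the interface "sample-rate"
    sample_pool: int     # packets seen by the sampler so far
    drops: int           # samples the agent had to drop
    input_if: int
    output_if: int
    raw_headers: list = field(default_factory=list)  # (protocol, frame_len, header)


@dataclass
class Datagram:
    agent_ip: str
    sub_agent_id: int
    sequence: int
    uptime_ms: int
    flow_samples: list = field(default_factory=list)


def _u32(buf, off):
    return struct.unpack_from("!I", buf, off)[0], off + 4


def parse_flow_sample(buf, off, end):
    # seq, source_id, rate, pool, drops, input, output, number of records
    vals = struct.unpack_from("!8I", buf, off)
    off += 32
    fs = FlowSample(*vals[:7])
    for _ in range(vals[7]):
        fmt, off = _u32(buf, off)
        length, off = _u32(buf, off)
        if fmt == RECORD_RAW_HEADER:
            proto, frame_len, _stripped, hdr_len = struct.unpack_from("!4I", buf, off)
            fs.raw_headers.append((proto, frame_len, buf[off + 16:off + 16 + hdr_len]))
        off += length                    # record length already includes padding
    if off != end:
        raise ValueError("flow sample length mismatch")
    return fs


def parse_datagram(buf):
    version, off = _u32(buf, 0)
    if version != SFLOW_VERSION:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_type, off = _u32(buf, off)
    if addr_type != ADDR_IPV4:
        raise ValueError("this example decodes IPv4 agent addresses only")
    agent_ip = ".".join(str(b) for b in buf[off:off + 4])
    sub_agent, seq, uptime, nsamples = struct.unpack_from("!4I", buf, off + 4)
    off += 20
    dg = Datagram(agent_ip, sub_agent, seq, uptime)
    for _ in range(nsamples):
        stype, off = _u32(buf, off)
        slen, off = _u32(buf, off)
        if stype == SAMPLE_FLOW:
            dg.flow_samples.append(parse_flow_sample(buf, off, off + slen))
        off += slen                      # counter samples and other formats skipped
    return dg


def estimate_traffic(dg):
    """Each sampled packet stands for sampling_rate packets on the wire."""
    pkts = octets = 0
    for fs in dg.flow_samples:
        for _proto, frame_len, _hdr in fs.raw_headers:
            pkts += fs.sampling_rate
            octets += frame_len * fs.sampling_rate
    return pkts, octets


def build_sample_datagram():
    """Constructed datagram with sample values; nothing here came from a FortiGate."""
    hdr = bytes.fromhex("ffffffffffff00112233445508004500002c")   # 18 header bytes
    padded = hdr + b"\0" * (-len(hdr) % 4)                         # XDR pads to 4
    rec = struct.pack("!4I", HEADER_ETHERNET, 1500, 4, len(hdr)) + padded
    rec = struct.pack("!II", RECORD_RAW_HEADER, len(rec)) + rec
    # flow sample: seq 1, source ifIndex 3, rate 512, pool 512, drops 0, in 3, out 4, 1 record
    fs = struct.pack("!8I", 1, 3, 512, 512, 0, 3, 4, 1) + rec
    fs = struct.pack("!II", SAMPLE_FLOW, len(fs)) + fs
    head = struct.pack("!II4s4I", SFLOW_VERSION, ADDR_IPV4,
                       bytes([192, 0, 2, 1]), 0, 7, 123456, 1)
    return head + fs
```

On a real Collector the datagram sequence number, the sample pool and the drops counter are the fields worth watching: gaps in the sequence or a climbing drops value mean the Agent is falling behind, so the scaled traffic estimate is lower than what actually crossed the interface.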

 

Monitor menus

The Monitor menus enable you to view session and policy information and other activity occurring on your FortiGate unit. The monitors provide the details of user activity, traffic and policy usage to show live activity. Monitors are available for DHCP, routing, security policies, traffic shaping, load balancing, security features, VPN, users, WiFi, and logging.

 

Logging

FortiOS provides a robust logging environment that enables you to monitor, store, and report traffic information and FortiGate events, including attempted logins and hardware status. Depending on your requirements, you can log to a number of different hosts.

To configure logging in the web-based manager, go to Log & Report > Log Config > Log Settings. To configure logging in the CLI use the commands config log <log_location>.

For details on configuring logging see the Logging and Reporting Guide.

If you will be using several FortiGate units, you can also use a FortiAnalyzer unit for logging. For more information, see the FortiAnalyzer Administration Guide.

 

FortiCloud

The FortiCloud is a subscription-based hosted service. With this service, you can have centralized management, logging, and reporting capabilities available in FortiAnalyzer and FortiManager platforms, without any additional hardware to purchase, install or maintain. In most cases, FortiCloud is the recommended location for saving and viewing logs.

This service includes a full range of reporting, analysis and logging, firmware management and configuration revision history. It is hosted within the Fortinet global FortiGuard Network for maximum reliability and performance, and its reporting and drill-down analysis widgets make it easy to develop custom views of network and security events.

The FortiGate unit sends log messages to the FortiCloud using TCP port 443. Configuration is available once a user account has been set up and confirmed. To enable the account on the FortiGate unit, go to System > Dashboard > Status, in the License Information widget select Activate, and enter the account ID.

For FortiCloud traffic, you can identify a specific port/IP address for logging traffic. Configuration of these services is performed in the CLI, using the command set source-ip. When configured, this becomes the dedicated port to send this traffic over.

For example, to set the source IP of the FortiCloud server to be on the DMZ1 port with an IP of 192.168.4.5, the commands are:

config log fortiguard setting
    set status enable
    set source-ip 192.168.4.5
end

From the FortiGate unit, you can configure the connection and sending of log messages to be sent over an SSL tunnel to ensure log messages are sent securely. To do this, use the CLI commands to enable the encrypted connection and define the level of encryption.

config log fortiguard setting
    set status enable
    set enc-algorithm {default | high | low | disable}
end

 

FortiGate memory

Logs are saved to the internal memory by default. Inexpensive yet volatile, logging to memory is a simple option for basic event logs or for verifying traffic, AV or spam patterns. However, because logs are stored in the limited space of the internal memory, only a small amount is available for logs. As a result, logs fill up and older entries are overwritten by new ones, so the memory log is of little use for historical analysis. This is especially true for traffic logs. Also, should the FortiGate unit be shut down or rebooted, all log information will be lost.

 

FortiGate hard disk

For those FortiGate units with an internal hard disk or SDHC card, you can store logs to this location. Efficient and local, the hard disk provides a convenient storage location. If you choose to store logs in this manner, remember to backup the log data regularly.

Configuring log disk settings is performed in the CLI using the commands:

config log disk setting
    set status enable
end

 

Further options are available when enabled to configure log file sizes, and uploading/backup events.

As well, note that the write speed of a hard disk compared to the rate of ongoing traffic logging may cause log entries to be dropped. As such, it is recommended that traffic logging be sent to a FortiAnalyzer or other device meant to handle large volumes of data.

 

Syslog server

Syslog is an industry standard for collecting log messages for off-site storage. In the web-based manager, you are able to send logs to a single syslog server; however, in the CLI you can configure up to three syslog servers, each with its own configuration options. For example, you can send traffic logs to one server and antivirus logs to another.

The FortiGate unit sends Syslog traffic over UDP port 514. Note that if a secure tunnel is configured for communication to a FortiAnalyzer unit, then Syslog traffic will be sent over an IPsec connection, using UDP 500/4500 and IP protocol 50 (ESP).

To configure a Syslog server in the web-based manager, go to Log & Report > Log Config > Log Settings. In the CLI use the commands:

config log syslogd setting
    set status enable
    set server <IP address or FQDN of syslog server>
end

 

Further options are available when enabled to configure a different port, facility and server IP address.

For Syslog traffic, you can identify a specific port/IP address for logging traffic. Configuration of these services is performed in the CLI, using the command set source-ip. When configured, this becomes the dedicated port to send this traffic over.

For example, to set the source IP of a Syslog server to be on the DMZ1 port with an IP of 192.168.4.5, the commands are:

config log syslogd setting
    set status enable
    set source-ip 192.168.4.5
end
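The section above describes the syslog server as the off-site destination (UDP 514) and notes that the CLI lets you split log types across up to three servers. The following Python receiver and parser is an added example for this page, not Fortinet code: it decodes the RFC 3164 `<PRI>` facility and severity that precedes each message, splits the space-separated key=value body that FortiOS log messages use (quoted values may contain spaces), groups records by log type the way separate syslog servers would, and flags source addresses with repeated failed administrator logins, the kind of event the Logging section says FortiOS records. The sample lines, the device name FGT-LAB and all addresses are constructed for this example; `serve()` binds UDP 514 only when you call it, and that port normally needs root.

```python
"""FortiGate-style syslog receiver and parser, an added example for this page
(not Fortinet code). The sample lines are constructed; field names follow the
key=value layout FortiOS uses in its log messages."""
import re
import socket
from collections import Counter, defaultdict

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI = re.compile(r"^<(\d{1,3})>")
# key=value pairs; values are either "quoted, may contain spaces" or bare tokens
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def decode_pri(pri):
    """RFC 3164: PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"invalid PRI {pri}")
    facility, severity = divmod(pri, 8)
    return facility, SEVERITIES[severity]


def parse_line(line):
    m = _PRI.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    fields = {}
    for key, value in _KV.findall(line[m.end():]):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return {"facility": facility, "severity": severity, "fields": fields}


def route_by_type(records):
    """Group records by the FortiOS 'type' field (traffic, event, utm, ...),
    the same split the CLI lets you make between syslog servers."""
    routed = defaultdict(list)
    for rec in records:
        routed[rec["fields"].get("type", "unknown")].append(rec)
    return dict(routed)


def failed_admin_logins(records, threshold=2):
    """Source IPs with at least `threshold` failed administrator logins."""
    per_ip = Counter(
        rec["fields"].get("srcip", "?")
        for rec in records
        if rec["fields"].get("action") == "login"
        and rec["fields"].get("status") == "failed"
    )
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def serve(host="0.0.0.0", port=514):
    """Receive datagrams from a FortiGate (UDP 514) and yield parsed records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, _peer = sock.recvfrom(65535)
            yield parse_line(data.decode("utf-8", errors="replace"))


# Constructed sample messages, not captured from a real unit.
SAMPLE_LINES = [
    '<189>date=2024-01-15 time=10:01:02 devname="FGT-LAB" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.5 dstip=203.0.113.9 action="accept" sentbyte=512 rcvdbyte=2048',
    '<188>date=2024-01-15 time=10:01:05 devname="FGT-LAB" type="event" subtype="system" '
    'level="warning" user="admin" srcip=198.51.100.7 action="login" status="failed" '
    'msg="Administrator login failed"',
    '<188>date=2024-01-15 time=10:01:09 devname="FGT-LAB" type="event" subtype="system" '
    'level="warning" user="admin" srcip=198.51.100.7 action="login" status="failed" '
    'msg="Administrator login failed"',
    '<190>date=2024-01-15 time=10:01:20 devname="FGT-LAB" type="utm" subtype="virus" '
    'level="information" action="blocked" virus="EICAR_TEST_FILE"',
]
```

Because the transport is plain UDP, nothing in the datagram proves which device sent it; a collector should trust the `devname` field only for messages arriving from the source IP configured with `set source-ip` on the unit, or receive the logs over the IPsec tunnel described above.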

 

FortiAnalyzer

The FortiAnalyzer family of logging, analyzing, and reporting appliances securely aggregate log data from Fortinet devices and other syslog-compatible devices. Using a comprehensive suite of easily-customized reports, users can filter and review records, including traffic, event, virus, attack, Web content, and email data, mining the data to determine your security stance and assure regulatory compliance. FortiAnalyzer also provides advanced security management functions such as quarantined file archiving, event correlation, vulnerability assessments, traffic analysis, and archiving of email, Web access, instant messaging and file transfer content.

The FortiGate unit sends log messages over UDP port 514 or OFTP (TCP 514). If a secure connection has been configured, log traffic is sent over UDP port 500/4500 and IP protocol 50 (ESP).

For FortiAnalyzer traffic, you can identify a specific port/IP address for logging traffic. Configuration of these services is performed in the CLI, using the command set source-ip. When configured, this becomes the dedicated port to send this traffic over.

For example, to set the source IP of a FortiAnalyzer unit to be on port 3 with an IP of 192.168.21.12, the commands are:

config log fortianalyzer setting
    set status enable
    set source-ip 192.168.21.12
end

 

Sending logs using a secure connection

From the FortiGate unit, you can configure the connection and sending of log messages over an SSL tunnel to ensure log messages are sent securely. To do this, use the CLI commands below to enable the encrypted connection and define the level of encryption.

You must configure the secure tunnel on both ends: the FortiGate unit and the FortiAnalyzer unit.

 

To configure a secure connection to the FortiAnalyzer unit

On the FortiAnalyzer unit, enter the commands:

config log device
    edit <device_name>
        set secure psk
        set psk <name_of_IPsec_tunnel>
        set id <fortigate_device_name_on_the_fortianalyzer>
    next
end

 

To configure a secure connection on the FortiGate unit

On the FortiGate CLI, enter the commands:

config log fortianalyzer setting
    set status enable
    set server <ip_address>
    set localid <name_of_IPsec_tunnel>
end

 

Configuring an SSL connection

An SSL connection can be configured between the two devices, and an encryption level selected. Use the CLI commands to configure the encryption connection:

config log fortianalyzer setting
    set status enable
    set enc-algorithm {default* | high | low | disable}
end

 

The default encryption automatically sets the high and medium encryption algorithms. The algorithms used for high, medium, and low follow the OpenSSL definitions:

  • High – Key lengths larger than 128 bits, and some cipher suites with 128-bit keys. Algorithms are: DHE-RSA-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:AES128-SHA
  • Medium – Key strengths of 128 bit encryption. Algorithms are: RC4-SHA:RC4-MD5:RC4-MD
  • Low – Key strengths of 64 or 56 bit encryption algorithms but excluding export cipher suites. Algorithms are: EDH-RSA-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5.

If you want to use an IPsec tunnel to connect to the FortiAnalyzer unit, you need to first disable the enc-algorithm:

config log fortianalyzer setting
    set status enable
    set enc-algorithm disable

Then set the IPsec encryption:

    set encrypt enable
    set psksecret <preshared_IPsec_tunnel_key>
end

This entry was posted in FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

3 thoughts on “Monitoring”

    1. Mike (Post author)

      When you say real time monitoring are you asking specifically about the ability to tell when it is up and down?

  1. Sha

    Hi Mike,

    I am new to FortiGate, using a FortiGate 100F. Could you help me out with why the web GUI is always not accessible, even though SSH and ping are working? In this case I have to connect via SSH and run the command ‘fnsysctl killall httpsd’, and then I am able to access the web GUI. It happens regularly. If I check the system memory it gives this output:
    80 % used memory .
    diag hard sysinfo memory
    MemTotal: 3702968 kB
    MemFree: 503248 kB
    Buffers: 87356 kB
    Cached: 2003884 kB

    I found somewhere : In case used memory is more than 75%, this may indicate that a further check may be required. The unit is either getting overloaded or there is a memory leak in some process/kernel or there is a lot of cached memory.

    It seems almost 2 GB is cache memory. How do we flush this cache without any system downtime?
    Where can we see the root cause of this issue?

    Thanks and highly appreciated for your blog.
    Sha

