Advanced logging – FortiOS 6

Viewing logs from the CLI

You can easily view log messages from within the CLI. In this example, we are viewing DLP log messages.

  1. Log in to the CLI and then enter the following to configure the display of the DLP log messages.

execute log filter category 9
execute log filter start-line 1
execute log filter view-lines 20

Customizing the display of log messages in the CLI is similar to customizing it in the web-based manager. In this example, category 9 selects the DLP log messages, start-line 1 is the first line in the log database table for DLP log messages, and view-lines 20 means 20 lines will be displayed.

  2. Enter the following to view the log messages:

execute log display

The following appears below execute log display:

600 logs found
20 logs returned

followed by the 20 DLP log messages.
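The filter/display pair above pages through the log table 20 lines at a time. The following added Python helper (not from the FortiOS guide) builds the three execute log filter commands for one page and parses the "600 logs found" / "20 logs returned" lines that execute log display prints, so a script can compute the next start-line; the device output it parses is a constructed sample, because the FortiGate CLI is not available offline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
DLP_CATEGORY = 9  # category number the procedure above uses for DLP logs
FOUND_RE = re.compile(r"^(\d+) logs found\.?$")
RETURNED_RE = re.compile(r"^(\d+) logs returned\.?$")
# Constructed sample of what `execute log display` prints; not real device output.
SAMPLE_OUTPUT = """\
600 logs found.
2 logs returned.
1: date=2018-06-01 time=10:00:01 type="utm" subtype="dlp" action="block" filename="constructed1.pdf"
2: date=2018-06-01 time=10:00:05 type="utm" subtype="dlp" action="log-only" filename="constructed2.docx"
"""

def filter_commands(category: int, start_line: int, view_lines: int) -> List[str]:
    """The three `execute log filter` commands that select one page of the log table."""
    return [
        f"execute log filter category {category}",
        f"execute log filter start-line {start_line}",
        f"execute log filter view-lines {view_lines}",
    ]

@dataclass
class DisplayPage:
    found: int            # total logs matching the filter ("600 logs found")
    returned: int         # lines on this page ("20 logs returned")
    messages: List[str]   # the log lines themselves

def parse_display(output: str) -> DisplayPage:
    """Split `execute log display` output into its two count lines and the log lines."""
    found = returned = None
    messages: List[str] = []
    for line in (l.strip() for l in output.splitlines() if l.strip()):
        if (m := FOUND_RE.match(line)):
            found = int(m.group(1))
        elif (m := RETURNED_RE.match(line)):
            returned = int(m.group(1))
        else:
            messages.append(line)
    if found is None or returned is None:
        raise ValueError("output lacks the 'logs found' / 'logs returned' lines")
    if returned != len(messages):
        raise ValueError(f"device reported {returned} lines but {len(messages)} were parsed")
    return DisplayPage(found, returned, messages)

def next_start_line(page: DisplayPage, start_line: int) -> Optional[int]:
    """start-line for the following page, or None once the last matching log was shown."""
    following = start_line + page.returned
    return following if following <= page.found else None
```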

Configuring NAC Quarantine logging

NAC Quarantine log messages provide information about what was banned and quarantined by an Antivirus profile. The following explains how to configure NAC Quarantine logging and enable it on a policy. This procedure assumes the Antivirus profile is already in place.

To configure NAC quarantine logging

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select the policy that you want to apply the Antivirus profile to, and then select Edit.
  3. Within the Security Profiles section, enable Antivirus and then select the profile from the drop-down list.
  4. Select OK.


  5. Log in to the CLI.
  6. Enter the following to enable NAC Quarantine logging in the Antivirus profile:

config antivirus profile
edit <profile_name>
config nac-quar
set log enable
end
end

Logging local-in policies

Local-in security policies are policies that control the flow of internal traffic, and can be used to broaden or restrict an administrator’s access privileges. These local-in policies can also be configured to log the traffic and activity that they control.

You can enable logging of local-in policies in the CLI, with the following commands:

config system global
set gui-local-in-policy enable
end

The Local-In Policy page will then be available in Policy & Objects > Local In Policy. You can configure what local-in traffic to log in the CLI, or in Log & Report > Log Settings, under Local Traffic Logging.

When deciding what local-in policy traffic you want logged, consider the following:

Special Traffic

Traffic activity | Traffic direction | Description
FortiGuard update announcements | IN | All push announcements of updates coming from the FortiGuard system, for example IPS or AV updates.
FortiGuard update requests | OUT | All updates that are checking for antivirus or IPS as well as other FortiGuard service updates.
Firewall authentication | IN | The authentication made using either the web-based manager or CLI.
Central management (a FortiGate unit being managed by a FortiManager unit) | IN | The access that a FortiManager has managing the FortiGate unit.
DNS | IN | All DNS traffic.
DHCP/DHCP Relay | IN | All DHCP and/or DHCP Relay traffic.
HA (heartbeat sync policy) | IN/OUT | For high-end platforms with a backplane heartbeat port.
HA (session sync policy) | IN/OUT | This gets information from the CMDB and is updated by the session sync daemon.
CAPWAP | IN | This activity is logged only when HAVE_CAPWAP is defined.
RADIUS | IN | This is recorded only within FortiCarrier.
NETBIOS forward | IN | Any interface on which NETBIOS forward is enabled.
RIP | IN |
OSPF | IN |
VRRP | IN |
BFD | IN |
IGMP | IN | This is recorded only when PIM is enabled.
PIM | IN | This is recorded only when PIM is enabled.
BGP | IN | This is recorded only when config bgp and bgp neighbor is enabled in the CLI.
WCCP policy | IN | Any interface on which WCCP is enabled; however, in Cache mode this is not recorded because it is not available.
WAN Opt/Web Cache | IN | Any interface where WAN Opt is enabled.
WANOpt Tunnel | IN | This is recorded when HAVE_WANOPT is defined.
SSL-VPN | IN | Any interface from a zone where the action in the policy is SSL VPN.
IPSEC | IN |
L2TP | IN |
PPTP | IN |
VPD | IN | This is recorded only when FortiClient is enabled.
Web cache db test facility | IN | This is recorded only when WA_CS_REMOTE_TEST is defined.
GDBserver | IN | This is recorded only when debug is enabled.

Tracking specific search phrases in reports


About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).
