Traffic logging

Traffic logging

When you enable logging on a security policy, the FortiGate unit records the scanning process activity that occurs, as well as whether the FortiGate unit allowed or denied the traffic according to the rules stated in the security policy. This information can provide insight into whether a security policy is working properly, as well as if there needs to be any modifications to the security policy, such as adding traffic shaping for better traffic performance.

Depending on what the FortiGate unit has in the way of resources, there may be advantages in optimizing the amount of logging taking places. This is why in each policy you are given 3 options for the logging:

  • Disable Log Allowed Traffic – Does not record any log messages about traffic accepted by this policy.

If you enable Log Allowed Traffic, the following two options are available:

  • Security Events – This records only log messages relating to security events caused by traffic accepted by this policy. l All Sessions – This records all log messages relating to all of the traffic accepted by this policy.

Depending on the model, if the Log all Sessions option is selected there may be 2 additional options. These options are normally available in the GUI on the higher end models such as the FortiGate 600C or larger.

  • Generate Logs when Session Starts l Capture Packets

You can also use the CLI to enter the following command to write a log message when a session starts:

config firewall policy edit <policy-index> set logtraffic-start end

Traffic is logged in the traffic log file and provides detailed information that you may not think you need, but do. For example, the traffic log can have information about an application used (web: HTTP.Image), and whether or not the packet was SNAT or DNAT translated. The following is an example of a traffic log message.

2011-04-13 05:23:47 log_id=4 type=traffic subtype=other pri=notice vd=root status=”start” src=”10.41.101.20″ srcname=”10.41.101.20″ src_port=58115 dst=”172.20.120.100″ dstname=”172.20.120.100″ dst_country=”N/A” dst_port=137 tran_ip=”N/A” tran_port=0 tran_sip=”10.31.101.41″ tran_sport=58115 service=”137/udp” proto=17 app_type=”N/A” duration=0 rule=1 policyid=1 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 src_int=”internal” dst_int=”wan1″ SN=97404 app=”N/A” app_cat=”N/A” carrier_ep=”N/A”

If you want to know more about logging, see the Logging and Reporting chapter in the FortiOS Handbook. If you want to know more about traffic log messages, see the FortiGate Log Message Reference.

 

This entry was posted in Administration Guides, FortiGate on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.