Category Archives: FortiOS 5.4 Handbook

The complete handbook for FortiOS 5.4

How to choose a log device for your network topology

When planning the log requirements, you must also consider your network’s topology and whether archiving is required, such as if there is a legal requirement to keep a historical record of network activity. The following explains what steps to take when choosing a log device for your specific network topology.

1. What is the scope of your network topology?

If it is a SOHO/SMB network, then logging to the FortiGate unit’s local hard disk or the default FortiCloud service would be efficient. If the network topology is a large enterprise, you will need FortiAnalyzer units, a FortiCloud contract, Syslog servers, or any combination.

2. Is archiving required?

If the network activity that is being logged needs to be archived, then, depending on your network topology, you would choose a FortiAnalyzer unit. FortiAnalyzer units store archives in the same way that FortiGate units do, but are able to store large amounts of logs and archives.

3. When troubleshooting, you may want to log a larger amount of traffic; how much storage space will you need?

Logs can be configured to roll, which is similar to zipping a file; this will lower the space requirements needed to contain them. You can also download logs from the FortiGate unit and save them on a server or on a computer to view and access later, to prevent them from piling up and being overwritten. If you’re regularly logging large amounts of traffic, you should consider a FortiAnalyzer or FortiCloud account.

4. Should I invest in a log device that can grow as my network grows?

All networks grow, so investing in a device that can grow with your network and that can be expanded is a good investment. For example, if you currently have a SOHO/SMB topology, but see growth already starting, a FortiAnalyzer unit would be best. A FortiAnalyzer unit provides ample storage space, and you can add two more FortiAnalyzer units to access additional storage and create a redundancy log backup solution.

Log files and types

As log messages are recorded, they are also sorted into different log files. Each log file contains the log messages that belong to that log type; for example, traffic log messages are put in the traffic log file.

When downloading the log file from within Log & Report, the file name indicates the log type and the device on which it is stored, as well as the date, time, and a unique id for that log.

This name is in the format <logtype>-<logdevice>-<date>T<time>.<id>.log. For example, AntiVirusLog-disk-2012-09-13T11_07_57.922495.log.

Below, each of the different log files is explained. Traffic and Event logs come in multiple types, but all contain the base type, such as ‘Event’, in the filename.

 

Log Types based on network traffic

Log Type                Description
Traffic                 The traffic logs record all traffic to and through the FortiGate interface. Different categories monitor different kinds of traffic, whether it be forward, local, or sniffer.
Event                   The event logs record management and activity events within the device in particular areas: System, Router, VPN, User, Endpoint, HA, WAN Opt./Cache, and WiFi. For example, when an administrator logs in or logs out of the web-based manager, it is logged both in System and in User events.
Antivirus               The antivirus log records virus incidents in Web, FTP, and email traffic.
Web Filter              The web filter log records HTTP FortiGate log rating errors including web content blocking actions that the FortiGate unit performs.
Application Control     The application log records application usage, monitoring or blocking as configured in the security profiles.
Intrusion               The intrusion log records attacks that are detected and prevented by the FortiGate unit.
Email Filter            The email filter log records blocking of email address patterns and content in SMTP, IMAP, and POP3 traffic.
Vulnerability Scan      The Vulnerability Scan (Netscan) log records vulnerabilities found during the scanning of the network.
Data Leak Prevention    The Data Leak Prevention log records log data that is considered sensitive and that should not be made public. This log also records data that a company does not want entering their network.
VoIP                    The VoIP log records VoIP traffic and messages. It only appears if VoIP is enabled on the Administrator Settings page.


Log database and datasets

The log database, also known as the SQL log database, is used to store logs on FortiGate units that have a built-in hard disk. The log database uses Structured Query Language (SQL); specifically, it uses SQLite, which is an embedded Relational Database Management System (RDBMS).

If you have disabled SQL logging and have factory defaults on the FortiGate unit, and then you upgrade the firmware, the upgrade will automatically disable SQL logging. When this occurs, you must re-enable SQL logging manually.

The FortiGate unit creates a database table for each log type, when log data is recorded. If the FortiGate unit is not recording log data, it does not create log tables for that device.

The command syntax, get report database schema, allows you to view all the tables, column names and types that are available to use when creating SQL statements for datasets.

If you want to view the size of the database, as well as the log database table entries, use the get log sql status command. This command displays the amount of free space that is available as well as the first and last log database entry time and date.

The output of the get log sql status command contains information similar to the following:

    Database size: 294912
    Free size in database: 0
    Database Page Size: 8192
    Entry number: Event: 49
                  Traffic: 370
                  Attack: 2
                  AntiVirus: 4
                  WebFilter: 254
                  AntiSpam: 2
                  Netscan: 18
                  Total: 699
    First entry time: 2012-09-10 11:41:02
    Last entry time: 2012-09-13 02:59:59
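To make the get log sql status output actionable in a monitoring script, here is an added Python example (it is not part of the handbook or of FortiOS) that parses the output shown above, checks that the per-type entry counts add up to the Total line, flags a database with zero free space, and reports the time span covered by the stored entries. The sample text is the output quoted above embedded as a string; the function and key names are the example's own.

```python
from datetime import datetime

# Constructed sample: the "get log sql status" output quoted in the handbook,
# embedded as a string so the parser can run offline.
SAMPLE_STATUS = """\
Database size: 294912
Free size in database: 0
Database Page Size: 8192
Entry number: Event: 49
              Traffic: 370
              Attack: 2
              AntiVirus: 4
              WebFilter: 254
              AntiSpam: 2
              Netscan: 18
              Total: 699
First entry time: 2012-09-10 11:41:02
Last entry time: 2012-09-13 02:59:59
"""

# CLI labels mapped to the keys used in the parsed result (example's own names).
SIZE_FIELDS = {
    "Database size": "db_size",
    "Free size in database": "free_size",
    "Database Page Size": "page_size",
}
TIME_FIELDS = {
    "First entry time": "first_entry_time",
    "Last entry time": "last_entry_time",
}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_sql_status(text):
    """Parse the CLI output into sizes (int), per-type entry counts (int)
    and first/last entry timestamps (datetime)."""
    status = {"entries": {}}
    in_entries = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Entry number:"):
            # The first count shares its line with the "Entry number:" label.
            in_entries = True
            line = line[len("Entry number:"):].strip()
        # Split at the first colon only: the timestamps contain more colons.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in SIZE_FIELDS:
            status[SIZE_FIELDS[key]] = int(value)
        elif key in TIME_FIELDS:
            in_entries = False
            status[TIME_FIELDS[key]] = datetime.strptime(value, TIME_FORMAT)
        elif in_entries:
            status["entries"][key] = int(value)
    return status


def retention_span(status):
    """Time covered by the entries still held in the database."""
    return status["last_entry_time"] - status["first_entry_time"]


def check_sql_status(status):
    """Findings a log reviewer would want to act on."""
    findings = []
    entries = status["entries"]
    per_type = sum(n for name, n in entries.items() if name != "Total")
    if per_type != entries.get("Total"):
        findings.append("per-type entry counts (%d) do not match Total (%s)"
                        % (per_type, entries.get("Total")))
    if status.get("free_size") == 0:
        findings.append("log database has no free space; the oldest entries "
                        "are at risk of being overwritten")
    return findings


if __name__ == "__main__":
    parsed = parse_sql_status(SAMPLE_STATUS)
    print("entries:", parsed["entries"])
    print("retention:", retention_span(parsed))
    for finding in check_sql_status(parsed):
        print("WARNING:", finding)
```

With the sample above the script reports a retention span of just over two and a half days and a single warning about the full database, which is the kind of signal that tells you the unit has outgrown local disk logging.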

The log database is not only used to store logs, but also used to extract the information for reports. Reports are built from datasets, which are SQL statements that tell the FortiGate unit how to extract the information from the database. You can create your own datasets; however, SQL knowledge is required. Default datasets are available for reports.

 

Notifications about network activity

Alert email messages provide notification about activities or events logged. These email messages also provide notification about log severities that are recorded, such as a critical or emergency.

You can send alert email messages to up to three email addresses. Alert messages are also logged and can be viewed from the Event Log menu, in the System Event log file.

You can use the alert email feature to monitor logs for log messages, and to send email notification about a specific activity or event logged. For example, if you require notification about administrators logging in and out, you can configure an alert email that is sent whenever an administrator logs in and out. You can also base alert email messages on the severity levels of the logs. The FortiGate unit does not currently support SSL/TLS connections for SMTP servers, so you must choose an SMTP server that does not need SSL/TLS when configuring the SMTP server settings.

Before configuring alert email, you must configure at least one DNS server if you are configuring the SMTP server with a Fully Qualified Domain Name (FQDN). The FortiGate unit uses the SMTP server name to connect to the mail server, and must look up this name on your DNS server. You can also specify an IP address.

The default minimum log severity level is Alert. If the FortiGate unit collects more than one log message before an interval is reached, the FortiGate unit combines the messages and sends out one alert email.

 

How to configure email notifications

The following explains how to configure an alert email notification for IPsec tunnel errors, firewall authentication failure, configuration changes and FortiGuard license expiry.

1. In System > Config > Advanced, under Email Service, configure the SMTP server.

The SMTP server settings allow the FortiGate unit to know exactly where the email will be sent from, as well as who to send it to. The SMTP server must be a server that does not support SSL/TLS connections; if the SMTP server does, the alert email configuration will not work. The FortiGate unit does not currently support SSL/TLS connections for SMTP servers.

2. In Log & Report > Log Config > Alert E-mail, enter the source email in the Email From field, and up to three target addresses in the Email To fields.

3. Below the email entry, you can configure the email responses. By default, the Send alert email for the following is enabled. Select the check boxes beside IPsec tunnel errors, Configuration changes and Firewall authentication failure.

These alerts will be sent to the email address specified when the trigger occurs. For example, a user attempts to connect to the branch office of the company but cannot; the FortiGate unit detects an IPsec tunnel error, records the event, and then sends the notice to the email address specified in the SMTP server settings.

4. Select FortiGuard license expiry time: and then enter 10 so that the email notification will be sent ten days prior to the FortiGuard license expiration.

You can choose up to 100 days prior to when the license will expire. The default time is 15 days. By using this alert email notification, you can easily know when to send a re-registration request long before the expiry.

Log messages

Log messages are recorded by the FortiGate unit, giving you detailed information about the network activity. Each log message has a unique number that helps identify it, as well as containing fields; these fields, often called log fields, organize the information so that it can be easily extracted for reports.

These log fields are organized in such a way that they form two groups: the first group, made up of the log fields that come first, is called the log header. The log header contains general information, such as the unique log identification and the date and time that indicate when the activity was recorded. The log body is the second group, and contains all the other information about the activity. No two log message bodies are alike; however, there may be fields common to most log bodies, such as the srcintf or identidx log fields.

The log header also contains information about the log priority level which is indicated in the level field. The priority level indicates the immediacy and the possible repercussions of the logged action. For example, if the field contains ‘alert’, you need to take immediate action with regards to what occurred. There are six log priority levels.

The log severity level is the level at and above which the FortiGate unit records logs. The log severity level is defined by you when configuring the logging location. The FortiGate unit will log all messages at and above the priority level you select. For example, if you select Error, the unit will log only Error, Critical, Alert, and Emergency level messages.

 

Log priority levels

Level               Description
0 – Emergency       The system has become unstable.
1 – Alert           Immediate action is required.
2 – Critical        Functionality is affected.
3 – Error           An error condition exists and functionality could be affected.
4 – Warning         Functionality could be affected.
5 – Notification    Information about normal events.
6 – Information     General information about system operations.


The Debug priority level, not shown above, is rarely used. It is the lowest log priority level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly.

Example log header fields

Log header field        Description
date=(20100803)         The year, month and day of when the event occurred in yyyy-mm-dd format.
time=(12:55:06)         The hour, minute and second of when the event occurred in the format hh:mm:ss.
log_id=(2457752353)     A five or ten-digit unique identification number. The number represents that log message and is unique to that log message. This ten-digit number helps to identify the log message.
type=(dlp)              The section of system where the event occurred.
subtype=(dlp)           The subtype category of the log message.
level=(notice)          The priority level of the event. See the table above.
vd=(root)               The name of the virtual domain where the action/event occurred. If no virtual domains exist, this field always contains root.


Example log body fields

Log body field                  Description
policyid=(1)                    The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero.
identidx=(0)                    The identity-based policy identification number. This field displays zero if the firewall policy does not use an identity-based policy; otherwise, it displays the number of the identity-based policy entry that the traffic matched. This number is not globally unique, it is only locally unique within a given firewall policy.
sessionid=(311)                 The serial number of the firewall session in which the event happened.
srcip=(10.10.10.1)              The source IP address.
srcport=(1190)                  The source port number.
srcintf=(internal)              The source interface name.
dstip=(192.168.1.122)           The destination IP address.
dstport=(80)                    The destination port number.
dstintf=(wan1)                  The destination interface name.
service=(https)                 The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.
status=(detected)               The action the FortiGate unit took.
hostname=(example.com)          The home page of the web site.
url=(/image/trees_pine_forest/) The URL address of the web page that the user was viewing.
msg=(data leak detected (Data Leak Prevention Rule matched))   Explains the FortiGate activity that was recorded. In this example, the data leak that was detected matched the rule, All-HTTP, in the DLP sensor.
rulename=(AllHTTP)              The name of the DLP rule within the DLP sensor.
action=(logonly)                The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no action type is specified, this field displays log-only.
severity=(1)                    The level of severity for that specific rule.

Logs from other devices, such as the FortiAnalyzer unit and Syslog server, contain a slightly different log header. For example, when viewing FortiGate log messages on the FortiAnalyzer unit, the log header contains the following log fields when viewed in the Raw format:

    itime=1302788921 date=20110401 time=09:04:23 devname=FG50BH3G09601792 device_id=FG50BH3G09601792 log_id=0100022901 type=event subtype=system level=notice vd=root

The log body contains the rest of the information of the log message, and this information is unique to the log message itself.

For detailed information on all log messages, see the FortiGate Log Message Reference.
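The header/body split and the severity threshold described above are what you reproduce when processing downloaded Raw logs or a syslog feed off the box. The following Python example is added here and is not FortiOS or Fortinet code: it tokenizes a key=value log message (including double-quoted values such as msg), sorts fields into header and body using the header field names shown on this page (itime, date, time, devname, device_id, log_id or logid, type, subtype, level, vd), and keeps only messages at or above a chosen severity, with an optional NOT-style exclusion on a body field like the one used in the web-based manager filter. The level names, the mapping of the level value notice to the table's Notification level, and the sample lines (the FortiAnalyzer header quoted above with constructed bodies, plus constructed DLP and traffic lines) are the example's own assumptions.

```python
import re

# One key=value token; a value may be double-quoted and then contain spaces.
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Header field names taken from the two header examples on this page
# (FortiGate local log and FortiAnalyzer raw view); everything else is body.
HEADER_FIELDS = {"itime", "date", "time", "devname", "device_id",
                 "log_id", "logid", "type", "subtype", "level", "vd"}

# Priority levels from the handbook's table (0 = most severe) plus debug,
# the lowest. Assumption: the level value "notice" is the table's Notification.
LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
          "warning": 4, "notification": 5, "notice": 5,
          "information": 6, "debug": 7}

# Constructed sample lines. The first header is the FortiAnalyzer raw header
# quoted on this page; all bodies and the other lines are made up for the example.
SAMPLE_LOGS = [
    'itime=1302788921 date=20110401 time=09:04:23 devname=FG50BH3G09601792 '
    'device_id=FG50BH3G09601792 log_id=0100022901 type=event subtype=system '
    'level=notice vd=root msg="constructed event body"',
    'date=2010-08-03 time=12:55:06 log_id=2457752353 type=dlp subtype=dlp '
    'level=notice vd=root policyid=1 identidx=0 sessionid=311 srcip=10.10.10.1 '
    'srcport=1190 srcintf=internal dstip=192.168.1.122 dstport=80 dstintf=wan1 '
    'service=https status=detected hostname=example.com url=/image/trees_pine_forest/ '
    'msg="data leak detected (Data Leak Prevention Rule matched)" '
    'rulename=AllHTTP action=logonly severity=1',
    'date=2010-08-03 time=12:56:00 log_id=0000000013 type=traffic subtype=forward '
    'level=alert vd=root policyid=0 srcip=1.1.1.1 srcport=40000 '
    'dstip=192.168.1.122 dstport=80 action=deny',
    'date=2010-08-03 time=12:57:10 log_id=0000000014 type=traffic subtype=forward '
    'level=alert vd=root policyid=2 srcip=10.10.10.5 srcport=40001 '
    'dstip=192.168.1.122 dstport=443 action=deny',
]


def parse_log_line(line):
    """Split one log message into (header, body) dicts; quotes are stripped."""
    header, body = {}, {}
    for key, value in TOKEN_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        (header if key in HEADER_FIELDS else body)[key] = value
    return header, body


def at_or_above(level_name, minimum):
    """True if level_name is at least as severe as minimum. Unknown names are
    treated as debug so they never pass a threshold by accident."""
    return LEVELS.get(level_name.lower(), 7) <= LEVELS[minimum.lower()]


def select_logs(lines, minimum="error", exclude=None):
    """Keep messages at or above `minimum`, as the unit does when a log
    severity level is set; `exclude` maps a body field to a value to drop,
    like the NOT filter in the web-based manager (e.g. {"srcip": "1.1.1.1"})."""
    kept = []
    for line in lines:
        header, body = parse_log_line(line)
        if not at_or_above(header.get("level", "debug"), minimum):
            continue
        if exclude and any(body.get(k) == v for k, v in exclude.items()):
            continue
        kept.append((header, body))
    return kept


if __name__ == "__main__":
    hits = select_logs(SAMPLE_LOGS, "error", exclude={"srcip": "1.1.1.1"})
    for header, body in hits:
        print(header["level"], header["type"], body)
```

Because the header set is explicit, a field that FortiOS adds in a later release lands in the body rather than being lost, and the severity comparison uses the numeric table values so that "at and above" means the same thing here as in the log settings.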

 

Explanation of a debug log message

Debug log messages are only generated if the log severity level is set to Debug. The Debug severity level is the lowest log severity level and is rarely used. This severity level usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly. Debug log messages are generated by all types of FortiGate features.

The following is an example of a debug log message:

    date=2010-01-25 time=17:25:54 logid=9300000000 type=webfilter subtype=urlfilter level=debug msg="found in cache"

 

Example of a Debug log message

Debug log field         Description
date=(20100125)         The year, month and day of when the event occurred in the format yyyy-mm-dd.
time=(17:25:54)         The hour, minute and second of when the event occurred in the format hh:mm:ss.
logid=(9300000000)      A ten-digit unique identification number. The number represents that log message and is unique to that log message. This ten-digit number helps to identify the log message.
type=(webfilter)        The section of system where the event occurred. There are eleven log types in FortiOS 4.0.
subtype=(urlfilter)     The subtype of the log message. This represents a policy applied to the FortiGate feature in the firewall policy.
level=(debug)           The priority level of the event. There are six priority levels to specify.
msg=(found in cache)    Explains the activity or event that the FortiGate unit recorded.


Viewing log messages and archives

Depending on the log device, you may be able to view logs within the web-based manager or CLI on the FortiGate unit. If you have configured a FortiAnalyzer unit, local hard disk, or system memory, you can view log messages from within the web-based manager or CLI. If you have configured either a Syslog or WebTrends server, you will not be able to view log messages from the web-based manager or CLI. There is also no support for viewing log messages stored on a FortiCloud server, from the FortiGate unit’s web-based manager or CLI.

You do not have to view log messages from only the web-based manager. You can view log messages from the CLI as well, using the execute log display command. This command allows you to see specific log messages that you already configured within the execute log filter command. The execute log filter command configures what log messages you will see, how many log messages you can view at one time (a maximum of 1000 lines of log messages), and the type of log messages you can view. For more information about viewing log messages in the CLI, see “Viewing logs from the CLI”.

There are two log viewing options in FortiOS: Format and Raw. The Raw format displays logs as they appear within the log file. You can view log messages in the Raw format using the CLI or a text editor, such as Notepad. Format is in a more human-readable format, and you can easily filter information when viewing log messages this way. The Format view is what you see when viewing logs in the web-based manager.

When you download the log messages from within the log message page (for example, Log & Report > Traffic Log > Forward Traffic), you are downloading log messages in the Raw format.

 

Viewing log messages in detail

From any log page, you can view detailed information about the log message in the log viewer table, located (by default) at the bottom of the page. Each page contains this log viewer table. The Log Viewer Table can contain the Archive tab, which allows you to see the archived version of the log message. The Archive tab only displays the archived log’s details if archiving is enabled and logs are being archived by the FortiGate unit, but archived logs will also be recorded when using a FortiAnalyzer unit or the FortiCloud service.

When you are viewing traffic log messages, some of the categories (such as ‘Application Name’) have entries that can be selected to open a dialog box containing FortiGuard information about the entry. From within the dialog box, you can select the Reference link and go directly to the corresponding FortiGuard page, which contains additional information.

Viewing logs in Raw format allows you to view all log fields at once, as well as have a log file available regardless of whether you are archiving logs or not. You download the log file by selecting Download Raw Log. The log file is named in the following format: <log_type>-<log_location>-<log_date/time>.<log_number>.log. For example, SystemEventLog-disk-2012-09-19T12_13_46.933949.log, which is an event log. The time period is the day and month of when the log was downloaded, not the time period of the log messages within the file itself.

 

Quarantine

Within the Log & Report menu, you can view detailed information about each quarantined file. The information can either be sorted or filtered, depending on what you want to view.

You must enable quarantine settings within an antivirus profile and the destination must be configured in the CLI using the config antivirus quarantine command. The destination can be either a FortiAnalyzer unit or local disk.

Sort the files by file name, date, service, status, duplicate count (DC), or time to live (TTL). Filter the list to view only quarantined files with a specific status or from a specific service.

On Log & Report > Security Log > Quarantine, the file quarantine list displays the following information about each quarantined file.

 

Quarantine page

Lists all files that are considered quarantined by the unit. On this page you can filter information so that only specific files are displayed on the page.

 

GUI Item                Description
Source                  Either FortiAnalyzer or Local Disk, depending on where you configured quarantined files to be stored.
Sort by                 Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate Count. Select Apply to complete the sort.
Filter                  Filter the list. Choose either Status (infected, blocked, or heuristics) or Service (IMAP, POP3, SMTP, FTP, HTTP, MM1, MM3, MM4, MM7, IM, or NNTP). Select Apply to complete the filtering. Heuristics mode is configurable through the CLI only. If your unit supports SSL content scanning and inspection, Service can also be IMAPS, POP3S, SMTPS, or HTTPS. For more information, see the Security Features chapter of the FortiOS Handbook.
Apply                   Select to apply the sorting and filtering selections to the list of quarantined files.
Delete                  Select to delete the selected files.
Page Controls           Use the controls to page through the list.
Remove All Entries      Removes all quarantined files from the local hard disk. This icon only appears when the files are quarantined to the hard disk.
File Name               The file name of the quarantined file. When a file is quarantined, all spaces are removed from the file name, and a 32-bit checksum is performed on the file. The checksum appears in the replacement message but not in the quarantined file. The file is stored on the FortiGate hard disk with the naming convention <32bit_CRC>.<processed_filename>. For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.
Date                    The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. This value indicates the time that the first file was quarantined if duplicates are quarantined.
Service                 The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, MM1, MM3, MM4, MM7, IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS).
Status                  The reason the file was quarantined: infected, heuristics, or blocked.
Status Description      Specific information related to the status, for example, “File is infected with W32/Klez.h” or “File was stopped by file block pattern.”
DC                      Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL                     Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. The TTL information is not available if the files are quarantined on a FortiAnalyzer unit.
Upload status           Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded. This option is available only if the FortiGate unit has a local hard disk.
Download                Select to download the corresponding file in its original format. This option is available only if the FortiGate unit has a local hard disk.
Submit                  Select to upload a suspicious file to Fortinet for analysis. This option is available only if the FortiGate unit has a local hard disk.
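To relate the checksum that appears in a user's replacement message to the file sitting on the FortiGate disk, the stored-name convention from the File Name row can be reproduced. The Python example below is added here and is not Fortinet code. It assumes the 32-bit checksum is the common CRC-32 (the zlib/IEEE polynomial; the handbook does not say which), that the processed file name is lower-cased as well as stripped of spaces (inferred from the Over Size.exe example above), and it uses a constructed file name with the constructed content 123456789, the standard CRC-32 check input, so the resulting name is predictable.

```python
import re
import zlib

# Constructed sample: a file called "Over Size.exe" whose content is the
# standard CRC-32 check input "123456789" (CRC-32 = cbf43926).
SAMPLE_NAME = "Over Size.exe"
SAMPLE_CONTENT = b"123456789"

# <32bit_CRC>.<processed_filename>: eight hex digits, a dot, then the name.
STORED_RE = re.compile(r"^([0-9a-f]{8})\.(.+)$")


def processed_filename(name):
    """Spaces are removed; lower-casing is inferred from the handbook's
    Over Size.exe -> 3fc155d2.oversize.exe example (assumption)."""
    return name.replace(" ", "").lower()


def file_checksum(content):
    """Assumed to be CRC-32 with the zlib/IEEE polynomial, as 8 hex digits."""
    return "%08x" % (zlib.crc32(content) & 0xFFFFFFFF)


def stored_name(name, content):
    """The on-disk name of a quarantined file."""
    return file_checksum(content) + "." + processed_filename(name)


def split_stored_name(stored):
    """Recover (checksum, processed file name) from an on-disk name."""
    match = STORED_RE.match(stored)
    if not match:
        raise ValueError("not a quarantine file name: %s" % stored)
    return match.group(1), match.group(2)


def find_quarantined(checksum_from_message, stored_names):
    """Given the checksum a user reports from a replacement message, return
    the matching on-disk names (duplicates of one file share a checksum)."""
    wanted = checksum_from_message.lower()
    hits = []
    for stored in stored_names:
        try:
            crc, _ = split_stored_name(stored)
        except ValueError:
            continue  # not a quarantined file, e.g. an unrelated file in the folder
        if crc == wanted:
            hits.append(stored)
    return hits


if __name__ == "__main__":
    on_disk = [stored_name(SAMPLE_NAME, SAMPLE_CONTENT),
               "3fc155d2.oversize.exe", "README"]
    print(on_disk)
    print(find_quarantined("CBF43926", on_disk))
```

The lookup is by checksum only, because that is the one value the user can read off the replacement message; the processed file name is what you then show back to the help desk.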

 

 

Customizing the display of log messages on the web-based manager

Customizing log messages on the web-based manager allows you to remove or add columns from the page and filter the information that appears. For example, you can view only log messages that appeared on December 4, between the hours of 8:00 and 8:30 am.

1. Select the submenu in Log & Report in which you want to customize the display of log messages, such as Log & Report > Traffic Log > Forward Traffic.

2. Right click on the title bar at the top of any column, and uncheck a column title such as Date/Time to remove it from the interface. Check other columns to add them to the interface. When you are finished, click outside the menu and the page will refresh with the new column settings in place.

3. Choose a column you’d like to filter, and select the funnel icon next to the title of the column. For example, select the funnel in the Src (Source) column. In the text field, enter the source IP address 1.1.1.1 and then select the check box beside NOT.

This filters out all log messages that have the 1.1.1.1 source IP address in the source IP log field, such as the ones generated when running log tests in the CLI.

4. Select OK to save the customized settings, and then view the log messages on the page.

Log messages that originate from the 1.1.1.1 source address will no longer appear in the list.

 

How to download log messages and view them on a computer

After recording some activity, you can download log messages to view them from a computer. This can be very useful when in a remote location, if you want to view log messages at your convenience, or to view packet logs or traffic logs.

1. In Log & Report, select the submenu that you want to download log messages from.

For example, Log & Report > Traffic Log > Forward Traffic.

2. Select the Download Raw Log option and save the log file to your computer.

The log file will be downloaded like any other file. Log file names contain their log type and date in the name, so it is recommended to create a folder in which to archive your log messages, as they can be sorted easily.

3. Open a text editor such as Notepad, open the log file, and then scroll to view all the log messages.

You can easily search or scroll through the logs to see the information that is available.
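Because the downloaded file name carries the log type and the download date and time, a short script can sort downloads into an archive tree without opening the files. The Python example below is added here and is not part of the handbook or of FortiOS; it parses the <logtype>-<logdevice>-<date>T<time>.<id>.log name format and derives a folder path for each file. The regular expression, the fortigate-logs root folder, the type/year/month layout, and the notes.txt stray file in the sample list are the example's own assumptions.

```python
import re
from datetime import datetime
from pathlib import PurePosixPath

# <logtype>-<logdevice>-<date>T<time>.<id>.log, for example
# AntiVirusLog-disk-2012-09-13T11_07_57.922495.log (the regex is the example's own).
FILENAME_RE = re.compile(
    r"^(?P<logtype>[A-Za-z]+)-(?P<logdevice>[A-Za-z]+)-"
    r"(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}_\d{2}_\d{2})\.(?P<id>\d+)\.log$"
)

ARCHIVE_ROOT = "fortigate-logs"  # assumed root folder for the archive tree


def parse_log_filename(name):
    """Return logtype, logdevice, id and the download timestamp (a datetime)."""
    match = FILENAME_RE.match(name)
    if not match:
        raise ValueError("not a FortiGate raw log file name: %s" % name)
    info = match.groupdict()
    # The name records when the file was downloaded, not the period of the
    # messages inside it.
    info["downloaded"] = datetime.strptime(
        info["date"] + "T" + info["time"], "%Y-%m-%dT%H_%M_%S")
    return info


def archive_path(name, root=ARCHIVE_ROOT):
    """<root>/<logtype>/<yyyy>/<mm>/<name>: one folder per log type and month."""
    info = parse_log_filename(name)
    when = info["downloaded"]
    return str(PurePosixPath(root) / info["logtype"]
               / f"{when.year:04d}" / f"{when.month:02d}" / name)


def plan_archive(names, root=ARCHIVE_ROOT):
    """Map each downloaded file to its archive location; names that do not
    follow the convention are returned separately instead of being guessed."""
    planned, skipped = {}, []
    for name in names:
        try:
            planned[name] = archive_path(name, root)
        except ValueError:
            skipped.append(name)
    return planned, skipped


if __name__ == "__main__":
    # Constructed download folder listing: two names from the handbook plus a stray file.
    downloads = ["AntiVirusLog-disk-2012-09-13T11_07_57.922495.log",
                 "SystemEventLog-disk-2012-09-19T12_13_46.933949.log",
                 "notes.txt"]
    planned, skipped = plan_archive(downloads)
    for src, dst in planned.items():
        print(src, "->", dst)
    print("skipped:", skipped)
```

plan_archive only computes destinations; moving the files is left to the caller so the plan can be reviewed first, which matters when the archive is the only copy of logs that have already been overwritten on the unit.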

FortiOS features available for logging

Logs record FortiGate activity, providing detailed information about what is happening on your network. This recorded activity is found in log files, which are stored on a log device. However, logging FortiGate activity requires configuring certain settings so that the FortiGate unit can record the activity. These settings are often referred to as log settings, and are found in most security profiles, but also in Log & Report > Log Config > Log Settings.

Log settings provide the information that the FortiGate unit needs so that it knows what activities to record. This topic explains what activity each log file records, as well as additional information about the log file, which will help you determine what FortiGate activity the FortiGate unit should record.

 

Traffic

Traffic logs record the traffic that is flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through the unit, this type of logging is also referred to as firewall policy logging. Firewall policies control all traffic that attempts to pass through the FortiGate unit, between FortiGate interfaces, zones and VLAN sub-interfaces.

Logging traffic works in the following way:

  • firewall policy has logging enabled on it (Log Allowed Traffic)
  • packet comes into an inbound interface
  • a possible log packet is sent regarding a match in the firewall policy, such as a URL filter
  • traffic log packet is sent, per firewall policy
  • packet passes and is sent out an interface

 

Traffic log messages are stored in the traffic log file. Traffic logs can be stored on any log device, even system memory.

All security profile-related logs are now tracked within the Traffic logs, as of FortiOS 5.0, so all forward traffic can be searched in one place, such as if you are looking to see all activity from a particular address, security feature or traffic. Security profile logs are still tracked separately in the Security Log section, which only appears when logs exist.

If you have enabled and configured WAN Optimization, you can enable logging of this activity in the CLI using the config wanopt setting command. These logs contain information about WAN Optimization activity and are found in the traffic log file. When configuring logging of this activity, you must also enable logging within the security policy itself, so that the activity is properly recorded.

 

Sniffer

The Sniffer log records all traffic that passes through a particular interface that has been configured to act as a One-Armed Sniffer, so it can be examined separately from the rest of the Traffic logs.

 

Other Traffic

The traffic log also records interface traffic logging, which is referred to as Other Traffic. Other Traffic is enabled only in the CLI. When enabled, the FortiGate unit records traffic activity on interfaces as well as firewall policies. Logging Other Traffic puts a significant system load on the FortiGate unit and should be used only when necessary.

Logging other traffic works in the following way:

  • firewall policy has logging enabled on it (Log Allowed Traffic) and other-traffic
  • packet comes into an interface
  • interface log packet is sent to the traffic log that is enabled on that particular interface
  • possible log packet is sent regarding a match in the firewall policy, such as URL filter
  • interface log packet is sent to the traffic log if enabled on that particular interface
  • packet passes and is sent out an interface
  • interface log packet is sent to traffic (if enabled) on that particular interface

 

Event

The event log records administration management as well as FortiGate system activity, such as when a configuration has changed, admin login, or high availability (HA) events occur. Event logs are an important log file to record because they record FortiGate system activity, which provides valuable information about how your FortiGate unit is performing.

 

Event logs help you in the following ways:

  • keeping track of configuration setting changes
  • IPsec negotiation, SSL VPN and tunnel activity
  • quarantine events, such as banned users
  • system performance
  • HA events and alerts
  • firewall authentication events
  • wireless events on models with WiFi capabilities
  • activities concerning modem and internet protocols L2TP, PPP and PPPoE
  • VIP activities
  • AMC disk’s bypass mode
  • VoIP activities that include SIP and SCCP protocols.

The FortiGate unit records event logs only when events are enabled.

 

Traffic Shaping

Traffic shaping, per-IP traffic shaping and reverse direction traffic shaping settings can be applied to a firewall policy, appearing within the traffic log messages.

By enabling this feature, you can see what traffic shaping, per-IP traffic shaping and reverse direction traffic shaping settings are being used.

 

Data Leak Prevention

Data Leak Prevention logs, or DLP logs, provide valuable information about the sensitive data trying to get through to your network as well as any unwanted data trying to get into your network. The DLP rules within a DLP sensor can log the following traffic types:

  • email (SMTP, POP3 or IMAP; when SSL content is inspected, also SMTPS, POP3S and IMAPS)
  • HTTP
  • HTTPS
  • FTP
  • NNTP
  • IM

A DLP sensor must have log settings enabled for each DLP rule and compound rule, and must be applied to a firewall policy, so that the FortiGate unit records this type of activity. A DLP sensor can also contain archiving options; when these are enabled, the logs are archived to the log device.

 

NAC Quarantine

Within the DLP sensor, there is an option for enabling NAC Quarantine. The NAC Quarantine option allows the FortiGate unit to record details of DLP operations that involve the ban and quarantine actions and send these to the event log file. The NAC Quarantine option must also be enabled within the Event Log settings. NAC quarantine within a DLP sensor must be enabled in the CLI because it is a CLI-only command.

 

Media Access Control (MAC) Address

MAC address logs provide information about MAC addresses that the FortiGate unit sees on the network as well as those removed from the network. These log messages are stored in the event log (as subtype network; you can view these log messages in Log & Report > Event Log) and are, by default, disabled in the CLI. You can enable logging MAC addresses using the following command syntax:

config log setting
    set neighbor-event enable
end

When enabled, a new log message is recorded every time a MAC address entry is added to the ARP table, and again when a MAC address is removed. A MAC address log message is also recorded when MAC addresses are connected to the local switch, or to a FortiAP or FortiSwitch unit.

 

Application control

Application control logs provide detailed information about the traffic that internet applications such as Skype are generating. The application control feature controls the flow of traffic from a specific application, and the FortiGate unit examines this traffic for signatures that the application generates.

The log messages that are recorded provide information such as the type of application being used (such as P2P software), and what type of action the FortiGate unit took. These log messages can also help you to determine the top ten applications that are being used on your network. This feature is called application control monitoring and you can view the information from a widget on the Executive Summary page.

The application control list that is used must have logging enabled within the list, as well as logging enabled within each application entry. Each application entry can also have packet logging enabled. Packet logging for application control records the packet when an application type is identified, similar to IPS packet logging.

Logging of application control activity can only be recorded when an application control list is applied to a firewall policy, regardless of whether or not logging is enabled within the application control list.

 

Antivirus

Antivirus logs are recorded when, during the antivirus scanning process, the FortiGate unit finds a match within the antivirus profile, which includes the presence of a virus or grayware signature. Antivirus logs provide a way to understand what viruses are trying to get in, as well as additional information about the virus itself, without having to go to the FortiGuard Center and do a search for the detected virus. The link is provided within the log message itself.

 

These logs provide valuable information such as:

  • the name of the detected virus
  • the name of the oversized file or infected file
  • the action the FortiGate unit took, for example, a file was blocked
  • URL link to the FortiGuard Center which gives detailed information about the virus itself

The antivirus profile must have log settings enabled within it so that the FortiGate unit can record this activity, as well as having the antivirus profile applied to a firewall policy.

 

Web Filter

Web filter logs record HTTP traffic activity. These log messages provide valuable and detailed information about this particular traffic activity on your network. Web filtering activity is important to log because it can inform you about:

  • what types of web sites employees are accessing
  • users attempting to access banned web sites and how often this occurs
  • network congestion due to employees accessing the Internet at the same time
  • web-based threats resulting from users visiting non-business-related web sites

Web Filter logs are an effective tool to help you determine if you need to update your web filtering settings within a web filter profile due to unforeseen threats or network congestion. These logs also inform you about web filtering quotas that have been configured for filtering HTTP traffic.

You must configure logging settings within the web filter profile and apply the filter to a firewall policy so that the FortiGate unit can record the activity.

 

IPS (attack)

 

IPS logs, also referred to as attack logs, record attacks that occurred against your network. Attack logs contain detailed information about whether the FortiGate unit protected the network using anomaly-based defense settings or signature-based defense settings, as well as what the attack was.

The IPS or attack log file is especially useful because the log messages that are recorded contain a link to the FortiGuard Center, where you can find more information about the attack. This is similar to antivirus logs, where a link to the FortiGuard Center is provided as well that informs you of the virus that was detected by the FortiGate unit.

An IPS sensor with log settings enabled must be applied to a firewall policy so that the FortiGate unit can record the activity.

 

Packet logs

When you enable packet logging within an IPS signature override or filter, the FortiGate unit examines network packets, and if a match is found, saves them to the attack log. Packet logging is designed to be used as a diagnostic tool that can focus on a narrow scope of diagnostics, rather than a log that informs you of what is occurring on your network.

You should use caution when enabling packet logging, especially within IPS filters. Filter configuration that contains thousands of signatures could potentially cause a flood of saved packets, which would take up a lot of storage space on the log device. It would also take a great deal of time to sort through all the log messages, as well as consume considerable system resources to process.

You can archive packets, but you must enable this option on the Log Settings page. If your log configuration includes multiple FortiAnalyzer units, packet logs are only sent to the primary (first) FortiAnalyzer unit. Sending packet logs to the other FortiAnalyzer units is not supported.

 

Email filter

Email filter logs, also referred to as spam filter logs, record information about the content of email messages, for example, when a match within an email filter profile causes an email message to be considered spam.

Email filter logs are recorded when the FortiGate unit finds a match within the email filter profile and logging settings are enabled within the profile.

 

Archives (DLP)

Recording DLP logs for network use is called DLP archiving. The DLP engine examines email, FTP, IM, NNTP, and web traffic. Archived logs are usually saved for historical use and can be accessed at any time. IPS packet logs can also be archived, within the Log Settings page.

You can start with the two default DLP sensors that have been configured specifically for archiving log data, Content_Archive and Content_Summary. They are available in Security Profiles > Data Leak Prevention. Content_Archive provides full content archiving, while Content_Summary provides summary archiving. For more information about how to configure DLP sensors, see the Security Features chapter of the FortiOS Handbook.

You must enable the archiving to record log archives. Logs are not archived unless enabled, regardless of whether or not the DLP sensor for archiving is applied to the firewall policy.

 

Network scan

Network scan logs are recorded when a scheduled scan of the network occurs. These log messages provide detailed information about the network’s vulnerabilities regarding software, as well as the discovery of any further vulnerabilities.

A scheduled scan must be configured and logging enabled within the Event Log settings, for the FortiGate unit to record these log messages.

Chapter 18 – Logging and Reporting

This FortiOS Handbook chapter contains the following sections:

Logging and reporting overview provides general information about logging. We recommend that you begin with this chapter as it contains information for both beginners and advanced users as well. It contains an explanation of log messages, files, and devices, and an overview of the Reporting functions.

Logging and reporting for small networks provides an overview of setting up a small network for logging, with a look at a possible setup with a backup solution and a customized report.

Logging and reporting for large networks provides an overview of setting up a larger, enterprise-level network, with configuration of multiple FortiGate units, multiple FortiAnalyzer units as a backup solution, and a sample procedure for creating a more intensive and broad report to suit the larger network.

Advanced logging provides a series of separate tutorials for possible tasks and procedures an advanced user may want to undertake with their FortiGate-powered network. It contains explanations of advanced backup, logging, and report solutions.

Troubleshooting and logging provides a short overview of how log messages can be used to identify and solve problems within the network, how to identify and solve logging database issues, and how to solve connection issues between FortiGate and FortiAnalyzer units.

 

Logging and reporting overview

Logging and reporting in FortiOS can help you in determining what is happening on your network, as well as informing you of certain network activity, such as detection of a virus or IPsec VPN tunnel errors. Logging and reporting go hand in hand, and can become a valuable tool for information as well as helping to show others the activity that is happening on the network.

This section explains logging and reporting features that are available in FortiOS, and how they can be used to help you manage or troubleshoot issues. This includes how the FortiGate unit records logs, what a log message is, and what the log database is.

 

What is logging?

Logging records the traffic passing through the FortiGate unit to your network and what action the FortiGate unit took during its scanning process of the traffic. This recorded information is called a log message.

After a log message is recorded, it is stored within a log file which is then stored on a log device. A log device is a central storage location for log messages. The FortiGate unit supports several log devices, such as FortiAnalyzer units, the FortiCloud service, and Syslog servers. A FortiGate unit’s system memory and local disk can also be configured to store logs, and because of this, are also considered log devices.

You must subscribe to FortiCloud before you will be able to configure the FortiGate unit to send logs to a FortiCloud server.

When the recorded activity needs to be read in a more human way, the FortiGate unit can generate a Report. A report gathers all the log information that is needed for the report, and presents it in a graphical format, with customizable design and automatically generated charts. Reports can be used to present a graphical representation of what is going on in the network. Reports can also be generated on a FortiAnalyzer unit; if you want to generate reports on a FortiAnalyzer, see the FortiAnalyzer Setup and Administration Guide to help you create and generate those reports.

 

How the FortiGate unit records log messages

The FortiGate unit records log messages in a specific order, storing them on a log device. The order in which the FortiGate unit records log messages is as follows:

1. Incoming traffic is scanned.

2. During the scanning process, the FortiGate unit performs necessary actions, and simultaneously records the actions and results.

3. Log messages are sent to the log device.

 

Example: How the FortiGate unit records a DLP event

1. The FortiGate unit receives incoming traffic and scans for any matches associated within its firewall policies containing a DLP sensor.

2. A match is found; the DLP sensor, dlp_sensor, had a rule within it called All-HTTP with the action Exempt applied to the rule. The sensor also has Enable Logging selected, which indicates to the FortiGate unit that the activity should be recorded and placed in the DLP log file.

3. The FortiGate unit exempts the match, and places the recorded activity (the log message) within the DLP log file.

4. According to the log settings that were configured, logs are stored on the FortiGate unit’s local hard drive. The FortiGate unit places the DLP log file on the local hard drive.

Example Basic IP load balancing configuration

This example shows how to add a server load balancing virtual IP that load balances all traffic among 3 real servers. In the example the Internet is connected to port2 and the virtual IP address of the virtual server is 192.168.20.20. The load balancing method is weighted. The IP addresses of the real servers are 10.10.10.1, 10.10.10.2, and 10.10.10.3. The weights for the real servers are 1, 2, and 3. The default weight is 1 and does not have to be changed for the first real server.

config firewall vip
    edit All_Load_Balance
        set type server-load-balance
        set server-type ip
        set extintf port2
        set extip 192.168.20.20
        set ldb-method weighted
        config realservers
            edit 1
                set ip 10.10.10.1
            next
            edit 2
                set ip 10.10.10.2
                set weight 2
            next
            edit 3
                set ip 10.10.10.3
                set weight 3
            end
    end

 

Example Adding a server load balance port forwarding virtual IP

In this example, a virtual web server with IP address 192.168.37.4 on the Internet, is mapped to three real web servers connected to the FortiGate unit dmz1 interface. The real servers have IP addresses 10.10.123.42, 10.10.123.43, and 10.10.123.44. The virtual server uses the First Alive load balancing method.

Each real server accepts HTTP connections on a different port number. The first real server accepts connections on port 8080, the second on port 8081, and the third on 8082. The configuration also includes an HTTP health check monitor that includes a URL used by the FortiGate unit for get requests to monitor the health of the real servers.

Connections to the virtual web server at IP address 192.168.37.4 from the Internet are translated and load balanced to the real servers by the FortiGate unit. First alive load balancing directs all sessions to the first real server. The computers on the Internet are unaware of this translation and load balancing and see a single virtual server at IP address 192.168.37.4 rather than the three real servers behind the FortiGate unit.

 

[Figure] Server load balance virtual IP port forwarding

To complete this configuration, all of the steps would be the same as in Example HTTP load balancing to three real web servers except for configuring the real servers.

 

To add the real servers and associate them with the virtual server

Use the following steps to configure the FortiGate unit to port forward HTTP packets to the three real servers on ports 8080, 8081, and 8082.

1. Go to Policy & Objects > Real Servers.

2. Select Create New.

3. Configure three real servers that include the virtual server Load_Bal_VS1. Each real server must include the IP address of a real server on the internal network and have a different port number.

Configuration for the first real server.

Virtual Server                             Load_Bal_VS1

IP                                                 10.10.10.42

Port                                             8080

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

Configuration for the second real server.

Virtual Server                             Load_Bal_VS1

IP                                                 10.10.10.43

Port                                             8081

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

Configuration for the third real server.

Virtual Server                             Load_Bal_VS1

IP                                                 10.10.10.44

Port                                             8082

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

 

Example Weighted load balancing configuration

This example shows how to use firewall load balancing to load balance all traffic among 3 real servers. In the example the Internet is connected to port2 and the virtual IP address of the virtual server is 192.168.20.20. The load balancing method is weighted. The IP addresses of the real servers are 10.10.10.1, 10.10.10.2, and 10.10.10.3. The weights for the real servers are 1, 2, and 3.

This configuration does not include a health check monitor.

 

Web-based manager configuration

Use the following procedures to configure this load balancing setup from the web-based manager.

 

To add the HTTP virtual server

1. Go to Policy & Objects > Virtual Servers.

2. Select Create New.

3. Add an IP virtual server that allows users on the Internet to connect to the real servers on the internal network. In this example, the FortiGate port2 interface is connected to the Internet.

Name                                           HTTP_weghted_LB

Type                                            IP

Interface                                     port2

Virtual Server IP                        192.168.20.20

Load Balance Method              Weighted

All other virtual server settings are not required or cannot be changed.

4. Select OK.

 

To add the real servers and associate them with the virtual server

1. Go to Policy & Objects > Real Servers.

2. Select Create New.

3. Configure three real servers that include the virtual server HTTP_weghted_LB. Because the Load Balancing Method is Weighted, each real server includes a weight. Servers with a greater weight receive a greater proportion of forwarded connections.

Configuration for the first real server.

Virtual Server                             HTTP_weghted_LB

IP Address                                 10.10.10.1

Port                                             Cannot be configured because the virtual server is an IP server.

Weight                                        1

Maximum Connections            0

Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

Configuration for the second real server.

Virtual Server                             HTTP_weghted_LB

IP Address                                 10.10.10.2

Port                                             Cannot be configured because the virtual server is an IP server.

Weight                                        2

Maximum Connections            0

Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

Configuration for the third real server.

Virtual Server                             HTTP_weghted_LB

IP Address                                 10.10.10.3

Port                                             Cannot be configured because the virtual server is an IP server.

Weight                                        3

Maximum Connections            0

Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

 

To add the virtual server to a security policy

Add a port2 to port1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.

1. Go to Policy & Objects > IPv4 Policy.

2. Select Create New.

3. Configure the security policy:

Policy Type                                Firewall

Policy Subtype                          Address

Incoming Interface                   port2

Source Address                        all (or a more specific address)

Outgoing Interface                   port1

Destination Address                 HTTP_weghted_LB

Schedule                                    always

Service                                       ALL

Action                                         ACCEPT

Enable NAT                                Select this option and select Use Destination Interface Address.

4. Select other security policy options as required.

5. Select OK.

 

CLI configuration

Load balancing is configured from the CLI using the config firewall vip command and by setting type to server-load-balance. The default weight is 1 and does not have to be changed for the first real server. Use the following command to add the virtual server and the three weighted real servers.

config firewall vip
    edit HTTP_weghted_LB
        set type server-load-balance
        set server-type ip
        set extintf port2
        set extip 192.168.20.20
        set ldb-method weighted
        config realservers
            edit 1
                set ip 10.10.10.1
            next
            edit 2
                set ip 10.10.10.2
                set weight 2
            next
            edit 3
                set ip 10.10.10.3
                set weight 3
            end
    end
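To make the weighted method concrete, here is an added Python model (not FortiOS code) of how new sessions are spread over the three real servers above, with weights 1, 2 and 3, and how First Alive behaves with a Maximum Connections limit. The scheduler is a smooth weighted round robin chosen to show the proportions; it is not the FortiGate's internal algorithm, and the connection limit of 2 in the First Alive case is a constructed value.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RealServer:
    ip: str
    weight: int = 1           # FortiOS default weight is 1
    max_connections: int = 0  # 0 means unlimited, as in the example tables
    alive: bool = True
    active: int = 0           # sessions currently open (constructed counter)
    current: int = 0          # scheduler state for weighted round robin

    def has_capacity(self) -> bool:
        """A server can take a session if it is up and below its connection limit."""
        if not self.alive:
            return False
        return self.max_connections == 0 or self.active < self.max_connections


class VirtualServer:
    """Model of a server-load-balance VIP with a single ldb-method."""

    def __init__(self, name: str, extip: str, ldb_method: str,
                 realservers: List[RealServer]) -> None:
        if ldb_method not in ("weighted", "first-alive"):
            raise ValueError("this model only covers weighted and first-alive")
        self.name = name
        self.extip = extip
        self.ldb_method = ldb_method
        self.realservers = realservers

    def pick(self) -> Optional[RealServer]:
        """Choose the real server for a new session, or None if none can take it."""
        candidates = [s for s in self.realservers if s.has_capacity()]
        if not candidates:
            return None
        if self.ldb_method == "first-alive":
            # Every session goes to the first healthy server in the list.
            return candidates[0]
        # Smooth weighted round robin: over a full cycle each server is chosen
        # exactly `weight` times, so weights 1, 2, 3 yield a 1:2:3 split.
        total = sum(s.weight for s in candidates)
        for s in candidates:
            s.current += s.weight
        chosen = max(candidates, key=lambda s: s.current)
        chosen.current -= total
        return chosen

    def open_session(self) -> Optional[RealServer]:
        server = self.pick()
        if server is not None:
            server.active += 1
        return server


def distribute(vip: VirtualServer, sessions: int) -> Counter:
    """Open `sessions` sessions and count how many landed on each real server IP."""
    counts: Counter = Counter()
    for _ in range(sessions):
        server = vip.open_session()
        counts[server.ip if server else "dropped"] += 1
    return counts


def weighted_example() -> Counter:
    """The three real servers of this example under the weighted method."""
    vip = VirtualServer("HTTP_weghted_LB", "192.168.20.20", "weighted", [
        RealServer("10.10.10.1"),             # weight left at the default of 1
        RealServer("10.10.10.2", weight=2),
        RealServer("10.10.10.3", weight=3),
    ])
    return distribute(vip, 60)                # 10, 20 and 30 sessions respectively


def first_alive_example() -> Counter:
    """First Alive with a Maximum Connections limit of 2 on the first server."""
    vip = VirtualServer("Load_Bal_VS1", "192.168.37.4", "first-alive", [
        RealServer("10.10.123.42", max_connections=2),
        RealServer("10.10.123.43"),
        RealServer("10.10.123.44"),
    ])
    return distribute(vip, 5)                 # 2 to .42, then 3 to .43


if __name__ == "__main__":
    print(weighted_example())
    print(first_alive_example())
```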

 

Example HTTP and HTTPS persistence configuration

This example shows how to add a virtual server named HTTP_Load_Balance that load balances HTTP traffic using port 80 and a second virtual server named HTTPS_Load_Balance that load balances HTTPS traffic using port 443. The Internet is connected to port2 and the virtual IP address of the virtual server is 192.168.20.20. Both server load balancing virtual IPs load balance sessions to the same three real servers with IP addresses 10.10.10.1, 10.10.10.2, and 10.10.10.3. The real servers provide HTTP and HTTPS services. For both virtual servers, persistence is set to HTTP Cookie to enable HTTP cookie persistence.

 

To add the HTTP and HTTPS virtual servers

1. Go to Policy & Objects > Virtual Servers.

2. Add the HTTP virtual server that includes HTTP Cookie persistence.

Name                                           HTTP_Load_Balance

Type                                            HTTP

Interface                                     port2

Virtual Server IP                        192.168.20.20

Virtual Server Port                    80

In this example the virtual server uses port 8080 for HTTP sessions instead of port 80.

Load Balance Method              Static

Persistence                                HTTP cookie

3. Select OK.

4. Select Create New.

5. Add the HTTPS virtual server that also includes HTTP Cookie persistence.

 

Name                                           HTTPS_Load_Balance

Type                                            HTTPS

Interface                                     port2

Virtual Server IP                        192.168.20.20

Virtual Server Port                    443

Load Balance Method              Static

Persistence                                HTTP cookie

6. Select OK.

 

 

To add the real servers and associate them with the virtual servers

1. Go to Policy & Objects > Real Servers.

2. Select Create New.

3. Configure three real servers for HTTP that include the virtual server HTTP_Load_Balance.

Configuration for the first HTTP real server.

Virtual Server                             HTTP_Load_Balance

IP Address                                 10.10.10.1

Port                                             80

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

 

Configuration for the second HTTP real server.

Virtual Server                             HTTP_Load_Balance

IP Address                                 10.10.10.2

Port                                             80

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

 

Configuration for the third HTTP real server.

Virtual Server                             HTTP_Load_Balance

IP Address                                 10.10.10.3

Port                                             80

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

4. Configure three real servers for HTTPS that include the virtual server HTTPS_Load_Balance.

 

Configuration for the first HTTPS real server.

Virtual Server                             HTTPS_Load_Balance

IP Address                                 10.10.10.1

Port                                             443

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

 

Configuration for the second HTTPS real server.

Virtual Server                             HTTPS_Load_Balance

IP Address                                 10.10.10.2

Port                                             443

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

 

Configuration for the third HTTPS real server.

Virtual Server                             HTTPS_Load_Balance

IP Address                                 10.10.10.3

Port                                             443

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

 

To add the virtual servers to security policies

Add a port2 to port1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.

1. Go to Policy & Objects > IPv4 Policy.

2. Select Create New.

3. Configure the HTTP security policy:

Policy Type                                Firewall

Policy Subtype                          Address

Incoming Interface                   port2

Source Address                        all

Outgoing Interface                   port1

Destination Address                 HTTP_Load_Balance

Schedule                                    always

Service                                       HTTP

Action                                         ACCEPT

Enable NAT                                Select this option and select Use Destination Interface Address.

4. Select other security policy options as required.

5. Select OK.

6. Select Create New.

7. Configure the HTTPS security policy:

Policy Type                                Firewall

Policy Subtype                          Address

Incoming Interface                   port2

Source Address                        all

Outgoing Interface                   port1

Destination Address                 HTTPS_Load_Balance

Schedule                                    always

Service                                       HTTPS

Action                                         ACCEPT

Enable NAT                                Select this option and select Use Destination Interface Address.

8. Select other security policy options as required.

9. Select OK.

 

CLI configuration: adding persistence for a specific domain

Load balancing is configured from the CLI using the config firewall vip command and by setting type to server-load-balance.

For the CLI configuration, both virtual servers include setting http-cookie-domain to .example.org because HTTP cookie persistence is only required for the example.org domain. First, the configuration for the HTTP virtual IP:

config firewall vip
    edit HTTP_Load_Balance
        set type server-load-balance
        set server-type http
        set extport 8080
        set extintf port2
        set extip 192.168.20.20
        set persistence http-cookie
        set http-cookie-domain .example.org
        config realservers
            edit 1
                set ip 10.10.10.1
            next
            edit 2
                set ip 10.10.10.2
            next
            edit 3
                set ip 10.10.10.3
            end
    end

Second, the configuration for the HTTPS virtual IP. In this configuration you don’t have to set extport to 443 because extport is automatically set to 443 when server-type is set to https.

config firewall vip
    edit HTTPS_Load_Balance
        set type server-load-balance
        set server-type https
        set extport 443
        set extintf port2
        set extip 192.168.20.20
        set persistence http-cookie
        set http-cookie-domain .example.org
        config realservers
            edit 1
                set ip 10.10.10.1
            next
            edit 2
                set ip 10.10.10.2
            next
            edit 3
                set ip 10.10.10.3
            end
    end
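As an added illustration (not FortiOS code), the following Python model shows what http-cookie persistence scoped to .example.org means for one client: the persistence cookie pins later requests to the real server that answered the first one, a browser only sends a cookie with Domain=.example.org to hosts in that domain, and a pinned server that goes down causes a fresh pick. The cookie name, the source-address hash used for the Static method and the client address are assumptions of the model, not the FortiGate's implementation.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed cookie name for the model; it is not the cookie a FortiGate sets.
COOKIE_NAME = "LB_PERSIST"


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # e.g. ".example.org", mirroring http-cookie-domain
    path: str = "/"


def cookie_matches_host(cookie: Cookie, host: str) -> bool:
    """RFC 6265 domain matching: Domain=.example.org covers example.org and
    any subdomain, but not example.com or notexample.org."""
    domain = cookie.domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


class CookiePersistentVIP:
    """Model of a server-load-balance VIP using http-cookie persistence."""

    def __init__(self, realservers: List[str], cookie_domain: str) -> None:
        self.realservers = realservers
        self.cookie_domain = cookie_domain
        self.down: Set[str] = set()

    def _initial_pick(self, client_ip: str) -> str:
        # The example's Static method is modelled as a hash of the client's
        # source address over the servers that are up (assumption).
        up = [s for s in self.realservers if s not in self.down]
        digest = hashlib.sha256(client_ip.encode()).digest()
        return up[int.from_bytes(digest[:4], "big") % len(up)]

    def handle(self, client_ip: str, cookies: Dict[str, str]
               ) -> Tuple[str, Optional[Cookie]]:
        """Return (real server used, Set-Cookie to send back or None)."""
        sticky = cookies.get(COOKIE_NAME)
        if sticky in self.realservers and sticky not in self.down:
            return sticky, None            # persistence wins while the server is up
        server = self._initial_pick(client_ip)
        return server, Cookie(COOKIE_NAME, server, self.cookie_domain)


class Browser:
    """Minimal client that keeps a cookie jar and honours the Domain attribute."""

    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.jar: List[Cookie] = []

    def get(self, vip: CookiePersistentVIP, host: str) -> Tuple[str, bool]:
        """Return (real server that answered, whether a new cookie was set)."""
        sent = {c.name: c.value for c in self.jar if cookie_matches_host(c, host)}
        server, set_cookie = vip.handle(self.ip, sent)
        if set_cookie is not None:
            self.jar = [c for c in self.jar if c.name != set_cookie.name]
            self.jar.append(set_cookie)
        return server, set_cookie is not None


def scenario() -> Dict[str, Tuple[str, bool]]:
    """Walk one client through the HTTPS_Load_Balance configuration above."""
    vip = CookiePersistentVIP(["10.10.10.1", "10.10.10.2", "10.10.10.3"],
                              ".example.org")
    client = Browser("198.51.100.7")                        # constructed address
    out: Dict[str, Tuple[str, bool]] = {}
    out["first"] = client.get(vip, "www.example.org")        # cookie issued
    out["second"] = client.get(vip, "www.example.org")       # cookie honoured
    out["subdomain"] = client.get(vip, "shop.example.org")   # same cookie applies
    out["other_domain"] = client.get(vip, "www.example.com")  # cookie not sent
    vip.down.add(out["first"][0])                           # pinned server goes down
    out["failover"] = client.get(vip, "www.example.org")     # re-picked, new cookie
    return out


if __name__ == "__main__":
    for step, (server, new_cookie) in scenario().items():
        print(f"{step:13} -> {server}  new cookie set: {new_cookie}")
```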

Load balancing configuration examples

Example HTTP load balancing to three real web servers

In this example, a virtual web server with IP address 192.168.37.4 on the Internet, is mapped to three real web servers connected to the FortiGate unit dmz1 interface. The real servers have IP addresses 10.10.123.42, 10.10.123.43, and 10.10.123.44. The virtual server uses the First Alive load balancing method. The configuration also includes an HTTP health check monitor that includes a URL used by the FortiGate unit for get requests to monitor the health of the real servers.

Connections to the virtual web server at IP address 192.168.37.4 from the Internet are translated and load balanced to the real servers by the FortiGate unit. First alive load balancing directs all sessions to the first real server. The computers on the Internet are unaware of this translation and load balancing and see a single virtual server at IP address 192.168.37.4 rather than the three real servers behind the FortiGate unit.

Web-based manager configuration

Use the following procedures to configure this load balancing setup from the web-based manager.

To add an HTTP health check monitor

In this example, the HTTP health check monitor includes the URL “/index.html” and the Matched Phrase “Fortinet products”.

1. Go to Policy & Objects > Health Check.

2. Select Create New.

3. Add an HTTP health check monitor that sends get requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase “Fortinet products”.

Name                                           HTTP_health_chk_1

Type                                            HTTP

Port                                             80

URL                                              /index.html

Matched Content                        Fortinet products

Interval                                       10 seconds

Timeout                                       2 seconds

Retry                                           3

4. Select OK.

To add the HTTP virtual server

1. Go to Policy & Objects > Virtual Servers.

2. Select Create New.

3. Add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network.

In this example, the FortiGate wan1 interface is connected to the Internet.

Name                                           Load_Bal_VS1

Type                                            HTTP

Interface                                     wan1

Virtual Server IP                        192.168.37.4

The public IP address of the web server.

The virtual server IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.

Virtual Server Port                    80

Load Balance Method              First Alive

Persistence                                HTTP cookie

HTTP Multiplexing                    Select.

The FortiGate unit multiplexes multiple client connections into a few connections between the FortiGate unit and each real HTTP server. This can improve performance by reducing the server overhead associated with establishing multiple connections.

Preserve Client IP                     Select

The FortiGate unit preserves the IP address of the client in the X-Forwarded-For HTTP header.

Health Check                             Move the HTTP_health_chk_1 health check monitor to the Selected list.

4. Select OK.

To add the real servers and associate them with the virtual server

1. Go to Policy & Objects > Real Servers.

2. Select Create New.

3. Configure three real servers that include the virtual server Load_Bal_VS1. Each real server must include the IP address of a real server on the internal network. Configuration for the first real server.

Virtual Server                             Load_Bal_VS1

IP Address                                 10.10.10.42

Port                                             80

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing, you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

Configuration for the second real server.

Virtual Server                             Load_Bal_VS1

IP Address                                 10.10.10.43

Port                                             80

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing, you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

Configuration for the third real server.

Virtual Server                             Load_Bal_VS1

IP Address                                 10.10.10.44

Port                                             80

Weight                                        Cannot be configured because the virtual server does not include weighted load balancing.

Maximum Connections            0

Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing, you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

To add the virtual server to a security policy

Add a wan1 to dmz1 security policy that uses the virtual server so that when users on the Internet attempt to connect to the web server’s IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the virtual server IP address to the real server IP addresses.

1. Go to Policy & Objects > IPv4 Policy.

2. Select Create New.

3. Configure the security policy:

Policy Type                                Firewall

Policy Subtype                          Address

Incoming Interface                   wan1

Source Address                        all (or a more specific address)

Outgoing Interface                   dmz1

Destination Address                 Load_Bal_VS1

Schedule                                    always

Service                                       HTTP

Action                                         ACCEPT

Log Allowed Traffic                  Select to log virtual server traffic

Enable NAT                                Select this option and select Use Destination Interface Address.

4. Select other security policy options as required.

5. Select OK.

CLI configuration

Use the following procedure to configure this load balancing setup from the CLI.

To configure HTTP load balancing

1. Use the following command to add an HTTP health check monitor that sends GET requests to http://<real_server_IP_address>/index.html and searches the returned web page for the phrase "Fortinet products".

config firewall ldb-monitor
    edit HTTP_health_chk_1
        set type http
        set port 80
        set http-get /index.html
        set http-match "Fortinet products"
        set interval 10
        set timeout 2
        set retry 3
    end

2. Use the following command to add an HTTP virtual server that allows users on the Internet to connect to the real servers on the internal network. In this example, the FortiGate wan1 interface is connected to the Internet.

config firewall vip
    edit Load-Bal_VS1
        set type server-load-balance
        set server-type http
        set ldb-method first-alive
        set http-multiplex enable
        set http-ip-header enable
        set extip 192.168.37.4
        set extintf wan1
        set extport 80
        set persistence http-cookie
        set monitor HTTP_health_chk_1
        config realservers
            edit 1
                set ip 10.10.10.42
                set port 80
            next
            edit 2
                set ip 10.10.10.43
                set port 80
            next
            edit 3
                set ip 10.10.10.44
                set port 80
            end
    end

3. Use the following command to add a security policy that includes the load balance virtual server as the destination address.

config firewall policy
    edit 0
        set srcintf wan1
        set srcaddr all
        set dstintf dmz1
        set dstaddr Load-Bal_VS1
        set action accept
        set schedule always
        set service ALL
        set nat enable
    end

Configure other security policy settings as required.
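The following Python script is an added example, not handbook or FortiOS code, that models what the health check monitor and the First Alive method configured above do together: a real server passes a probe only when the page at http-get comes back before the timeout and contains the http-match phrase, it is marked down after retry consecutive failures, and every new session goes to the first real server that is up and, if Maximum Connections is set, not yet at that limit. The probe rounds replace the real interval and timeout, and the server responses are constructed for the example.

```python
"""Model of the HTTP health check monitor and First Alive selection.

Added example; not FortiOS code. Timing (interval, timeout) is replaced by
explicit probe rounds, and the server responses are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Monitor:
    http_get: str      # URL requested with GET (set http-get)
    http_match: str    # phrase the returned page must contain (set http-match)
    retry: int         # consecutive failures before the server is marked down (set retry)


@dataclass
class RealServer:
    ip: str
    port: int = 80
    max_connections: int = 0   # 0 = no limit, as in the web-based manager example
    alive: bool = True
    failures: int = 0
    active: int = 0            # sessions currently open to this server


# (ip, port, path) -> page body, or None when the request timed out
Fetch = Callable[[str, int, str], Optional[str]]


def probe(server: RealServer, monitor: Monitor, fetch: Fetch) -> bool:
    """One health check. The server passes only if a page came back (no timeout)
    and it contains the matched phrase; otherwise the failure counter advances."""
    body = fetch(server.ip, server.port, monitor.http_get)
    if body is not None and monitor.http_match in body:
        server.failures = 0
        server.alive = True
    else:
        server.failures += 1
        if server.failures >= monitor.retry:
            server.alive = False
    return server.alive


def first_alive(servers: List[RealServer]) -> Optional[RealServer]:
    """First Alive: a new session goes to the first real server that is up and,
    when a Maximum Connections limit is set, not yet at that limit."""
    for s in servers:
        if s.alive and (s.max_connections == 0 or s.active < s.max_connections):
            return s
    return None


def run_scenario() -> Dict[str, List[str]]:
    """Constructed scenario of six probe rounds:
    rounds 1-3: 10.10.10.44 answers with the wrong page and is marked down after 3 failures;
    rounds 4-6: 10.10.10.42 stops answering (timeout) and is marked down, so First Alive
    moves new sessions to 10.10.10.43."""
    responses: Dict[str, Optional[str]] = {   # constructed, not captured from real servers
        "10.10.10.42": "<html><body>Fortinet products</body></html>",
        "10.10.10.43": "<html><body>Fortinet products</body></html>",
        "10.10.10.44": "<html><body>Maintenance page</body></html>",  # reachable, wrong content
    }

    def fetch(ip: str, port: int, path: str) -> Optional[str]:
        if port != 80 or path != "/index.html":
            return None
        return responses.get(ip)

    monitor = Monitor(http_get="/index.html", http_match="Fortinet products", retry=3)
    servers = [RealServer("10.10.10.42"), RealServer("10.10.10.43"), RealServer("10.10.10.44")]
    picks = []
    for round_no in range(1, 7):
        if round_no == 4:
            responses["10.10.10.42"] = None   # from now on 10.10.10.42 times out
        for s in servers:
            probe(s, monitor, fetch)
        chosen = first_alive(servers)
        picks.append(chosen.ip if chosen else "none")
    return {"picks": picks, "down": [s.ip for s in servers if not s.alive]}


if __name__ == "__main__":
    print(run_scenario())
```

The point to take from running it is that a wrong page is as much a failure as a timeout, and that the server is not removed on the first bad probe: with retry 3 and interval 10 seconds as configured above, a failed real server keeps receiving all new sessions for up to about 30 seconds before First Alive moves them to the next server.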

IP, TCP, and UDP load balancing

You can load balance all IP, TCP or UDP sessions accepted by a security policy that includes a load balancing virtual server with the type set to IP, TCP, or UDP. Traffic whose destination IP address and port match the virtual server IP address and port is load balanced. For these protocol-level load balancing virtual servers you can select a load balance method and add real servers and health checking; however, you cannot configure persistence, HTTP multiplexing, or SSL offloading.