FortiWAN – Log

Log

This topic covers how to configure logging and how to forward logs. FortiWAN log records store a wide variety of data concerning the System, Firewall, Routing, Bandwidth Management and so on. Log files can be forwarded to other servers for archiving, and events can be notified via email (see “Log Control” and “Log Notification”).

Additionally, FortiWAN offers a powerful reporting and analysis tool, Reports. This web-based analysis software, either embedded in FortiWAN or running on an independent machine, enables administrators to gain insight into network traffic without manually filtering through large volumes of log data (see “Enable Reports”).

FortiWAN Traffic Statistics for Tunnel Routing and IPSec

Traffic Statistics for Tunnel Routing and IPSec

Compared with ordinary IP transmission, traffic transferred through FortiWAN’s Tunnel Routing or IPSec carries the extra overhead of GRE/ESP encapsulation and decapsulation (see “Tunnel Routing” and “IPSec VPN”). So that bandwidth can be allocated individually to the applications that end up encapsulated in GRE and ESP packets, Tunnel Routing and IPSec are designed to be transparent to Bandwidth Management (see “Bandwidth Management”): Bandwidth Management shapes the traffic before packet encapsulation or after packet decapsulation. FortiWAN’s traffic statistics are tied to the operation of Bandwidth Management, which implies that Tunnel Routing and IPSec traffic is only partially visible to the statistics functions. FortiWAN provides traffic statistics in three ways: BM logs, statistics on the Web UI, and FortiWAN Reports. Traffic statistics for Tunnel Routing and IPSec in each of the three are discussed below.

BM logs

A BM log is actually a traffic statistic (inbound-pkts, inbound-bytes, outbound-pkts, outbound-bytes, total-pkts and total-bytes) over a time period for a flow (source IP, destination IP, source port and destination port) that matches a Bandwidth Management filter (see Log format in “Log View”). Bandwidth Management treats the traffic the same no matter whether it is later transferred through Tunnel Routing or IPSec. Consequently a BM log does not directly indicate (through the source port and destination port fields) whether a transmission is carried by Tunnel Routing, IPSec or normal IP routing. You can only infer a Tunnel Routing or IPSec transmission from the source IP and destination IP in the logs, and only if those IP addresses are used exclusively for Tunnel Routing or IPSec transmission. The only case in which GRE or ESP appears in the source port and destination port fields of a BM log is when the traffic originates from other VPN devices and passes through FortiWAN.

Statistics on Web UI

The pages Statistics > Traffic and Statistics > BM (see “Statistics > Traffic” and “Statistics > BM”) report traffic statistics by WAN link and by defined Bandwidth Management class, which tells nothing directly about Tunnel Routing and IPSec traffic. The way to identify traffic transferred through Tunnel Routing or IPSec is to create a BM class and BM filter that classify the traffic by the source IP and destination IP defined in Tunnel Routing’s routing rules or IPSec’s Quick Mode selectors.

The page Statistics > Tunnel Traffic (see “Statistics > Tunnel Traffic”) is the only page that reports traffic statistics for Tunnel Routing. Although statistics are reported per defined Tunnel Routing group, statistics for the individual applications inside the tunnel traffic are unavailable here.

The page Statistics > IPSec (see “Statistics > IPSec”) gives no traffic statistics for IPSec; only IPSec connectivity states are reported there.

FortiWAN Reports

Unlike in BM logs, the service of traffic transferred through Tunnel Routing is shown as GRE in Reports (see “Reports > Bandwidth Usage > Services”). The individual service types of the original packets encapsulated by Tunnel Routing become invisible in Reports. GRE traffic passing through FortiWAN from other VPN devices and GRE traffic generated by FortiWAN’s Tunnel Routing are both counted into the GRE service on the page Reports > Bandwidth Usage > Services, which can be confusing; drilling down by Internal IP, Inclass or Outclass separates them. As for traffic transferred through IPSec, Reports counts it by individual application (the original packets before ESP encapsulation or after ESP decapsulation) rather than into an ESP service. FortiWAN IPSec is transparent to Reports statistics.

Here is a summary of the discussion above (O = the function sees this traffic, X = it does not).

Traffic transferred through IPSec Tunnel mode

              Original traffic   ESP encapsulated traffic
BM Control    O                  X
BM log        O                  X
Reports       O                  X

Traffic transferred through Tunnel Routing or IPSec Transport mode

              Original traffic   GRE encapsulated traffic   ESP encapsulated traffic
BM Control    O                  X                          X
BM log        O                  X                          X
Reports       X                  O                          X

A simple example explains the difference between the three statistics methods. Consider that user A generates 60MB of FTP traffic and 80MB of HTTP traffic and transfers them through normal IP routing, while user B generates 40MB of FTP traffic and 20MB of HTTP traffic and transfers them through Tunnel Routing (through one tunnel group). All the traffic is controlled by Bandwidth Management, so there will be four BM logs indicating:

  • user A (source IP) generates FTP traffic (source or destination port): 60MB
  • user B (source IP) generates FTP traffic (source or destination port): 40MB
  • user A (source IP) generates HTTP traffic (source or destination port): 80MB
  • user B (source IP) generates HTTP traffic (source or destination port): 20MB

From the BM logs alone, we cannot tell which traffic was transferred through Tunnel Routing. All the logs tell us is that 100MB of FTP traffic and 100MB of HTTP traffic passed through FortiWAN, 200MB in total.

On the page Statistics > Tunnel Traffic, we see 60MB of tunnel traffic (part of the 200MB) belonging to the tunnel group. However, it tells nothing about the statistics for the individual services (FTP and HTTP) inside the tunnel traffic.

As for Reports > Bandwidth Usage > Services, statistics by service are displayed as follows:

  • FTP = 60MB
  • HTTP = 80MB
  • GRE = 60MB
  • Total = 200MB

All the tunnel traffic (the FTP and HTTP generated by user B) is classified as GRE, and we cannot see what the original services inside it are. What we can do is drill down by Internal IP to identify the generator, user B, or drill down by Inclass and Outclass to identify the individual services, provided the corresponding BM classes are well defined.

Considering the IPSec transmission with the same example, user B generates the same traffic but transfers it through IPSec. The BM logs are the same as discussed above, and again do not tell which service is transferred through IPSec. On the page Reports > Bandwidth Usage > Services, the traffic is counted as follows:

  • FTP = 100MB
  • HTTP = 100MB
  • Total = 200MB

Drilling it down by Internal IP can identify the generators user A and user B, but it tells nothing about service ESP.
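The following Python script is an added example and is not part of the FortiWAN manual or product. Using the same figures as the example above (users A and B, FTP and HTTP, one tunnel group), it shows how the per-service split of the tunnel traffic, which neither the BM logs, the Tunnel Traffic page nor Reports give on their own, can be recovered by joining BM log records with the subnets configured in the Tunnel Routing rules, the inference suggested in the BM logs discussion above. Only the BM log field names come from the text; the comma-separated record layout, the subnets, the IP addresses and the byte counts are constructed for the example, and the real BM log format is the one documented in Log View.

```python
"""Added example (not FortiWAN code): recover the per-service split of
Tunnel Routing traffic from BM log records plus the Tunnel Routing subnets.

Field names follow the manual (source IP, destination IP, source port,
destination port, inbound/outbound bytes). The CSV layout and all sample
values are constructed for this example, not FortiWAN's actual log format.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MB = 1024 * 1024

# Constructed: the local and opposite subnets of one tunnel group's routing
# rules. Only a flow whose source and destination both fall inside these
# subnets is carried by Tunnel Routing; the BM record itself never says so.
TUNNEL_LOCAL = [ip_network("10.1.0.0/24")]
TUNNEL_REMOTE = [ip_network("10.2.0.0/24")]

# Server ports that name the BM filter a record matched (constructed).
SERVICES = {21: "FTP", 80: "HTTP"}

# Constructed BM log records: src_ip,dst_ip,src_port,dst_port,in_bytes,out_bytes
# User A (10.1.0.10 -> 203.0.113.5) is routed normally; user B
# (10.1.0.20 -> 10.2.0.30) matches the tunnel group's subnets.
BM_LOG = """\
10.1.0.10,203.0.113.5,51000,21,0,62914560
10.1.0.20,10.2.0.30,51001,21,0,41943040
10.1.0.10,203.0.113.5,51002,80,0,83886080
10.1.0.20,10.2.0.30,51003,80,0,20971520
"""


def service_of(src_port, dst_port):
    """The BM filter matches on source or destination port; name the service
    by whichever side is a known server port."""
    return SERVICES.get(dst_port) or SERVICES.get(src_port) or "other"


def via_tunnel(src, dst):
    """True only if both endpoints sit in the tunnel group's local/opposite subnets."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in n for n in TUNNEL_LOCAL) and any(d in n for n in TUNNEL_REMOTE)


def summarise(log_text):
    """Return {(service, path): MB} with path 'tunnel' or 'direct'.
    This is the view none of the three built-in statistics gives directly."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, in_b, out_b = line.split(",")
        path = "tunnel" if via_tunnel(src, dst) else "direct"
        totals[(service_of(int(sport), int(dport)), path)] += int(in_b) + int(out_b)
    return {k: v // MB for k, v in totals.items()}


def bm_view(summary):
    """What BM logs alone show: totals per service, no hint of the path."""
    out = defaultdict(int)
    for (svc, _path), mb in summary.items():
        out[svc] += mb
    return dict(out)


def tunnel_traffic_view(summary):
    """What Statistics > Tunnel Traffic shows: tunnel bytes, no services."""
    return sum(mb for (_svc, path), mb in summary.items() if path == "tunnel")


def reports_view(summary):
    """What Reports > Bandwidth Usage > Services shows for Tunnel Routing:
    everything tunnelled collapses into the GRE service."""
    out = defaultdict(int)
    for (svc, path), mb in summary.items():
        out["GRE" if path == "tunnel" else svc] += mb
    return dict(out)


if __name__ == "__main__":
    s = summarise(BM_LOG)
    print("BM logs by service:     ", bm_view(s))
    print("Tunnel Traffic page (MB):", tunnel_traffic_view(s))
    print("Reports > Services:     ", reports_view(s))
    print("Recovered tunnel split: ", {k: v for k, v in s.items() if k[1] == "tunnel"})
```

The join only works because the tunnel subnets are dedicated to Tunnel Routing; if the same addresses also carry normally routed traffic, the BM log cannot separate the two paths, which is exactly the limitation the text describes.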

 

FortiWAN IPSec

IPSec

IPSec Statistics reports the usage and states of your configured IPSec Security Associations (see “IPSec”). Go to Statistics > IPSec; a selector bar and two statistics tables are displayed.

Selector

Select the combination of Mode and Phase 1 here; the statistics of the related IPSec SAs are then reported.

Mode Select the mode, Tunnel mode or Transport mode, of the security associations you want to inspect.
Phase 1 Name All the configured Phase 1 names of the mode selected above are listed in the drop-down menu. Select a Phase 1 name (ISAKMP SA) to display the statistics of the associated IPSec SAs (Phase 2).
Refresh Click to refresh the statistics page.

Statistics of the IPSec SAs associated with the selected ISAKMP SA are displayed in two tables, Security Association Database and Security Policy Database.

Security Association Database

Lists information about each IPSec SA, including local and remote IP addresses, negotiated encryption and authentication algorithms, timing and state.

Local IP The local IP address of the IPSec SA.
Remote IP The remote IP address of the IPSec SA.
Encryption The encryption algorithm that the IPSec SA employs.
Authentication The authentication algorithm that the IPSec SA employs.
Used time (s) The time elapsed (in seconds) since the IPSec SA was established.
Life time (s) The interval (in seconds) during which the IPSec SA’s key is valid. When the key expires, IKE Phase 2 is performed automatically to establish a new IPSec SA with a newly negotiated key. This value is equal to the Keylife of the corresponding Phase 2 configuration.
Change time (s) The time (in seconds) at which the system starts to establish a new IPSec SA to replace the current one before it expires. The replacement is prepared in advance so that it takes over from the expiring IPSec SA in time. This value is derived from Life time and determined by the system.
Status State of the IPSec SA:
  • larval: IKE Phase 2 is in progress to establish the IPSec SA
  • mature: the IPSec SA is established and still valid
  • dying: the IPSec SA is about to expire, and another IKE Phase 2 is in progress to take over
  • dead: connectivity between the two endpoints communicating through the IPSec SA is down; the peer is unavailable
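The following Python check is an added example and is not part of the FortiWAN manual or product. It applies the lifecycle described above to rows copied out of the Security Association Database table and flags SAs whose timing and Status disagree: a mature SA past its Change time with no replacement in progress, a dying SA with no larval or mature successor for the same endpoint pair, and any SA past its Life time that is still present. The row layout, the sample values and the assumption that Used time and Change time are measured from the same origin (establishment of the SA) are constructed for the example.

```python
"""Added example (not FortiWAN code): consistency check over rows of the
Statistics > IPSec > Security Association Database table.

Assumption (not stated by the manual): Used time and Change time count
from the same origin, so 'used_s >= change_s' means the rekey window has
been reached. All sample rows are constructed.
"""
from dataclasses import dataclass

KNOWN_STATES = ("larval", "mature", "dying", "dead")


@dataclass
class SARow:
    local_ip: str
    remote_ip: str
    used_s: int     # Used time (s): seconds since the SA was established
    life_s: int     # Life time (s): equals the Phase 2 Keylife
    change_s: int   # Change time (s): when the replacement Phase 2 should start
    status: str     # larval | mature | dying | dead


def check_sad(rows):
    """Return a list of (local_ip, remote_ip, finding) for rows that contradict
    the documented lifecycle. An empty list means the table looks healthy."""
    findings = []
    # Group by endpoint pair: a replacement SA shows up as a second row
    # (larval, then mature) for the same Local IP / Remote IP.
    by_pair = {}
    for r in rows:
        by_pair.setdefault((r.local_ip, r.remote_ip), []).append(r)

    for (local, remote), group in by_pair.items():
        statuses = [r.status for r in group]
        for r in group:
            if r.status not in KNOWN_STATES:
                findings.append((local, remote, f"unknown status {r.status!r}"))
                continue
            if r.status == "dead":
                findings.append((local, remote, "peer unreachable (dead)"))
            # Past Life time the key is no longer valid; the row should have
            # been replaced by a fresh SA (or the peer is gone).
            if r.used_s > r.life_s and r.status != "dead":
                findings.append((local, remote, "SA past its Life time but not replaced"))
            # At Change time the system should already be negotiating the
            # successor, so a lone mature SA here means the rekey has not started.
            if r.status == "mature" and r.used_s >= r.change_s and len(group) == 1:
                findings.append((local, remote, "past Change time but no rekey in progress"))
            # A dying SA must have its successor (larval or already mature) alongside.
            if r.status == "dying" and "larval" not in statuses and "mature" not in statuses:
                findings.append((local, remote, "dying SA with no replacement SA"))
    return findings


# Constructed sample table: one healthy SA, one healthy rekey in progress,
# one overdue rekey, one expired SA that was never replaced.
SAMPLE_ROWS = [
    SARow("192.0.2.1", "198.51.100.1", 1200, 3600, 3000, "mature"),
    SARow("192.0.2.1", "198.51.100.2", 3100, 3600, 3000, "dying"),
    SARow("192.0.2.1", "198.51.100.2", 10, 3600, 3000, "larval"),
    SARow("192.0.2.1", "198.51.100.3", 3200, 3600, 3000, "mature"),
    SARow("192.0.2.1", "198.51.100.4", 3700, 3600, 3000, "mature"),
]

if __name__ == "__main__":
    for local, remote, finding in check_sad(SAMPLE_ROWS):
        print(f"{local} -> {remote}: {finding}")
```

A lone mature SA sitting past its Change time is the case worth alerting on: the text says the replacement is supposed to be prepared in advance, so its absence points at a Phase 2 negotiation that is failing rather than at a display artefact.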

Security Policy Database

Lists the Quick Mode selector of each IPSec SA and the related time stamps.

Name The unique name of the IPSec SA (the name configured for the Phase 2).
Source[port] For IPSec in Tunnel mode, this is the Source and Source Port of the Quick Mode selector of the IPSec SA (the Source and Port configured for the Phase 2). For IPSec in Transport mode, this is the source IP address of the Tunnel Routing packets (GRE encapsulated), which is equal to the Local IP of the IPSec SA (the Local IP configured for the Phase 1). Port information is not listed in this case.
Destination[port] For IPSec in Tunnel mode, this is the Destination and Destination Port of the Quick Mode selector of the IPSec SA (the Destination and Port configured for the Phase 2). For IPSec in Transport mode, this is the destination IP address of the Tunnel Routing packets (GRE encapsulated), which is equal to the Remote IP of the IPSec SA (the Remote IP configured for the Phase 1). Port information is not listed in this case.
Protocol For IPSec in Tunnel mode, this is the Protocol of the Quick Mode selector of the IPSec SA (the Protocol configured for the Phase 2). For IPSec in Transport mode, this is always “gre”.
Created time The time at which the IPSec SA was established.
Last used time The time at which the IPSec SA was last applied to a data packet.

For the details of parameters of IPSec, see “IPSec VPN in the Web UI”.

FortiWAN Tunnel Traffic

Tunnel Traffic

This page collects inbound/outbound traffic statistics for Tunnel Routing over the past 60 minutes, 24 hours and 30 days. Statistics are displayed in charts.

Traffic Type : Traffic flow direction.
Time : Collect statistics for the past 60 minutes, 24 hours or 30 days.
Tunnel Routing Group : Select a group from the list. If the group contains N tunnels, N statistical charts are shown.

FortiWAN Tunnel Status

Tunnel Status

Tunnel Status displays the connectivity of every single GRE tunnel of each tunnel group defined in Service > Tunnel Routing (see Tunnel Routing) and statistics of the corresponding data transmission.

Tunnel Group The drop-down menu lists all the tunnel groups defined in Service > Tunnel Routing. Select the tunnel group to monitor. The statistics of the specified tunnel group are displayed in the Tunnel Health Status table below.
Automatic Refresh Enable automatic refresh by selecting the time interval (Every 3, 6, 9, 15, … Seconds) at which the statistics are refreshed, or disable it by selecting Disabled. When enabled, the statistics here are refreshed periodically.

Tunnel Health Status

This table displays the connectivity and statistics of the specified tunnel group in the following four fields.

Tunnel The GRE tunnel defined in the specified tunnel group, represented by the pair of its local and remote IP addresses.
3-Second Statistics Statistics of data transmission through this tunnel in the past 3 seconds, represented by RX Packets, RX Kbps, TX Packets and TX Kbps.
1-Minute Statistics Statistics of data transmission through this tunnel in the past 1 minute, represented by RX Packets, RX Kbps, TX Packets and TX Kbps.

Status Indicates the connectivity of the tunnel with a colour scheme:

Green indicates the tunnel is available (OK).

Red indicates the tunnel is unavailable (failed).

Moreover, the round trip time (RTT) between the two endpoints of the tunnel is provided here for reference. The RTT is blank if the tunnel has failed. You can also get the RTT of the tunnel by running Tunnel Routing’s benchmark (see Tunnel Routing – Benchmark).

Default Rule Subnets

This table lists the subnets (in the local and remote sites) that make up the default rules of the specified tunnel group. See How to set up routing rules for Tunnel Routing for the details of the default rule of a tunnel group.

Local Subnets The local subnets (subnets in the local site) of the default routing rules of the specified tunnel group. Blank if no default rule is enabled.
Opposite Subnets The opposite subnets (subnets in the remote site) of the default routing rules of the specified tunnel group. Blank if no default rule is enabled.

For a tunnel group, the default rule subnets listed here and those on the corresponding page of the remote Web UI are expected to be the same, with the positions swapped: the local subnets here are the opposite subnets for the remote site, and the opposite subnets here are the local subnets for the remote site. A mismatch between the two sides indicates inconsistent default rules.

FortiWAN FQDN

FQDN

The IPv4 and IPv6 addresses of the FQDNs connected via FortiWAN are shown on this page.

IPv4 FQDN

FQDN : The FQDN connected via FortiWAN.
IPv4 Address : IPv4 addresses of the FQDN connected via FortiWAN. At most 20 addresses are maintained.

IPv6 FQDN

FQDN : The FQDN connected via FortiWAN.
IPv6 Address : IPv6 addresses of the FQDN connected via FortiWAN. At most 20 addresses are maintained.

FortiWAN Virtual Server Status

Virtual Server Status

This page displays the status and statistics of the virtual servers defined in Service/Virtual Server.

Automatic Refresh : Enable it and choose the refresh interval.
Virtual Server Status : Green = OK; Red = Failed.
WAN IP : Displays the WAN IPs defined in the rules on the Service/Virtual Server page.
Service : Displays the services defined in the rules on the Service/Virtual Server page. These are the services available through the virtual servers.
Server IP : Displays the server IPs defined in the rules on the Service/Virtual Server page. These are the real servers behind the virtual servers.
Detect : Displays the detection method, TCP or ICMP.
Status : Displays the detection result.

 

Connection Limit

Connection Limit

This page enables administrators to inspect the number of established connections in real time and to adjust the maximum number of connections allowed on the [Service] -> [Connection Limit] page, so as to avoid network congestion.

Automatic Refresh : Select the auto-refresh interval, or disable the function.
No. : Rank of the IP addresses by the number of connections established.
IP : Shows the source IP of the connections.
Connections : Shows the number of connections established by the source IP address that are still active in the system. A connection in the system may be one with traffic flowing or an idle one. This number varies as connections close and new ones open.
Clear : The system maintains the tables and information needed for its connections. Click the button to abort the connections established by the source IP address and release the memory they occupy. When the system is under attack with high volumes of malicious connections, FortiWAN’s Connection Limit (see “Connection Limit”) stops subsequent connections from the malicious IP addresses, but it takes time for the system to recover the bandwidth and memory occupied by the malicious connections that are already established. The Clear button terminates them immediately.