Latest status update discussing some video quality upgrades we will be getting soon etc.
Latest status update discussing some video quality upgrades we will be getting soon etc.
A lot of people that have fairly strict policy sets end up having matchmaking issues with their gaming consoles when behind a FortiGate. I discuss two methods to resolving this issue. Videos are going to start discussing a lot more architecture driven topics to help ensure everyone is building the best network possible!
This section explains how to configure the FortiGate unit for logging and reporting in a larger network, such as an enterprise network. To set up this type of network, you are modifying the default log settings, and you are also modifying the default report.
The following procedures are examples and can be used to help you when configuring your own network’s log topology.
Since some of these settings must be modified or enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any that you would need to use in your own newtork’s log topology.
The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled and well as logging to either the FortiGate unit’s system memory or hard disk, depending on the model.
When the FortiGate unit’s default log device is its system memory, you can modify it to fit your log network topology. In this topic, the following is an example of how you can modify these default settings.
config log memory setting set status enable
end
config log memory filter set forward-traffic enable set local-traffic enable set sniffer-traffic enable set anomaly enable set voip enable set multicast-traffic enable
set dns enable
end
You will have to modify each FortiGate unit’s hard disk default log settings. The following is an example of how to modify these default settings.
config log disk setting set ips-archive disable set status enable set max-log-file-size 1000 set storage Internal set log-quota 100 set report-quota 100
end
config log eventfilter set event enable set system enable set vpn enable set user enable set router disable set wan-opt disable
end
After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.
diag log test
When you enter the command, the following appears:
generating a system event message with level – warning generating an infected virus message with level – warning generating a blocked virus message with level – warning generating a URL block message with level – warning generating a DLP message with level – warning generating an IPS log message generating an anomaly log message generating an application control IM message with level – information generating an IPv6 application control IM message with level – information generating deep application control logs with level – information generating an antispam message with level – notification generating an allowed traffic message with level – notice generating a multicast traffic message with level – notice generating a ipv6 traffic message with level – notice generating a wanopt traffic log message with level – notification generating a HA event message with level – warning generating netscan log messages with level – notice generating a VOIP event message with level – information generating a DNS event message with level – information generating authentication event messages generating a Forticlient message with level – information generating a URL block message with level – warning
You will be able to tell the test log messages from real log messages because they do not have “real” information; for example, the test log messages for the vulnerability scan contain the destination IP address of 1.1.1.1 or 2.2.2.2.
Even though you are logging to multiple FortiAnalyzer units, this is more of a redundancy solution rather than a complete backup solution in this example.
The multiple FortiAnalyzer units act similar to a HA cluster, since if one FortiAnalyzer unit fails, the others continue storing the logs they receive. In a backup solution, the logs are backed up to another secure location if something happens to the log device.
A good alternate or redundant option is the FortiCloud service, which can provide secure online logging and management for multiple devices.
The following example shows how to configure logging to multiple FortiAnalyzer units. Configuring multiple FortiAnalyzer units is quick and easy; however, you can only configure up to three FortiAnalyzer units per FortiGate unit.
end
config log fortianalyzer filter set forward-traffic (enable | disable) … end
end
config log fortianalyzer2 filter set event (enable | disable) … end
end
config log fortianalyzer3 filter set voip (enable | disable) … end
The FortiCloud server can be used as a redundant backup, or your primary logging solution. The following assumes that this service has already been registered, and a subscription has been purchased for expanded space. The following is an example of how to these settings are configured for a network’s log configuration. You need to have access to both the CLI and the web-based manager when configuring uploading of logs. The upload time and interval settings can be configured in the web-based interface.
Frustrating that for the second time in 60 days my Macbook Pro has died….oh well, here are some status updates.
This section explains how to configure the FortiGate unit for logging and reporting in a small office or SOHO/SMB network. To properly configure this type of network, you will be modifying the default log settings, as well as the default FortiOS report.
The following procedures are examples and can be used to help you when configuring your own network’s log topology. Since some of these settings must be modified or enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any that you would need to use in your own network’s log topology.
The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled, except for traffic logging. The default logging location will be either the FortiGate unit’s system memory or hard disk, depending on the model. Units with a flash disk are not recommended for disk logging.
When the FortiGate unit’s default log device is its system memory, the following is modified for a small network topology. The following is an example of how to modify these default settings.
config log memory setting set status enable
end
config log memory filter set forward-traffic enable set local-traffic enable set sniffer-traffic enable set anomaly enable set voip disable set multicast-traffic enable
set dns enable
end
When the FortiGate unit’s default log device is its hard disk, you need to modify those settings to your network’s logging needs so that you can effectively log what you want logged. The following is an example of how to modify these default settings.
config log disk setting set ips-archive disable set status enable set max-log-file-size 1000 set storage FLASH set log-quota 100 set report-quota 100
end
config log eventfilter set event enable set system enable set vpn disable set user enable set router disable set wan-opt disable
end
After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.
diag log test
When you enter the command, the following appears:
generating a system event message with level – warning generating an infected virus message with level – warning generating a blocked virus message with level – warning generating a URL block message with level – warning generating a DLP message with level – warning generating an IPS log message generating an anomaly log message generating an application control IM message with level – information generating an IPv6 application control IM message with level – information generating deep application control logs with level – information generating an antispam message with level – notification generating an allowed traffic message with level – notice generating a multicast traffic message with level – notice generating a ipv6 traffic message with level – notice generating a wanopt traffic log message with level – notification generating a HA event message with level – warning generating netscan log messages with level – notice generating a VOIP event message with level – information generating a DNS event message with level – information generating authentication event messages generating a Forticlient message with level – information generating a URL block message with level – warning
You will be able to tell the test log messages from real log messages because they do not have “real” information; for example, the test log messages for the vulnerability scan contain the destination IP address of 1.1.1.1 or 2.2.2.2.
A backup solution provides a way to ensure logs are not lost. The following backup solution explains logging to a FortiCloud server and uploading logs to a FortiAnalyzer unit. With this backup solution, there can be three simultaneous storage locations for logs, the first being the FortiGate unit itself, the FortiAnalyzer unit and then the FortiCloud server.
The FortiCloud server can be used as a redundant backup, or your primary logging solution. The following assumes that this service has already been registered, and a subscription has been purchased for expanded space. The following is an example of how to these settings are configured for a network’s log configuration. You need to have access to both the CLI and the web-based manager when configuring uploading of logs. The upload time and interval settings can be configured in the web-based interface.
With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.
The logs will be uploaded to the FortiAnalyzer unit at a scheduled time. The following is an example of how to upload logs to a FortiAnalyzer unit.
config log fortianalyzer setting set upload-interval {daily | weekly | monthly} set upload-time <hh:mm>
end
You should test that the FortiGate unit can upload logs to the FortiAnalyzer unit, so that the settings are configured properly.
For example, the current time is 11:10 am, so Change now has the time 11:10.
The logs will be immediately sent to the FortiAnalyzer unit, and will be available to view from within the FortiAnalyzer’s interface.
When the FortiGate unit records FortiGate activity, valuable information is collected that provides insight into how to better protect network traffic against attacks, including misuse and abuse. There is a lot to consider before enabling logging on a FortiGate unit, such as what FortiGate activities to enable and which log device is best suited for your network’s logging needs. A plan can help you in deciding the FortiGate activities to log, a log device, as well as a backup solution in the event the log device fails. This plan should provide you with an outline, similar to the following:
l what FortiGate activities you want and/or need logged (for example, security features) l the logging device best suited for your network structure l if you want or require archiving of log files l ensuring logs are not lost in the event a failure occurs.
After the plan is implemented, you need to manage the logs and be prepared to expand on your log setup when the current logging requirements are outgrown. Good log management practices help you with these tasks.
Log management practices help you to improve and manage logging requirements. Logging is an ever-expanding tool that can seem to be a daunting task to manage. The following management practices will help you when issues arise, or your logging setup needs to be expanded.
Reports provide a clear, concise overview of what is happening on your network based on log data, and can be customized to serve different purposes. There are three types of reports supported by the FortiGate: FortiOS Reports, FortiCloud Reports, and FortiAnalyzer Reports.
FortiOS Reports are generated and configured on the FortiGate unit itself, FortiCloud Reports are created and configured on the FortiCloud site and mirrored to the connected FortiGate for viewing, and FortiAnalyzer reports Best practices: Log management
are created and configured on a FortiAnalyzer unit. For more information about those reports, see the FortiAnalyzer Administration Guide.
In order to create FortiOS Reports on a device, disk logging must be enabled. Not all devices are capable of disk logging; check the Feature Matrix to see if your unit has a hard disk. Once disk logging has been enabled, Local Reports can then be enabled in System > Feature Visibility in order to view and edit reports.
What are FortiOS reports?
FortiOS reports are created from logs stored on the FortiGate unit’s hard drive. These reports, generated by the FortiGate unit itself, provide a central overview of traffic and security features on the FortiGate. A default FortiOS report, called the FortiGate Security Feature Daily Activity Report, is available for you to use or modify to your requirements. The default report compiles security feature activity from various security-related logs, such as virus and attack logs. You can quickly and easily create your own report from within the management interface.
On the Log & Report > Local Reports page, you can set the frequency and timing of auto-generated reports.
You can select Run Nowon the Local Reports page to immediately create a report with the current layout and design. More complex reports may take longer to generate. After generating a report, you can view it by selecting it from the list below Run Now.
Historical reports will be marked as ‘Scheduled’ if created automatically, or ‘On Demand’ if created by selecting
Run Now.
What are FortiCloud reports?
FortiCloud reports are created from logs stored on the FortiCloud log management service. An active FortiCloud
Service Subscription is required in order to view, configure, or use these reports. They are generated by
FortiCloud according to a schedule you set, and then mirrored to the FortiGate interface and can be viewed at Log & Report > FortiCloud Reports, which may not appear in the interface until a report is created. If you wish to configure the report design or structure, you will have to do so from the FortiCloud portal website.
See the FortiCloud Administration Guide for more information about using and configuring FortiCloud reports.
The FortiGate unit supports a variety of log devices, including the FortiCloud service and FortiAnalyzer units. This provides greater flexibility not only when choosing a log device, but also when your logging requirements need updating.
When you have developed a plan that meets your logging needs and requirements, you need to select the log device that is appropriate for that plan. A log device must be able to store all the logs you need, and if you require archiving those logs, you must consider what log devices support this option.
During this process of deciding what log device meets your needs and requirements, you must also figure out how to provide a backup solution in the event the log device that the FortiGate unit is sending logs to has become unavailable. A backup solution should be an important part of your log setup because it helps you to maintain all logs and prevents lost logs, or logs that are not sent to the log device. For example, a daily backup of log files to the FortiAnalyzer unit occurs at 5 pm.
Log devices provide a central location for storing logs recorded by the FortiGate unit. The following are log devices that the FortiGate unit supports:
l FortiGate system memory l Hard disk or AMC l SQL database (for FortiGate units that have a hard disk) l FortiAnalyzer unit l FortiCloud service l Syslog server
These log devices, except for the FortiGate system memory and local hard disk, can also be used as a backup solution. For example, you can configure logging to the FortiGate unit’s local disk, but also configure logging to a FortiCloud server and archive logs to both the FortiCloud server and a FortiAnalyzer unit.
The FortiGate unit’s system memory and hard disk can store all log types, including log archives and traffic logs. Traffic logs and log archives are larger files, and need a lot of room when being logged by the FortiGate unit.
When the system memory is full, the FortiGate unit overwrites the oldest messages, and all log messages stored in memory are cleared when the FortiGate unit restarts. By default, logging to memory is enabled. This means that most of the time you will only need to modify the default settings to your network logging requirements. Realtime logging occurs whenever memory logging is enabled, and is enabled by default. Real-time logging means that the activity is being recorded as it happens.
All FortiGate units 100D and larger are capable of disk logging, but it is disabled by default, as it is not recommended. For flash memory-based units, constant rewrites to flash drives can reduce the lifetime and efficiency of the memory. For hard-disk units, it can affect performance under heavy strain. Therefore, disk devices
logging must be manually enabled in the CLI under config log disk setting to appear in the interface at all.
Models without a hard disk are not recommended for disk logging. For all units, disk logging must be enabled in the CLI. For some low-end and older models, disk logging is unavailable. Check a product’s Feature Matrix for more information. In either case, Fortinet recommends using either a FortiAnalyzer unit or the FortiCloud service.
Local disk or memory logging is not required for you to configure logging to a FortiAnalyzer unit.
If you are registered with the FortiCloud service, your unit will log both locally and to the service by default. In order to configure the rate and time of uploads to the service, you must register a contract account for the FortiCloud service, which will also grant you additional space.
The FortiAnalyzer unit can log all FortiGate features, which includes log archives. You can also configure the FortiGate unit to upload logs to the FortiAnalyzer unit at a scheduled time.
Encryption of the logs is supported by default and logs are sent using SSL VPN. When the FortiAnalyzer and FortiGate units have SSL encryption, both must choose a setting for the enc-algorithm command (CLI) for encryption to take place. By default, this is enabled and the default setting is a SSL communication with high and medium encryption algorithms. The setting that you choose must be the same for both.
FortiGate units can support logging to multiple FortiAnalyzer units. This logging solution is a backup redundancy solution, since logs are sent to all three units and whenever one of the FortiAnalyzer units fails, the others still carry on storing logs.
If you are using evaluation software FortiGate and FortiAnalyzer-VM images, you will only be able to use lowlevel encryption.
The FortiGate unit can also connect to a FortiAnalyzer unit using Automatic Discovery. Automatic Discovery is a method of establishing a connection to a FortiAnalyzer unit by using the FortiGate unit to find a FortiAnalyzer unit on the network. The Fortinet Discovery Protocol (FDP) is used to located the FortiAnalyzer unit. Both the FortiGate and FortiAnalyzer units must be on the same subnet to use FDP, and they must also be able to connect using UDP.
When you enable automatic discovery in the CLI, the FortiGate unit uses HELLO packets to locate any
FortiAnalyzer units that are available on the network within the same subnet. When the FortiGate unit discovers a FortiAnalyzer unit, the FortiGate unit automatically enables logging to the FortiAnalyzer unit and begins sending log data.
A Syslog server is a remote computer running syslog software. Syslog is a standard for forwarding log messages in an IP network, and can be used when considering a log backup solution for your network logging requirements. Logs that are generated in real-time are sent to the syslog server in real time with no queueing, so it can be an ideal solution for comprehensive logging, or collecting logs for later systematic analysis.
FortiGate units support the reliable syslog feature, which is based on RFC 3195. Reliable syslog logging uses TCP, which ensures that connections are set up, including that packets are transmitted.
There are several profiles available for reliable syslog, but only the RAW profile is currently supported on the FortiGate units. The RAW profile is designed to provide a high-performance, low-impact footprint using essentially the same format as the existing UDP-based syslog service. The reliable syslog feature is available on FortiGate units running FortiOS 4.0 MR1 and higher.
When enabling the reliable syslog (available only in the CLI), TCP is used. The feature is disabled by default, and when enabled, the FortiGate unit automatically changes the port number to TCP 601. This is based on RFC 3195. The default port for syslog is port 514.
If you are using the local hard disk on a device for WAN Optimization, it will not prevent you from logging to remote FortiAnalyzer devices or Syslog servers. Some models have two hard disks, allowing both local logging and Wan Opt.
If you have Virtual Domains configured, each VDOM may only be assigned one FortiAnalyzer device and one Syslog server, by overriding the global configuration. The root VDOM is not limited in this way.
When planning the log requirements, you must also consider your network’s topology and whether archiving is required, such as if there is a legal requirement to keep a historical record of network activity. The following explains what steps to take when choosing a log device for your specific network topology.
If it is a SOHO/SMB network, then logging to the FortiGate unit’s local hard disk or the default FortiCloud service would be efficient. If the network topology is a large enterprise, you will need FortiAnalyzer units, a FortiCloud contract, Syslog servers, or any combination.
If the network activity that is being logged needs to be archived, then, depending on your network topology, you would choose a FortiAnalyzer unit. FortiAnalyzer units store archives in the same way that FortiGate units do, but are able to store large amounts of logs and archives.
Logs can be configured to roll, which is similar to zipping a file; this will lower the space requirements needed to contain them. You can also download logs from the FortiGate unit and save them on a server or on a computer to view and access later, to prevent them from piling up and being overwritten. If you’re regularly logging large amounts of traffic, you should consider a FortiAnalyzer or FortiCloud account .
All networks grow, so investing in a device that can grow with your network and that can be expanded is a good investment. For example, if you currently have a SOHO/SMB topology, but see growth already starting, a FortiAnalyzer unit would be best. A FortiAnalyzer unit provides ample storage space, and you can add two more FortiAnalyzer units to access additional storage and create a redundancy log backup solution.
The following helps to explain how to create a log backup solution for a small network topology. This example has one FortiAnalyzer unit and a subscription to the FortiCloud Service.
By default, the FortiGate unit logs to either the system memory or hard drive, whichever is available on the FortiGate unit. Low-end FortiGate units may have logging disabled by default.
FortiAnalyzer unit.
You can only configure log settings for the FortiAnalyzer unit in the CLI. Configuring to upload logs to a FortiAnalyzer unit can be configured in both the CLI and web-based manager.
Reliable syslog verifies that logs are sent to the syslog server. When you enable this setting, the default port becomes port 601.