Handbook

Introduction
Chapter 1: What's New
Chapter 2: Key Concepts and Features
- Server load balancing
- Link load balancing
- Global load balancing
- Security
- High availability
- Virtual domains
Chapter 3: Getting Started
- Step 1: Install the appliance
- Step 2: Configure the management interface
- Step 3: Configure basic network settings
- Step 4: Test connectivity to destination servers
- Step 5: Complete product registration, licensing, and upgrades
- Step 6: Configure a basic server load balancing policy
- Step 7: Test the deployment
- Step 8: Back up the configuration
Chapter 4: Server Load Balancing
- Server load balancing basics
- Server load balancing configuration overview
- Configuring virtual servers
- Using content rewriting rules
- HSTS and HPKP support
- Configuring content routes
- Using source pools
- Using schedule pools
- Using clone pools
- Configuring Application profiles
- WebSocket load-balancing
- Configuring MSSQL profiles
- Configuring MySQL profiles
- Configuring client SSL profiles
- Configuring HTTP2 profiles
- Configuring load-balancing (LB) methods
- Configuring persistence rules
- Configuring error pages
- Configuring decompression rules
- Configuring Captcha
- Creating a PageSpeed configuration
- Creating PageSpeed profiles
- PageSpeed support and restrictions
- Configuring compression rules
- Compression and decompression
- Configuring caching rules
- Using real server pools
- Configuring real servers
- Configuring real server SSL profiles
- Using scripts
- Configuring an L2 exception list
- Creating a Web Filter Profile configuration
- Using the Web Category tab
- Configuring certificate caching
- TCP multiplexing
Chapter 5: Link Load Balancing
- Link load balancing basics
- Link load balancing configuration overview
- Configuring link policies
- Configuring a link group
- Configuring gateway links
- Configuring persistence rules
- Configuring proximity route settings
- Configuring a virtual tunnel group
Chapter 6: Global Load Balancing
- Global load balancing basics
- Global load balancing configuration overview
- Configuring servers
- Configuring a global load balance link
- Configuring data centers
- Configuring hosts
- Configuring wizard
- Configuring virtual server pools
- Configuring location lists
- Logical Topology
- Configuring a Global DNS policy
- Configuring DNS zones
- Configuring general settings
- Configuring the trust anchor key
- Configuring DNS64
- Configuring the DSSET list
- Configuring an address group
- Configuring remote DNS servers
- Configuring the response rate limit
Chapter 7: Network Security
- Security features basics
- Managing IP Reputation policy settings
- Configure IP reputation exception
- Configure IP reputation block list
- Using the Geo IP block list
- Using the Geo IP whitelist
- Special Geo codes
- Enabling denial of service protection
- Configuring an IPv4 firewall policy
- Configuring an IPv6 firewall policy
- Configuring an IPv4 connection limit policy
- Configuring an IPv6 connection limit policy
- Anti-virus
- Configuring IPS
- Zero Trust Network Access (ZTNA)
Chapter 8: DoS Protection
- Configuring DoS Protection Profile
- Configuring HTTP access limit policy
- Configuring HTTP connection flood policy
- Configuring an HTTP request flood policy
- Configuring an IP fragmentation policy
- Configuring a TCP SYN flood protection policy
- Configuring a TCP slow data flood protection policy
Chapter 9: Web Application Firewall
- Web application firewall basics
- Web application firewall configuration overview
- Configuring an OWASP TOP10 profile
- Configuring a WAF Profile
- Configuring WAF Action objects
- Configuring WAF Exception objects
- Configuring a Web Attack Signature policy
- Configuring a URL Protection policy
- Configuring an Advanced Protection policy
- Configuring an HTTP Protocol Constraint policy
- Configuring CSRF protection
- Configuring brute force attack detection
- Configuring an SQL/XSS Injection Detection policy
- Configuring a Bot Detection policy
- Configuring a Credential Stuffing Defense Policy
- Configuring a Cookie Security policy
- Configuring sensitive data protection
- Configuring Cross-Origin Resource Sharing (CORS) protection
- Configuring XML Detection
- Configuring JSON detection
- Importing XML schema
- Uploading WSDL files
- Importing JSON schema
- Configuring OpenAPI Detection
- Importing OpenAPI schema
- Configuring API Gateway
- Configuring Input Validation
- Web Vulnerability Scanner
  - WVS Profile
  - WVS Login
  - WVS Exceptions
  - Scan History
  - Scan Integration
- Web Anti-Defacement
Chapter 10: User Authentication
- Configuring AD FS Proxy
- Configuring authentication policies
- Configuring user groups
- Configuring customized authentication form
- Using the local authentication server
- Using an LDAP authentication server
- Using a RADIUS authentication server
- Configuring Duo authentication server support
- Configuring an NTLM authentication server
- Using Kerberos Authentication Relay
- Two-factor authentication
- OAuth 2.0 authentication
- Using HTTP Basic SSO
- SAML and SSO
  - Configure a SAML service provider
  - Import IDP Metadata
Chapter 11: Shared Resources
- Configuring health checks
- Configuring health check monitor
- Creating schedule groups
- Creating IP address objects
- Configuring address groups
- Creating IPv6 address objects
- Configuring address groups
- Managing the ISP address books
- Creating service objects
- Creating service groups
- Configuring WCCP
Chapter 12: Basic Networking
- Configuring network interfaces
- Configuring management interface
- Linking VDOMs for inter-VDOM routing
- Configuring static routes
- Configuring policy routes
Chapter 13: System Management
- Configuring basic system settings
- Configuring system time
- Configuring pre-login disclaimer messages
- Updating firmware
- Configuring an SMTP mail server
- Connecting to FortiGuard services
- Configuring FortiGuard service settings
- Pushing/pulling configurations
- Backing up and restoring the configuration
- SCP support for configuration backup
- Rebooting, resetting, and shutting down the system
- Create a traffic group
- Manage administrator users
  - Create administrator users
  - Create REST API administrator users
  - Configure access profiles
  - Enable password policies
- Configuring SNMP
  - Download SNMP MIBs
  - Configure SNMP threshold
  - Configure SNMP v1/v2
  - Configure SNMP v3
- Managing and validating certificates
  - Generating or importing a local certificate
  - Creating a local certificate group
  - Importing intermediate CAs
  - Creating an intermediate CA group
  - OCSP stapling
- Validating certificates
  - Importing CRLs
  - Adding OCSPs
  - Importing OCSP signing certificates
  - Importing CAs
  - Creating a CA group
- Configuring SNMP trap servers
- Configuring an email alert object
- Configuring a syslog object
- HSM Integration
Chapter 14: Logging and Reporting
- Downloading logs
- Using the security log
- Using the traffic log
- Using the script log
- Configuring local log settings
- Configuring syslog settings
- Configuring OFTP settings for FortiAnalyzer logs
- Configuring fast stats log settings
- Configuring report email
- Configuring reports
- Configuring report queries
- Configuring fast reports
- Display logs via CLI
Chapter 15: High Availability Deployments
- HA feature overview
- HA system requirements
- HA synchronization
- Configuring HA settings
- Monitoring an HA cluster
- Updating firmware for an HA cluster
- Deploying an active-passive cluster
- Deploying an active-active cluster
- Advantages of HA Active-Active-VRRP
- Deploying an active-active-VRRP cluster
Chapter 16: Virtual Domains
- Virtual domain basics
- Enabling the virtual domain feature
- Creating a virtual domain
- Assigning network interfaces and admin users to VDOMs
- Virtual domain policies
- Disabling a virtual domain
Chapter 17: SSL Offloading
- SSL offloading
- SSL decryption by forward proxy
- SSL profile configurations
- Certificate guidelines
- SSL/TLS versions and cipher suites
- Exceptions list
- SSL traffic mirroring
Chapter 18: Advanced Networking
- NAT
  - Configure source NAT
  - Configuring 1-to-1 NAT
- QoS
- OSPF
- ISP Routes
  - Reverse path route caching
- BGP
- Access list vs. prefix list
- Configuring an IPv4 access list
- Configuring an IPv6 access list
- Configuring an IPv4 prefix list
- Configuring an IPv6 prefix list
- Transparent mode
Chapter 19: Best Practices and Fine-tuning
- Regular backups
- Security
- Performance tips
- High availability
Chapter 20: Troubleshooting
- Logs
- Tools
- Save debug file
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
- Additional resources
Chapter 21: System Dashboard
- Widgets
- Dashboard management tools
Chapter 22: FortiView
- Physical Topology
- HA Status
- Server Load Balance
- Link Load Balance
  - Logical Topology
  - Link Group
- Global Load Balance
  - Logical Topology
  - Host
- Security
- All Segments
- ZTNA FortiClient endpoint
Chapter 23: Security Fabric
- Automation
- Fabric connectors
- External connectors
Appendix A: Fortinet MIBs
Appendix B: Port Numbers
Appendix C: Scripts
- Events and actions
- Predefined scripts
- Predefined Commands
- Control structures
- Operators
- String library
- Special characters
- Examples
Appendix D: Maximum Configuration Values
Change Log

Home FortiADC 7.0.2 Handbook

7.0.2

Using the traffic log

The Traffic Log table displays logs related to traffic served by the FortiADC deployment.

By default, the log is filtered to display Server Load Balancing - Layer 4 traffic logs, and the table lists the most recent records first.

You can use the following category filters to review logs of interest:

SLB Layer 4—Traffic served by Layer-4 virtual servers
SLB HTTP—Traffic served by virtual servers with HTTP profiles
SLB TCPS—Traffic served by virtual servers with TCPS profiles
SLB RADIUS—Traffic served by virtual servers with RADIUS profiles
GLB—Traffic served by global load balancing policies
SLB SIP—Traffic served by virtual servers with SIP profiles
SLB RDP—Traffic served by virtual servers with RDP profiles
SLB DNS —Traffic served by virtual servers with DNS profiles
SLB RTSP —Traffic served by virtual servers with RTSP profiles
SLB SMTP —Traffic served by virtual servers with SMTP profiles
SLB RTMP—Traffic served by virtual servers with RTMP profiles
SLB DIAMETER—Traffic served by Diameter profiles
SLB MySQL—Traffic served by MySQL profiles.
LLB — Traffic served by LLB profiles.

Within each category, you can use Filter Setting controls to filter the table based on the values of matching data:

Date
Time
Proto
Service
Src
Src_port
Dst
Dst_port
Policy
Action

The last column in each table includes a link to log details.

Before you begin:

You must have Read-Write permission for Log & Report settings.

To view and filter the log:

Go to Log & Report > Log Access > Traffic Logs to display the traffic log.
Click Filter Settings to display the filter tools.
Use the tools to filter on key columns and values.
Click Apply to apply the filter and redisplay the log.

SLB Layer 4 and SLB TCPS logs to GLB log list the log columns in the order in which they appear in the log.

SLB Layer 4 and SLB TCPS logs
Column	Example	Description
date	date=2014-12-01	Log date.
time	time=07:50:36	Log time.
log_id	log_id=0102007810	Log ID.
type	type=traffic	Log type.
subtype	subtype=slb_tcps	Log subtype: slb_layer4, slb_tcps.
pri	pri=information	Log level.
vd	vd=root	Virtual domain.
msg_id	msg_id=522030	Message ID.
duration	duration=55	Session duration.
ibytes	ibytes=138	Bytes in.
obytes	obytes=303	Bytes out.
proto	proto=6	Protocol.
service	service=tcps	Service.
src	src=31.1.1.103	Source IP address in traffic received by FortiADC.
src_port	src_port=5534	Source port.
dst	dst=21.1.1.101	Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port	dst_port=443	Destination port.
trans_src	trans_src=31.1.1.103	Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port	trans_src_port=5534	Source port in packet sent from FortiADC.
trans_dst	trans_dst=21.1.1.101	Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port	trans_dst_port=443	Destination port in packet sent from FortiADC.
policy	policy=L7vs	Virtual server name.
action	action=none	For most logs, action=none.
srccountry	srccountry=Reserved	Location of the source IP address.
dstcountry	dstcountry=Reserved	Location of the destination IP address.
real_server	real_server=2_2_2_10	Real server configured name.

SLB HTTP logs
Column	Example	Description
date	date=2014-12-01	Log date.
time	time=07:50:36	Log time.
log_id	log_id=0102007810	Log ID.
type	type=traffic	Log type.
subtype	subtype=slb_http	Log subtype: slb_http.
pri	pri=information	Log level.
vd	vd=root	Virtual domain.
msg_id	msg_id=522030	Message ID.
duration	duration=55	Session duration.
ibytes	ibytes=138	Bytes in.
obytes	obytes=303	Bytes out.
proto	proto=6	Protocol.
service	service=http	Service.
src	src=31.1.1.103	Source IP address in traffic received by FortiADC.
src_port	src_port=5534	Source port.
dst	dst=21.1.1.101	Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port	dst_port=443	Destination port.
trans_src	trans_src=31.1.1.103	Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port	trans_src_port=5534	Source port in packet sent from FortiADC.
trans_dst	trans_dst=21.1.1.101	Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port	trans_dst_port=443	Destination port in packet sent from FortiADC.
policy	policy=L7vs	Virtual server name.
action	action=none	For most logs, action=none.
http_method	http_method=get	HTTP method.
http_host	http_host=10.61.2.100	Host IP address.
http_agent	http_agent=curl/7.29.0	HTTP agent.
http_url=	http_url=/ip.php	Base URL.
http_qry	http_qry=unknown	URL parameters after the base URL.
http_cookie	http_cookie=unknown	Cookie name.
http_retcode	http_retcode=200	HTTP return code.
user	user=user1	User name.
usergrp	usergrp=companyABC	User group.
auth_status	auth_status=success	Authentication success/failure.
srccountry	srccountry=Reserved	Location of the source IP address.
dstcountry	dstcountry=Reserved	Location of the destination IP address.
real_server	real_server=2_2_2_10	Real server configured name.

SLB RADIUS log
Column	Example	Description
date	date=2014-12-01	Log date.
time	time=07:50:36	Log time.
log_id	log_id=0102007810	Log ID.
type	type=traffic	Log type.
subtype	subtype=slb_radius.	Log subtype: slb_radius.
pri	pri=information	Log level.
vd	vd=root	Virtual domain.
msg_id	msg_id=522030	Message ID.
duration	duration=55	Session duration.
ibytes	ibytes=138	Bytes in.
obytes	obytes=303	Bytes out.
proto	proto=6	Protocol.
service	service=radius	Service.
src	src=31.1.1.103	Source IP address in traffic received by FortiADC.
src_port	src_port=5534	Source port.
dst	dst=21.1.1.101	Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port	dst_port=443	Destination port.
trans_src	trans_src=31.1.1.103	Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port	trans_src_port=5534	Source port in packet sent from FortiADC.
trans_dst	trans_dst=21.1.1.101	Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port	trans_dst_port=443	Destination port in packet sent from FortiADC.
policy	policy=L7vs	Virtual server name.
action	action=none	For RADIUS, action=auth or acct.
user	user=user1	RADIUS accounting username.
srccountry	srccountry=Reserved	Location of the source IP address.
dstcountry	dstcountry=Reserved	Location of the destination IP address.
real_server	real_server=2_2_2_10	Real server configured name.

SLB RDP logs
Column	Example	Description
date	date=2016-03-18	Log date.
time	time=11:48:29	Log time.
log_id	log_id=107005800	Log ID.
type	type=traffic	Log type.
subtype	subtype=slb_rdp	Log subtype: slb_rdp.
pri	pri=information	Log level.
vd	vd=root	Virtual domain.
msg_id	msg_id=1321705	Message ID.
duration	duration=2	Session duration.
ibytes	ibytes=92	Bytes in.
obytes	obytes=400	Bytes out.
proto	proto=6	Protocol.
service	service=http	Service.
src	src=192.168.1.1	Source IP address in traffic received by FortiADC.
src_port	src_port=37869	Source port.
dst	dst=192.168.1.142	Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port	dst_port=8080	Destination port.
trans_src	trans_src=2.2.2.2	Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port	trans_src_port=58661	Source port in packet sent from FortiADC.
trans_dst	trans_dst=2.2.2.10	Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port	trans_dst_port=80	Destination port in packet sent from FortiADC.
policy	policy=vs-l7	Virtual server name.
action	action=none	For most logs, action=none.
srccountry	srccountry=Reserved	Location of the source IP address.
dstcountry	dstcountry=Reserved	Location of the destination IP address.
real_server	real_server=r_22210	Real server configured name.

SLB SIP logs
Column	Example	Description
date	date=2016-01-29	Log date.
time	time=18:06:48	Log time.
log_id	log_id=0106001134	Log ID.
type	type=traffic	Log type.
subtype	subtype=slb_sip	Log subtype: slb_sip.
pri	pri=information	Log level.
vd	vd=root	Virtual domain.
msg_id	msg_id=154799	Message ID.
duration	duration=1	Session duration.
ibytes	ibytes=44346	Bytes in.
obytes	obytes=2.2.2.10	Bytes out.
proto	proto=6	Protocol.
service	service=http	Service.
src	src=N/A	Source IP address in traffic received by FortiADC.
src_port	src_port=43672	Source port.
dst	dst=192.168.1.142	Destination IP address in traffic received by FortiADC (IP address of the virtual server).
dst_port	dst_port=8080	Destination port.
trans_src	trans_src=2.2.2.2	Source IP address in packet sent from FortiADC. Address might have been translated.
trans_src_port	trans_src_port=80	Source port in packet sent from FortiADC.
trans_dst	trans_dst=N/A	Destination IP address in packet sent from FortiADC (IP address of the real server).
trans_dst_port	trans_dst_port=none	Destination port in packet sent from FortiADC.
policy	policy=invite	Virtual server name.
action	action=sip: bob@1.1.1.1 v2.0	Invite sent to.
sip_method	sip_method=from: alice@2.2.2.2	Invite sent from.
sip_uri	sip_uri=to: server@3.3.3.3	SIP server IP address.
sip_from	sip_from=callid:1111111	SIP call ID.
sip_to	sip_to=200
sip_callid	sip_callid=Reserved	Reserved.
sip_retcode	sip_retcode=Reserved	Reserved.
srccountry	srccountry=Reserved	Location of the source IP address.
dstcountry	dstcountry=Reserved	Location of the destination IP address.
real_server	real_server=2_2_2_10	Real server configured name.

GLB log
Column	Example	Description
date	date=2014-12-01	Log date.
time	time=07:50:36	Log time.
log_id	log_id=0102007810	Log ID.
type	type=traffic	Log type.
subtype	subtype=dns	Log subtype: dns.
pri	pri=information	Log severity.
vd	vd=root	Virtual domain.
msg_id	msg_id=522030	Message ID.
proto	proto=6	Protocol.
src	src=31.1.1.103	Source IP address.
src_port	src_port=5534	Source port.
dst	dst=21.1.1.101	Destination IP address.
dst_port	dst_port=443	Destination port.
policy	policy=policy	Global load balancing policy name.
action	action=none	For most logs, action=none.
fqdn	fqdn=pool.ntp.org	FQDN from client request.
resip	resip=4.53.160.75	DNS response IP address.
srccountry	srccountry=Reserved	Location of the source IP address.
dstcountry	dstcountry=Reserved	Location of the destination IP address.

LLB log
Column	Example	Description
date	date=2014-12-01	Log date.
time	time=07:50:36	Log time.
log_id	log_id=0114000000	Log ID.
type	type=traffic	Log type.
subtype	subtype=llb	Log subtype: llb
pri	pri=information	Log severity.
vd	vd=root	Virtual domain.
msg_id	msg_id=522030	Message ID.
duration	duration=120	Session duration
ibytes	ibytes=1131	Bytes in
obytes	obytes=492	Bytes out
proto	proto=6	Protocol.
src	src=31.1.1.103	Source IP address.
src_port	src_port=5534	Source port.
dst	dst=21.1.1.101	Destination IP address.
dst_port	dst_port=443	Destination port.
policy	policy=Link_Policy	Link Policy.
action	action=vtunnel	Group Type (Link Group or Virtual Tunnel) in Link Group
srrcountry	srrcountry=Japan	Location of the source IP address
dstcountry	dstcountry=France	location of the destination IP address
gateway	gateway=none	Gateway in Link Group