Administration Guide

Appendix B - Log Integrity and Secure Log Transfer

This section identifies the options for enabling log integrity and secure log transfer settings between FortiAnalyzer and FortiGate devices.

Log Integrity

FortiAnalyzer can record an MD5 checksum for each log file so that any modification of the file after it has been sent to an analytics platform can be detected.

The log integrity setting selected determines the values recorded at the time of transmission or when rolling the log:

  • MD5: Record the log file's MD5 hash value only.
  • MD5-auth: Record the log file's MD5 hash value and authentication code.
  • None: Do not record the log file checksum (default).

Configuring log integrity settings

To configure FortiAnalyzer log integrity:
  1. In the FortiAnalyzer CLI, enter the following commands:

    configure system global

    set log-checksum {md5 | md5-auth | none}

    end

Verifying log integrity

When log integrity settings are applied, you can view the MD5 checksum for logs in FortiAnalyzer event logs and the FortiAnalyzer CLI.

To view the log file's MD5 checksum in event logs:
  1. Go to FortiSoC > Event Monitor > All Events and select an event log.
  2. In the toolbar, select Display Raw to view the raw log details.
    The MD5 checksum is included in the details of the raw log.

    id=6906469110439837696 itime=2020-12-18 06:47:59 euid=1 epid=1 dsteuid=1 dstepid=1 log_id=0031040026 subtype=logfile type=event level=information time=06:47:59 date=2020-12-18 user=system action=roll msg=Rolled log file tlog.1608270213.log of device FGVM01TM20000000 [FGVM01TM20000000] vdom root, MD5 checksum: ad85f8e889a3436d75b22b4a33c492ec userfrom=system desc=Rolling disk log file devid=FAZVMSTM20000000 devname=FAZVMSTM20000000 dtime=2020-12-18 06:47:59 itime_t=1608270479

To query the log file's MD5 checksum in the CLI:
  1. Enter the following command in the FortiAnalyzer CLI:

    execute log-integrity <device_name> <vdom name> <log_name>

    For example:

    execute log-integrity FGVM01TM20000000 root tlog.1608279204.log.gz

    Integrity checking passed:

    MD5 checksum is [82598ec0086319db73bd0f9de2396047]
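As an added example that is not part of this Fortinet guide, the following Python script performs the same check offline: it pulls the file name and the recorded MD5 out of a raw roll event such as the one shown above and recomputes the digest over an exported copy of the rolled file. This appendix does not state whether the recorded checksum covers the file as stored or its decompressed content (the CLI example queries a .gz name), so for .gz files the script hashes both and reports which one matched. SAMPLE_EVENT is constructed from the event line on this page; the command-line usage is an assumption made here.

```python
"""Verify an exported FortiAnalyzer log file against its recorded MD5.

Added example; not Fortinet code. It takes the raw 'roll' event line shown in
this appendix and a copy of the rolled file, recomputes the file's MD5 and
compares it to the recorded value. Assumption: the recorded checksum covers
the file bytes as stored; because rolled files may be queried under a .gz
name (as in the CLI example), the decompressed content is hashed as well.
"""
import gzip
import hashlib
import hmac
import re
from pathlib import Path

# Constructed from the raw event shown in the appendix (one line).
SAMPLE_EVENT = (
    "id=6906469110439837696 itime=2020-12-18 06:47:59 euid=1 epid=1 dsteuid=1 dstepid=1 "
    "log_id=0031040026 subtype=logfile type=event level=information time=06:47:59 "
    "date=2020-12-18 user=system action=roll msg=Rolled log file tlog.1608270213.log "
    "of device FGVM01TM20000000 [FGVM01TM20000000] vdom root, MD5 checksum: "
    "ad85f8e889a3436d75b22b4a33c492ec userfrom=system desc=Rolling disk log file "
    "devid=FAZVMSTM20000000 devname=FAZVMSTM20000000 dtime=2020-12-18 06:47:59 "
    "itime_t=1608270479"
)

# The rolled file name and the 32-hex-digit MD5 FortiAnalyzer wrote into the event.
ROLL_RE = re.compile(
    r"Rolled log file (?P<file>\S+) .*?MD5 checksum: (?P<md5>[0-9a-fA-F]{32})"
)


def extract_checksum(raw_event):
    """Return (file_name, md5_hex) from a roll event, or None if absent."""
    m = ROLL_RE.search(raw_event)
    if m is None:
        return None
    return m.group("file"), m.group("md5").lower()


def md5_hex(data):
    # usedforsecurity=False: MD5 is the appliance's integrity tag, not a choice made here.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def verify_bytes(data, expected_md5):
    """Constant-time comparison of the recomputed digest with the recorded one."""
    return hmac.compare_digest(md5_hex(data), expected_md5.lower())


def verify_log_file(path, raw_event):
    """Check a file on disk against the MD5 recorded in raw_event.

    Returns a dict saying which representation (stored bytes or gunzipped
    content) matched, so a real mismatch can be told apart from hashing the
    wrong representation.
    """
    found = extract_checksum(raw_event)
    if found is None:
        raise ValueError("raw event carries no MD5 checksum; is log-checksum enabled?")
    name, expected = found
    path = Path(path)
    stored = path.read_bytes()
    result = {
        "file": name,
        "expected": expected,
        "stored_match": verify_bytes(stored, expected),
        "gunzip_match": None,
    }
    if path.suffix == ".gz":
        try:
            result["gunzip_match"] = verify_bytes(gzip.decompress(stored), expected)
        except (OSError, EOFError):  # not a valid gzip stream, or truncated
            result["gunzip_match"] = False
    result["ok"] = bool(result["stored_match"] or result["gunzip_match"])
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: verify_faz_log.py <log file> <raw roll event line>")
    print(verify_log_file(sys.argv[1], sys.argv[2]))
```

If neither representation matches, compare the recomputed value with the output of execute log-integrity for the same file before concluding the export was altered in transit or at rest: a checksum recorded for the uncompressed log will never match a later compressed copy, and the script reports the two cases separately for that reason.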

Secure Log Transfer

Optimized Fabric Transfer Protocol (OFTP) is a proprietary Fortinet protocol. It is used for connectivity, performing health checks, file transfers, and log display on FortiGate. OFTP listens on ports TCP514 and UDP514.

In the default configuration, there are two communication streams between FortiGate and FortiAnalyzer. OFTP communication is encrypted and log communication is not.

  • OFTP communication occurs on TCP514 using TLS.
  • Log communication occurs on UDP514 (default setting).

To secure log transfer, you can enable TCP and encryption. When enabled, logs are transferred securely between the FortiGate and FortiAnalyzer using TCP514 (TLS).

Configuring secure log transfer settings

To enable secure log transfer:
  1. In the FortiGate CLI, enter the following commands:

    configure log fortianalyzer setting

    set reliable enable

    end

Caution

Enabling secure log transfer over TCP will impact overall logging performance.

Note

The OFTP SSL/TLS layer supports SSLv3, TLSv1.0, TLSv1.2, and TLSv1.3 (default: TLSv1.2).
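The note above lists SSLv3 and TLSv1.0 among the versions OFTP can negotiate, so after enabling secure log transfer an administrator will want to confirm what the FortiAnalyzer listener actually accepts. The Python probe below is an added example and not part of this guide: it offers one protocol version per handshake to the TCP514 listener, records which versions are accepted, and judges the outcome against a TLSv1.2 floor. FAZ_HOST is a placeholder, the floor and the judge() result format are assumptions made here, and SSLv3 is not probed because current OpenSSL builds no longer offer it.

```python
"""Check which protocol versions a FortiAnalyzer OFTP listener (TCP514) accepts.

Added example; not Fortinet code. FAZ_HOST is a placeholder, and the TLSv1.2
floor is an assumption chosen here to match the default the appendix states.
One handshake is attempted per version; judge() then reports whether anything
below the floor was accepted.
"""
import socket
import ssl

FAZ_HOST = "fortianalyzer.example.test"  # placeholder, not from the appendix
OFTP_PORT = 514                          # TCP514, as the appendix states
TIMEOUT = 5.0
FLOOR = "TLSv1.2"

# Oldest to newest, using the names ssl.SSLSocket.version() returns.
RANK = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Versions this probe can offer. SSLv3 is listed by the appendix but is compiled
# out of current OpenSSL builds, so it cannot be offered from here.
CANDIDATES = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def handshake_with(host, port, version):
    """Attempt one handshake pinned to `version`; return (accepted, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the negotiated parameters are of interest here, and appliance
    # certificates are commonly self-signed, so peer verification is disabled
    # for this diagnostic; it makes no trust decision.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Legacy versions are refused by the local OpenSSL at its default
        # security level; lowering it lets the offer reach the peer.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError) as exc:
        return False, f"not offerable locally: {exc}"
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"refused: {exc}"


def probe(host=FAZ_HOST, port=OFTP_PORT):
    """Map version name -> (accepted, detail) for every candidate version."""
    return {name: handshake_with(host, port, ver) for name, ver in CANDIDATES.items()}


def judge(results, floor=FLOOR):
    """results maps version name -> accepted (bool). Pass only if a version at
    or above the floor is accepted and nothing below it is."""
    floor_idx = RANK.index(floor)
    accepted = [v for v in RANK if results.get(v)]
    below = [v for v in accepted if RANK.index(v) < floor_idx]
    at_or_above = [v for v in accepted if RANK.index(v) >= floor_idx]
    return {
        "ok": bool(at_or_above) and not below,
        "accepted": accepted,
        "accepted_below_floor": below,
    }


if __name__ == "__main__":
    outcome = probe()
    for name, (accepted, detail) in outcome.items():
        print(f"{name:8s} {'accepted' if accepted else 'no'}  {detail}")
    print(judge({name: ok for name, (ok, _) in outcome.items()}))
```

A refusal can mean either that the listener rejected the version or that the local OpenSSL would not offer it; the detail string distinguishes the two. The verdict reports versions accepted below the floor separately from a failed modern handshake, since those are different findings: the first is a configuration to tighten, the second usually a connectivity or certificate problem.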

Supported ciphers

The set of ciphers offered is determined by the enc_algorithm value set with the configure log fortianalyzer setting command in the FortiGate CLI.

The source code for supported ciphers is as follows:

    [SSL_CIPHER_LEVEL_LOW] = "ALL:-NULL:-aNULL:@STRENGTH",
    [SSL_CIPHER_LEVEL_MEDIUM] = "HIGH:MEDIUM:-NULL:-aNULL:@STRENGTH",
    [SSL_CIPHER_LEVEL_HIGH] = "HIGH:-NULL:-aNULL:@STRENGTH",
    [SSL_CIPHER_LEVEL_DEFAULT] = "HIGH:MEDIUM:-NULL:-aNULL:@STRENGTH",
    [SSL_CIPHER_LEVEL_FIPS] = "AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:-DES:-RC4:-NULL:-MD5:-DSS:-aNULL:@STRENGTH",
    [SSL_CIPHER_LEVEL_LOW + SSL_CIPHER_NOSKEY_OFFSET] = "ALL:-NULL:-aNULL:@STRENGTH" SSL_NO_STATIC_KEY_CIPHERS,
    [SSL_CIPHER_LEVEL_MEDIUM + SSL_CIPHER_NOSKEY_OFFSET] = "HIGH:MEDIUM:-NULL:-aNULL:@STRENGTH" SSL_NO_STATIC_KEY_CIPHERS,
    [SSL_CIPHER_LEVEL_HIGH + SSL_CIPHER_NOSKEY_OFFSET] = "HIGH:-NULL:-aNULL:@STRENGTH" SSL_NO_STATIC_KEY_CIPHERS,
    [SSL_CIPHER_LEVEL_DEFAULT + SSL_CIPHER_NOSKEY_OFFSET] = "HIGH:MEDIUM:-NULL:-aNULL:@STRENGTH" SSL_NO_STATIC_KEY_CIPHERS,
    [SSL_CIPHER_LEVEL_FIPS + SSL_CIPHER_NOSKEY_OFFSET] = "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:-DES:-RC4:-NULL:-MD5:-DSS:-aNULL:@STRENGTH" SSL_NO_STATIC_KEY_CIPHERS,
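To see what these level strings mean in practice, the following Python example (added here; it is not Fortinet code) separates the suites each string lists explicitly from its exclusions, compares the two FIPS lists given above, and asks the local OpenSSL to expand a level string. SSL_NO_STATIC_KEY_CIPHERS is not expanded on this page, so the example does not guess its value; it shows only, by set difference, that the no-static-key FIPS list drops the four plain RSA AES...-SHA suites, which are the ones without forward secrecy. The forward-secrecy test is a name-prefix heuristic chosen here, and the local expansion reflects the machine running the script rather than the FortiGate's own OpenSSL build.

```python
"""Analyse the FortiGate enc_algorithm cipher strings from this appendix.

Added example; not Fortinet code. The level strings are copied from the
appendix. SSL_NO_STATIC_KEY_CIPHERS is a macro the appendix does not expand,
so nothing here guesses it; the no-static-key effect is shown only by
comparing the two explicit FIPS lists the page gives.
"""
import ssl

# Cipher strings per level, as listed in the appendix.
LEVELS = {
    "low": "ALL:-NULL:-aNULL:@STRENGTH",
    "medium": "HIGH:MEDIUM:-NULL:-aNULL:@STRENGTH",
    "high": "HIGH:-NULL:-aNULL:@STRENGTH",
    "default": "HIGH:MEDIUM:-NULL:-aNULL:@STRENGTH",
}
FIPS = (
    "AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "-DES:-RC4:-NULL:-MD5:-DSS:-aNULL:@STRENGTH"
)
FIPS_NOSKEY = (
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "-DES:-RC4:-NULL:-MD5:-DSS:-aNULL:@STRENGTH"
)


def explicit_suites(cipher_string):
    """Suite names listed positively; '-'/'!' exclusions and '@' directives are skipped."""
    return [tok for tok in cipher_string.split(":") if tok and tok[0] not in "-!@"]


def has_forward_secrecy(name):
    """Name-prefix heuristic (assumption made here): ephemeral (EC)DHE suites and
    TLS 1.3 suites (TLS_...) provide forward secrecy; static RSA, static ECDH
    (ECDH-...) and plain PSK key exchange do not."""
    return name.startswith(("DHE-", "ECDHE-", "TLS_"))


def static_key_suites(cipher_string):
    """Explicitly listed suites whose key exchange lacks forward secrecy."""
    return [s for s in explicit_suites(cipher_string) if not has_forward_secrecy(s)]


def fips_noskey_difference():
    """Suites present in the FIPS list but absent from the FIPS no-static-key list."""
    return sorted(set(explicit_suites(FIPS)) - set(explicit_suites(FIPS_NOSKEY)))


def expand_locally(cipher_string):
    """What the local OpenSSL admits for a string (its view, not the FortiGate's).
    OpenSSL appends its TLS 1.3 suites regardless of the string; an unparsable
    string yields an empty list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("FIPS suites without forward secrecy:", static_key_suites(FIPS))
    print("Dropped by the no-static-key FIPS list:", fips_noskey_difference())
    for level, spec in LEVELS.items():
        admitted = expand_locally(spec)
        weak = [s for s in admitted if not has_forward_secrecy(s)]
        print(f"{level:8s} admits {len(admitted)} suites locally, {len(weak)} without forward secrecy")
```

The low and medium strings differ from high only in the keyword tiers they start from, so the interesting comparison is between the two FIPS lists: the script's set difference is exactly the four static-RSA suites, which is what the no-static-key variants exist to remove.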
