Handbook

Logging

6.0.0
Logging

FortiOS provides a robust logging environment that enables you to monitor, store, and report traffic information and FortiGate events, including attempted logins and hardware status. Depending on your requirements, you can log to a number of different hosts.

To configure logging in the GUI, go to Log & Report > Log Settings.

To configure logging in the CLI, use the config log <log_location> commands.

For details on configuring logging see the Logging and Reporting Guide.

If you will be using several FortiGate units, you can also use a FortiAnalyzer unit for logging. For more information, see the FortiAnalyzer Administration Guide.

Syslog server

Syslog is an industry standard for collecting log messages for off-site storage. In the GUI you can send logs to a single syslog server; in the CLI you can configure up to three syslog servers, each with its own configuration options, for example sending traffic logs to one server and antivirus logs to another. The FortiGate unit sends syslog traffic over UDP port 514. Note that if a secure tunnel is configured for communication to a FortiAnalyzer unit, syslog traffic is sent over an IPsec connection, using UDP 500/4500 and IP protocol 50 (ESP).

To configure a Syslog server in the GUI, go to Log & Report > Log Settings. In the CLI use the commands:

config log syslogd setting
    set status enable
    set server <IP address or FQDN of syslog server>
end

Once the syslog server is enabled, further options let you configure a different port, a syslog facility, and the server IP address.

For syslog traffic, you can bind the logging connection to a specific interface IP address. This is configured in the CLI with the set source-ip command. When configured, that address (and therefore that interface) is used as the dedicated source for syslog traffic.

For example, to set the source IP of a Syslog server to be on the DMZ1 port with an IP of 192.168.4.5, the commands are:

config log syslogd setting
    set status enable
    set source-ip 192.168.4.5
end
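On the receiving side, the syslog server has to parse the key=value records a FortiGate emits and turn them into something actionable. The following is an added example, not Fortinet code or part of this handbook: it parses the RFC 3164 <PRI> header into facility and severity, splits the FortiGate key=value body (including quoted values containing spaces), and flags repeated failed administrator logins. The sample records and the event field names (type, action, status, user, ui) are constructed for the example and assumed, not taken from this page.

```python
import re
from collections import Counter

# Constructed sample records in the shape a FortiGate sends to syslogd: an RFC 3164
# "<PRI>" header followed by key=value pairs, quoted where the value has spaces.
# PRI 189 = facility 23 (local7) * 8 + severity 5 (notice); PRI 190 is severity 6.
# The event field names below follow common FortiGate conventions but are assumed.
SAMPLE_LINES = [
    '<189>date=2019-07-15 time=10:01:02 devname="fgt-edge" type="event" subtype="system" '
    'user="admin" ui="https(203.0.113.9)" action="login" status="failed" '
    'msg="Administrator admin login failed from https(203.0.113.9)"',
    '<189>date=2019-07-15 time=10:01:09 devname="fgt-edge" type="event" subtype="system" '
    'user="admin" ui="https(203.0.113.9)" action="login" status="failed" msg="login failed"',
    '<189>date=2019-07-15 time=10:01:15 devname="fgt-edge" type="event" subtype="system" '
    'user="admin" ui="https(203.0.113.9)" action="login" status="failed" msg="login failed"',
    '<189>date=2019-07-15 time=10:02:00 devname="fgt-edge" type="event" subtype="system" '
    'user="admin" ui="ssh(10.0.0.7)" action="login" status="success" msg="login ok"',
    '<190>date=2019-07-15 time=10:02:30 devname="fgt-edge" type="traffic" subtype="forward" '
    'srcip=10.0.0.7 dstip=198.51.100.20 dstport=443 action="accept"',
]

# key=value where the value is either "quoted text" or a bare non-space token
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return (facility, severity, fields) for one syslog line with a key=value body."""
    m = re.match(r"<(\d{1,3})>(.*)$", line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    facility, severity = divmod(int(m.group(1)), 8)
    fields = {}
    for pair in PAIR_RE.finditer(m.group(2)):
        # group(2) is the quoted value (may be an empty string), group(3) the bare value
        fields[pair.group(1)] = pair.group(2) if pair.group(2) is not None else pair.group(3)
    return facility, severity, fields


def failed_admin_logins(lines, threshold=3):
    """Count failed login events per (user, interface/source) and return the
    combinations at or above the threshold, the signal a receiver should alert on."""
    counts = Counter()
    for line in lines:
        _, _, f = parse_line(line)
        if f.get("type") == "event" and f.get("action") == "login" and f.get("status") == "failed":
            counts[(f.get("user"), f.get("ui"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (user, ui), n in failed_admin_logins(SAMPLE_LINES).items():
        print("ALERT: %d failed logins for user=%s via %s" % (n, user, ui))
```

The facility value is what the set facility option on the FortiGate controls, so a receiver can route FortiGate logs by it without inspecting the body.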

FortiToken extension to comply with PCI 3.2

For FortiToken to be PCI 3.2 compliant, multi-factor authentication with FortiOS can be globally enforced for all login methods under config system global.

When multi-factor-authentication is set to mandatory, the system collects and logs each factor (username, password, and OTP) after authentication.

Note that even if a user is not configured with two-factor authentication, an empty OTP (or any OTP entered) will make second-factor authentication pass.

Syntax:

config system global
    set multi-factor-authentication {optional | mandatory}   (default: optional)
end