Fortinet black logo

Handbook

Traffic logging

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:111593
Download PDF

Traffic logging

When you enable logging on a security policy, the FortiGate unit records the scanning process activity that occurs, as well as whether the FortiGate unit allowed or denied the traffic according to the rules stated in the security policy. This information can provide insight into whether a security policy is working properly, as well as if there needs to be any modifications to the security policy, such as adding traffic shaping for better traffic performance.

Depending on what the FortiGate unit has in the way of resources, there may be advantages in optimizing the amount of logging taking places. This is why in each policy you are given 3 options for the logging:

  • Disable Log Allowed Traffic - Does not record any log messages about traffic accepted by this policy.

If you enable Log Allowed Traffic, the following two options are available:

  • Security Events - This records only log messages relating to security events caused by traffic accepted by this policy.
  • All Sessions - This records all log messages relating to all of the traffic accepted by this policy.

Depending on the model, if the Log all Sessions option is selected there may be 2 additional options. These options are normally available in the GUI on the higher end models such as the FortiGate 600C or larger.

  • Generate Logs when Session Starts
  • Capture Packets

You can also use the CLI to enter the following command to write a log message when a session starts:

config firewall policy

edit <policy-index>

set logtraffic-start

end

Traffic is logged in the traffic log file and provides detailed information that you may not think you need, but do. For example, the traffic log can have information about an application used (web: HTTP.Image), and whether or not the packet was SNAT or DNAT translated. The following is an example of a traffic log message.

2011-04-13

05:23:47

log_id=4

type=traffic

subtype=other

pri=notice

vd=root

status="start"

src="10.41.101.20"

srcname="10.41.101.20"

src_port=58115

dst="172.20.120.100"

dstname="172.20.120.100"

dst_country="N/A"

dst_port=137

tran_ip="N/A"

tran_port=0

tran_sip="10.31.101.41"

tran_sport=58115

service="137/udp"

proto=17

app_type="N/A"

duration=0

rule=1

policyid=1

sent=0

rcvd=0

shaper_drop_sent=0

shaper_drop_rcvd=0

perip_drop=0

src_int="internal"

dst_int="wan1"

SN=97404 app="N/A"

app_cat="N/A"

carrier_ep="N/A"

If you want to know more about logging, see the Logging and Reporting chapter in the FortiOS Handbook. If you want to know more about traffic log messages, see the FortiGate Log Message Reference.

Traffic logging

When you enable logging on a security policy, the FortiGate unit records the scanning process activity that occurs, as well as whether the FortiGate unit allowed or denied the traffic according to the rules stated in the security policy. This information can provide insight into whether a security policy is working properly, as well as if there needs to be any modifications to the security policy, such as adding traffic shaping for better traffic performance.

Depending on what the FortiGate unit has in the way of resources, there may be advantages in optimizing the amount of logging taking places. This is why in each policy you are given 3 options for the logging:

  • Disable Log Allowed Traffic - Does not record any log messages about traffic accepted by this policy.

If you enable Log Allowed Traffic, the following two options are available:

  • Security Events - This records only log messages relating to security events caused by traffic accepted by this policy.
  • All Sessions - This records all log messages relating to all of the traffic accepted by this policy.

Depending on the model, if the Log all Sessions option is selected there may be 2 additional options. These options are normally available in the GUI on the higher end models such as the FortiGate 600C or larger.

  • Generate Logs when Session Starts
  • Capture Packets

You can also use the CLI to enter the following command to write a log message when a session starts:

config firewall policy

edit <policy-index>

set logtraffic-start

end

Traffic is logged in the traffic log file and provides detailed information that you may not think you need, but do. For example, the traffic log can have information about an application used (web: HTTP.Image), and whether or not the packet was SNAT or DNAT translated. The following is an example of a traffic log message.

2011-04-13

05:23:47

log_id=4

type=traffic

subtype=other

pri=notice

vd=root

status="start"

src="10.41.101.20"

srcname="10.41.101.20"

src_port=58115

dst="172.20.120.100"

dstname="172.20.120.100"

dst_country="N/A"

dst_port=137

tran_ip="N/A"

tran_port=0

tran_sip="10.31.101.41"

tran_sport=58115

service="137/udp"

proto=17

app_type="N/A"

duration=0

rule=1

policyid=1

sent=0

rcvd=0

shaper_drop_sent=0

shaper_drop_rcvd=0

perip_drop=0

src_int="internal"

dst_int="wan1"

SN=97404 app="N/A"

app_cat="N/A"

carrier_ep="N/A"

If you want to know more about logging, see the Logging and Reporting chapter in the FortiOS Handbook. If you want to know more about traffic log messages, see the FortiGate Log Message Reference.