Handbook

What's new
- Fortinet Security Fabric
- Manageability
- Networking
- Security
  - SSH MITM deep inspection
Getting started
- Installation
- Using the GUI
- Using the CLI
- FortiExplorer for iOS
- LED specifications
- Inspection mode
- Basic administration
- Firmware
- FortiGuard
- FortiCloud
- Troubleshooting your installation
- Resources
Fortinet Security Fabric
- Overview
  - Benefits
  - Components
- Configuration
- Using the Fortinet Security Fabric
- Automation stitches
- Fabric Connectors
SD-WAN
- Configuring SD-WAN
  - SD-WAN requirements
  - Configuring a basic SD-WAN deployment
- Monitoring SD-WAN
- Applying traffic shaping to SD-WAN traffic
- Viewing SD-WAN information in the Fortinet Security Fabric
High availability
- HA solutions
- FGCP HA
- FGCP HA examples
- Virtual clustering
- Full mesh HA
  - Full mesh HA example
  - Troubleshooting full mesh HA
- Operating a cluster
- Failover protection
- Session failover
- HA and load balancing
- FortiGate-VM and third-party HA
- VRRP
- FGSP
- Standalone configuration sync
Firewall
- Firewall concepts
- IPv6
- Network defense
- Policies
- Addresses
- Virtual IPs
- IP pools
- Services
- Schedules
- WAN optimization, proxies, web caching, and WCCP
- Example topologies
- WAN optimization
- Transparent and explicit proxies
- Explicit web proxy
- Explicit FTP proxy
- Web caching
- WCCP
- WAN optimization diagnose commands
Security Profiles
- Overview
- Inside FortiOS
- Inspection modes
- AntiVirus
- Web filtering
- DNS filter
  - FortiGuard botnet protection
- Application control
- Intrusion prevention
- Anti-spam filter
- Data leak prevention
- ICAP support
- FortiClient Compliance Profiles
- Proxy options
- SSL/SSH inspection
- Other considerations
Authentication
- Introduction to authentication
- Authentication servers
- Users and user groups
- FortiToken Mobile user instructions
- Managing guest access
- Configuring authenticated access
- Captive portals
- Certificate-based authentication
- Single sign-on using a FortiAuthenticator unit
- Single sign-on to Windows AD
- Agent-based FSSO
- SSO using RADIUS accounting records
- Monitoring authenticated users
- Examples and troubleshooting
IPsec VPN
- IPsec VPN concepts
  - VPN tunnels
  - VPN gateways
  - Clients, servers, and peers
  - Encryption
  - Authentication
  - Phase 1 and Phase 2 settings
  - Security Association
  - IKE and IPsec packet processing
- IPsec VPN overview
  - Types of VPNs
  - Planning your VPN
  - General preparation steps
  - How to use this guide to configure an IPsec VPN
- IPsec VPN from the GUI
  - Phase 1 configuration
  - Concentrator
  - IPsec Monitor
- Phase 1 parameters
  - Overview
  - Defining the tunnel ends
  - Choosing Main mode or Aggressive mode
  - Authenticating the FortiGate unit
  - Authenticating remote peers and clients
  - Defining IKE negotiation parameters
  - Using XAuth authentication
  - Dynamic IPsec route control
- Phase 2 parameters
  - Phase 2 settings
  - Configuring Phase 2 parameters
- Defining VPN security policies
  - Defining policy addresses
  - Defining security policies
- Gateway-to-gateway configuration
  - Gateway-to-gateway configuration
  - Testing
- Hub-and-spoke configuration
  - Configuration overview
  - Configure the hub
  - Configure the spokes
  - Dynamic spokes configuration example
- One-Click VPN (OCVPN)
  - General configuration
  - Key exchange
  - Device polling and controller information
  - System states
  - Debugging and logging
- Dynamic DNS configuration
  - Configuration overview
- FortiClient dialup-client configuration
  - Configuration overview
- FortiGate dialup-client configuration
  - Configuration overview
- Supporting IKE Mode Config clients
  - Automatic configuration overview
- Internet-browsing configuration
  - Configuration overview
- Redundant VPN configuration
  - Configuration overview
- Transparent-mode VPN configuration
  - Configuration overview
- IPv6 IPsec VPNs
  - Configuration examples
- L2TP and IPsec (Microsoft VPN)
  - Configuration overview
- GRE over IPsec (Cisco VPN)
  - Configuration overview
- Protecting OSPF with IPsec
  - Configuration overview
- Redundant OSPF routing over IPsec
  - Configuration
- BGP over dynamic IPsec
- IPsec Auto-Discovery VPN (ADVPN)
  - Example ADVPN configuration
- Logging and monitoring
  - Monitoring VPN connections
  - VPN event logs
- Troubleshooting
  - General troubleshooting tips
  - Troubleshooting L2TP and IPsec
  - Troubleshooting GRE over IPsec
SSL VPN
- Overview
- SSL VPN best practices
- Basic configuration
- SSL VPN client
  - FortiClient
  - Tunnel mode client configuration
- SSL VPN web portal
- Setup examples
- Troubleshooting
Networking
- Interfaces
- DNS
- Advanced static routing
- Dynamic routing
- Multicast forwarding
- Modems
- Troubleshooting
Transparent mode
- Overview
  - What is transparent mode?
  - Transparent mode features
- Installation
- Networking in transparent mode
- Firewalls and security in transparent mode
- IPsec VPN in transparent mode
- Using FortiManager and FortiAnalyzer
- High availability in transparent mode
  - Virtual clustering
  - MAC address assignment
- Best practices
VoIP Solutions: SIP
- Inside FortiOS: Voice over IP (VoIP) protection
- Common SIP VoIP configurations
  - Peer to peer configuration
  - SIP proxy server configuration
  - SIP redirect server configuration
  - SIP registrar configuration
  - SIP with a FortiGate
- SIP messages and media protocols
  - Hardware accelerated RTP processing
  - SIP request messages
  - SIP response messages
  - SIP message start line
  - SIP headers
  - The SIP message body and SDP session profiles
  - Example SIP messages
- The SIP session helper
  - SIP session helper configuration overview
  - Viewing, removing, and adding the SIP session helper configuration
  - Changing the port numbers that the SIP session helper listens on
  - Configuration example: SIP session helper in transparent mode
  - SIP session helper diagnose commands
- The SIP ALG
  - Enabling VoIP support from the GUI
  - SIP ALG configuration overview
  - VoIP profiles
  - Changing the port numbers that the SIP ALG listens on
  - Disabling the SIP ALG in a VoIP profile
  - SIP ALG diagnose commands
- Conflicts between the SIP ALG and the session helper
- Stateful SIP tracking, call termination, and session inactivity timeout
  - Adding a media stream timeout for SIP calls
  - Adding an idle dialog setting for SIP calls
  - Changing how long to wait for call setup to complete
- SIP and RTP/RTCP
- How the SIP ALG creates RTP pinholes
- Configuration example: SIP in transparent mode
- RTP enable/disable (RTP bypass)
- Opening and closing SIP register, contact, via and record-route pinholes
- Accepting SIP register responses
- How the SIP ALG performs NAT
  - SIP ALG source address translation
  - SIP ALG destination address translation
  - SIP call re-invite messages
  - How the SIP ALG translates IP addresses in SIP headers
  - How the SIP ALG translates IP addresses in the SIP body
  - SIP NAT scenario: source address translation (source NAT)
  - SIP NAT scenario: destination address translation (destination NAT)
  - SIP NAT configuration example: source address translation (source NAT)
  - SIP NAT configuration example: destination address translation (destination NAT)
  - SIP and RTP source NAT
  - SIP and RTP destination NAT
  - Source NAT with an IP pool
  - Different source and destination NAT for SIP and RTP
  - NAT with IP address conservation
  - Controlling how the SIP ALG NATs SIP contact header line addresses
  - Controlling NAT for addresses in SDP lines
  - Translating SIP session destination ports
  - Translating SIP sessions to multiple destination ports
  - Adding the original IP address and port to the SIP message header after NAT
- Enhancing SIP pinhole security
- Hosted NAT traversal
  - Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
  - Hosted NAT traversal for calls between SIP Phone A and SIP Phone C
  - Restricting the RTP source IP
- SIP over IPv6
- Deep SIP message inspection
  - Actions taken when a malformed message line is found
  - Logging and statistics
  - Deep SIP message inspection best practices
  - Configuring deep SIP message inspection
- Blocking SIP request messages
- SIP rate limiting
  - Limiting the number of SIP dialogs accepted by a security policy
- SIP logging
- Inspecting SIP over SSL/TLS (secure SIP)
  - Adding the SIP server and client certificates
  - Adding SIP over SSL/TLS support to a VoIP profile
- SIP and HA–session failover and geographic redundancy
  - SIP geographic redundancy
  - Supporting geographic redundancy when blocking OPTIONS messages
  - Support for RFC 2543-compliant branch parameters
- SIP and IPS
- SIP debugging
  - SIP debug log format
  - SIP-proxy filter per VDOM
  - SIP-proxy filter command
  - SIP debug setting
  - Display SIP rate-limit data
Best practices
- General considerations
- Customer service and technical support
- Fortinet Knowledge Base
- System and performance
  - Performance
  - Shutting down
- Migration
- Environmental specifications
  - Grounding
  - Rack mounting
- Firmware
- Security Profiles (AV, Web Filtering etc.)
- Networking
- FGCP high availability
  - Heartbeat interfaces
  - Interface monitoring (port monitoring)
- WAN Optimization
- Virtual Domains (VDOMs)
- Explicit proxy
- Wireless
- Logging and reporting
  - Log management
  - System memory and hard disks
Managing devices
- Managing “bring your own device”
- Managing Fortinet devices
Server load balancing
- Inside FortiOS: server load balancing
- Basic load balancing configuration example
- Configuring load balancing
- HTTP and HTTPS load balancing, multiplexing, and persistence
- SSL/TLS load balancing
- IP, TCP, and UDP load balancing
- Example HTTP load balancing to three real web servers
- Example Basic IP load balancing configuration
- Example Adding a server load balance port forwarding virtual IP
- Example Weighted load balancing configuration
- Example HTTP and HTTPS persistence configuration
System administration
- Administrators
- Monitoring
- Replacement messages
- Administration for schools
- PPTP and L2TP
  - Configuring L2TP VPNs
  - L2TP configuration overview
- Session helpers
- Advanced concepts
Traffic shaping
- Overview
- Configuring traffic shaping
- Monitoring traffic shaping
- Traffic shaping examples
- Traffic shaping priority queueing (PRIQ)
- Troubleshooting traffic shaping
Virtual Domains
- VDOMs overview
  - Benefits
  - Configurations
- Configuring VDOMs
- Example configurations
  - Example 1: NAT mode
  - Example 2: NAT and transparent mode
- Troubleshooting VDOMs
FortiWifi and FortiAP Configuration
- Introduction to wireless networking
- Captive portals
- WiFi LAN configuration
- Access point deployment
- Remote AP setup
- Wireless mesh
  - Configuring a meshed WiFi network
  - Configuring a point-to-point bridge
- Hotspot 2.0
- Combining WiFi and wired networks with a software switch
  - FortiAP local bridging (private cloud-managed AP)
  - Using bridged FortiAPs to increase scalability
- Using remote WLAN FortiAPs
- Features for high-density deployments
- Wireless network protection
- Wireless network monitoring
- Wireless network client configuration
- Wireless network examples
  - Basic wireless network example
  - Complex wireless network example
- Managing a FortiAP with FortiCloud
  - FortiCloud-managed FortiAP WiFi
  - FortiCloud-managed FortiAP WiFi without a key
- Using a FortiWiFi unit as a client
  - Using a FortiWiFi unit in the client mode
  - Configuring a FortiAP unit as a WiFi Client in client mode
- Support for location-based services
  - Configuring location tracking
  - Viewing device location data on the FortiGate unit
- Troubleshooting
- Reference
FortiSwitch devices managed by FortiOS
- Connecting FortiLink ports
- Using the FortiGate GUI
- Using the FortiGate CLI
- Network topologies
- Optional setup tasks
- FortiSwitch port features
- FortiSwitch port security policy
- Additional capabilities
- Troubleshooting
FortiOS Carrier
- Overview of FortiOS Carrier features
  - MMS
  - GTP
- MMS Concepts
- MMS Configuration
- GTP basic concepts
- GTP Configuration
- SCTP Concepts
  - SCTP Firewall
- Troubleshooting
Sandbox inspection
- Using FortiSandbox with a FortiGate
  - Connecting a FortiGate to FortiSandbox
  - FortiSandbox console
- Sandbox integration
  - Overview
  - Example configuration
- Sandbox inspection FAQ
FortiView
- Overview
  - Enabling FortiView
  - FortiView interface
- FortiView consoles
- Reference
- Troubleshooting
Logging and reporting
- Logging and reporting overview
- Logging and reporting for small networks
- Logging and reporting for large networks
- Advanced logging
- Troubleshooting and logging
Troubleshooting
- Troubleshooting methodologies
- Troubleshooting tools
- Troubleshooting tips
- Troubleshooting resources

Home FortiGate / FortiOS 6.0.0 Handbook

Advanced logging

6.0.0

Copy Link

Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:379128

Download PDF

Advanced logging

This section explains how to configure other log features within your existing log configuration. You may want to include other log features after initially configuring the log topology because the network has either outgrown the initial configuration, or you want to add additional features that will help your network’s logging requirements.

Log backup and restore tools

Local disk logs can now be backed up and restored to local files, using CLI commands:

execute log backup <filename>

execute log restore <filename>

Restoring logs will wipe the current log and report content off the disk.

Logs can also now be exported to a USB storage device, as LZ4 compressed files, from both CLI and GUI. When you insert a USB drive into the FortiGate's USB port, the USB menu will appear in the GUI. The menu shows the amount of storage on the USB disk, and the log file size, and you can select Copy to USB to copy the log data to the drive.

Configuring logging to multiple Syslog servers

A single remote Syslog server can be configured in the GUI, in Log & Report > Log Settings, but for a larger network, you will have to configure it in the CLI.

When configuring multiple Syslog servers (or one Syslog server), you can configure reliable delivery of log messages from the Syslog server. Configuring of reliable delivery is available only in the CLI.

If VDOMs are enabled, you can configure separate FortiAnalyzer unit or Syslog server for each VDOM.

To enable logging to multiple Syslog servers:

Log in to the CLI.
Enter the following commands:

config log syslogd setting

set csv {disable | enable}

set facility <facility_name>

set port <port_integer>

set reliable {disable | enable}

set server <ip_address>

set status {disable | enable}

end
Enter the following commands to configure the second Syslog server:

config log syslogd2 setting

set csv {disable | enable}

set facility <facility_name>

set port <port_integer>

set reliable {disable | enable}

set server <ip_address>

set status {disable | enable}

end
Enter the following commands to configure the third Syslog server:

config log syslogd3 setting

set csv {disable | enable}

set facility <facility_name>

set port <port_integer>

set reliable {disable | enable}

set server <ip_address>

set status {disable | enable}

end
Enter the following commands to configure the fourth Syslog server:

config log syslogd4 setting

set csv {disable | enable}

set facility <facility_name>

set port <port_integer>

set reliable {disable | enable}

set server <ip_address>

set status {disable | enable}

end

Most FortiGate features are, by default, enabled for logging. You can disable individual FortiGate features you do not want the Syslog server to record, as in this example:

config log syslogd filter

set local-traffic {enable | disable}

set severity {alert | critical | debug | emergency | error | information | notification | warning}

end

Using Automatic Discovery to connect to a FortiAnalyzer unit

Automatic Discovery can be used if the FortiAnalyzer unit is on the same network.

To connect using automatic discovery

Log in to the CLI.
Enter the following command syntax:

config log fortianalyzer setting

set status enable

set server <ip_address>

set gui-display enable

set address-mode auto-discovery

end

If your FortiGate unit is in Transparent mode, the interface using the automatic discovery feature will not carry traffic. For more information about how to enable the interface to also carry traffic when using the automatic discovery feature, see the Fortinet Knowledge Base article, Fortinet Discovery Protocol in Transparent mode.

note icon

The FortiGate unit searches within the same subnet for a response from any available FortiAnalyzer units.

Activating a FortiCloud account for logging purposes

When you subscribe to FortiCloud, you can configure to send logs to the FortiCloud server. The account activation can be done within the GUI, from the License Information widget located in Dashboard.

From this widget, you can easily create a new account, or log in to the existing account. From within the License Information widget, after the account is activated, you can go directly to the FortiCloud web portal, or log out of the service if you are already logged in.

To activate a FortiCloud account for logging purposes:

The following assumes that you are already at Dashboard and that you have located the License Information widget.

In the License Information widget, select Activate in the FortiCloud section.
The Registration window appears. From this window, you create the login credentials that you will use to access the account.
Select Create Account and enter then information for the login credentials. After entering the login credentials, you are automatically logged in to your FortiCloud account.
Check that the account has been activated by viewing the account status from the License Information widget.

If you need more space, you can subscribe to the 200Gb FortiCloud service by selecting Upgrade in the FortiCloud section of the widget.

Viewing log storage space

The Log & Report > Log Settings GUI page displays two charts to visualize disk space: Disk Usage, which is a pie-chart illustrating the Free/Used space on the internal hard drive, and Historical Disk Usage, which displays the volume of disk logging activity over time. These charts may not be visible if disk logging is disabled.

The diag sys logdisk usage command allows you to view detailed information about how much space is currently being used for logs. This is useful when you see a high percentage, such as 92 percent for the disk’s capacity. The FortiGate unit uses only 75 percent of the available disk capacity to avoid a high storage amount so when there is a high percentage, it refers to the percentage of the 75 percent that is available. For example, 92 percent of the 75 percent is available.

The following is an example of what you may see when you use diag sys logdisk usage command on a unit with no VDOMs configured:

diag sys logdisk usage

The following appears:

Total HD usage: 176MB/3011 MB

Total HD logging space: 22583MB

Total HD logging space for each vdom: 22583MB

HD logging space usage for vdom "root": 30MB/22583MB

Customizing and filtering log messages

When viewing log messages, you may want to customize and filter the information that you are seeing in the Log & Report menu (for example, Log & Report > Forward Traffic). Filtering and customizing the display provides a way to view specific log information without scrolling through pages of log messages to find the information.

Customizing log messages is the process of removing or adding columns to the log display page, allowing you to view certain desired information. The most columns represent the fields from within a log message, for example, the user column represents the user field, as well as additional information. If you want to reset the customized columns on the page back to their defaults, you need to select Reset All Columns within the column title right-click menu.

Filtering information is similar to customizing, however, filtering allows you to enter specific information that indicates what should appear on the page. For example, including only log messages that appeared on February 24, between the hours of 8:00 and 8:30 am.

To customize and filter log messages

The following is an example that displays all traffic log messages that originate from the source IP address 172.20.120.24, as well as displaying only the columns:

OS Name
OS Version
Policy ID
Src (Source IP)

The following assumes that you are already on the page of the log messages you want to customize and filter. In this example, the log messages that we are customizing and filtering are in Log & Report > Forward Traffic.

On the Forward Traffic page, right click anywhere on a column title.
Right click on a column title, and mouse over Column Settings to open the list.
Select each checkmarked title to uncheck it and remove them all from the displayed columns.
Scroll down to the list of unchecked fields and select ‘OS Name’, ‘OS Version’, ‘Policy ID’, and ‘Src’ to add checkmarks next to them.
Click outside the menu, and wait for the page to refresh with the new settings in place.
Select the funnel icon next to the word Src in the title bar of the Src column.
Enter the IP you want displayed (in this example, 172.20.120.24) in the text box.
Click Apply, and wait for the page to reload.

Viewing logs from the CLI

You can easily view log messages from within the CLI. In this example, we are viewing DLP log messages.

Log in to the CLI and then enter the following to configure the display of the DLP log messages:

execute log filter category 9

execute log filter start-line 1

execute log filter view-lines 20

The customized display of log messages in the CLI is similar to how you customize the display of log messages in the GUI. For example, category 9 is the DLP log messages, and the start-line is the first line in the log database table for DLP log messages, and there will be 20 lines (view-lines 20) that will display.
Enter the following to view the log messages: execute log display
The following appears below execute log display:

600 logs found

20 logs returned

along with the 20 DLP log messages.

Configuring NAC Quarantine logging

NAC Quarantine log messages provide information about what was banned and quarantined by a Antivirus profile. The following explains how to configure NAC Quarantine logging and enable it on a policy. This procedure assumes the Antivirus profile is already in place.

To configure NAC quarantine logging

Go to Policy & Objects > IPv4 Policy.
Select the policy that you want to apply the Antivirus profile to, and then select Edit.
Within the Security Profiles section, enable Antivirus and then select the profile from the drop-down list.
Select OK.
Log in to the CLI.
Enter the following to enable NAC Quarantine in the DLP sensor:

config antivirus profile

edit <profile_name>

config nac-quar log enable

end

Logging local-in policies

Local-in security policies are policies the control the flow of internal traffic, and can be used to broaden or restrict an administrator’s access privileges. These local-in policies can also be configured to log traffic and activity that the policies control.

You can enable logging of local-in policies in the CLI, with the following commands:

config system global

set gui-local-in-policy enable

end

The Local-In Policy page will then be available in Policy & Objects > Local In Policy. You can configure what local-in traffic to log in the CLI, or in Log & Report > Log Settings, under Local Traffic Logging.

When deciding what local-in policy traffic you want logged, consider the following:

Special Traffic

Traffic activity	Traffic Direction	Description
FortiGuard update annoucements	IN	All push announcements of updates that are coming from the FortiGuard system. For example, IPS or AV updates.
FortiGuard update requests	OUT	All updates that are checking for antivirus or IPS as well as other FortiGuard service updates.
Firewall authentication	IN	The authentication made using either the GUI or CLI.
Central management (a FortiGate unit being managed by a FortiManager unit)	IN	The access that a FortiManager has managing the FortiGate unit.
DNS	IN	All DNS traffic.
DHCP/DHCP Relay	IN	All DHCP and/or DHCP Relay traffic.
HA (heart beat sync policy)	IN/OUT	For high-end platforms with a backplane heart beat port.
HA (Session sync policy)	IN/OUT	This will get information from the CMDB and updated by session sync daemon.
CAPWAP	IN	This activity is logged only when a HAVE_CAPWAP is defined.
Radius	IN	This is recorded only within FortiCarrier.
NETBIOS forward	IN	Any interface that NETBIOS forward is enabled on.
RIP	IN
OSPF	IN
VRRP	IN
BFD	IN
IGMP	IN	This is recorded only when PIM is enabled.
PIM	IN	This is recorded only when PIM is enabled.
BGP	IN	This is recorded only when config bgp and bgp neightbor is enabled in the CLI.
WCCP policy	IN	Any interface that WCCP is enabled; however, if in Cache mode, this is not recorded because it is not available.
WAN Opt/ Web Cache	IN	Any interface where WAN Opt is enabled.
WANOpt Tunnel	IN	This is recorded when HAVE_WANOPT is defined.
SSL-VPN	IN	Any interface from a zone where the action in the policy is SSL VPN.
IPSEC	IN
L2TP	IN
PPTP	IN
VPD	IN	This is recorded only when FortiClient is enabled.
Web cache db test facility	IN	This is recorded only when WA_CS_REMOTE_TEST is defined.
GDBserver	IN	This is recorded only when debug is enabled.

Tracking specific search phrases in reports

It is possible to use the Web Filter to track specific search keywords and phrases and record the results for display in the report.

You should verify that the web filter profile you are using indicates what search phrases you want to track and monitor, so that the report includes this information.

Log in to the CLI and enter show webfilter profile default. This provides details about the webfilter profile being used by the security policy. In this example, the details (shown in the following in bold) indicate that safe search is enabled, but not specified or being logged.

show webfilter profile default

config webfilter profile

edit "default"

set comment "default web filtering"

set inspection-mode flow-based

set options https-scan

set post-action comfort

config web

set safe-search url

end

config ftgd-wf

config filters

edit 1

set action block

set category 2

next

edit 2

set action block

set category 7

next

edit 3

set action block

set category 8
Enter the following command syntax so that logging and the keyword for the safe search will be included in logging:

config webfilter profile

edit default

config web

set log-search enable

set keyword-match "fortinet" "easter" "easter bunny"

end

end
To test that the keyword search is working, go to a web browser and begin searching for the words that were included in the webfilter profile, such as easter. You can tell that the test works by going to Log & Report > Forward Traffic and viewing the log messages.

Interpreting and configuring FSSO syslog log messages

There are two syslog message formats: default and verbose. Verbose must be manually enabled as described below, but provides more general information.

Default syslog message format

The default FSSO syslog message format has no header, and is based on the specifications of RFC 3164. Messages only have two values, PRI (Priority) and MSG (Message), in the format of <PRI>MSG.

The content of PRI is as described in RFC 3164, but with specific parameters: the Facility value is always 1 (USER), unless 'Log logons in separate log' is enabled in the FSSO Collector Agent settings. In that case, those logon messages will have a Facility value of 4 or 10 (AUTH). The Severity value always matches the internal severity value of the log. PRI is enclosed in < > with no space following before MSG.

Verbose syslog message format

Verbose is a secondary message format that provides more information, including timestamp (with timezone).

In verbose mode, the log message follows the specifications of RFC 5424:

<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA/SD-ID MSG

PRI is formatted as described above in the default format.

Verbose FSSO syslog messages do not contain any data for MSGID, or STRUCTURED-DATA, so both of those two messages are recorded as a single hyphen character "-".

APP-NAME always appears as "collectoragent".

The other values are formatted as described in RFC 5424.

Enabling verbose syslog message mode

In order to enable the verbose syslog message mode, you must modify the registry on the PC that is hosting the FSSO Collector Agent.

In 64-bit Windows, locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent

In 32-bit Windows, locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent

Under this registry path, create a new DWORD (32bit) Value named syslog_using_rfc, and set its value to 1.

Advanced logging

Log backup and restore tools

Local disk logs can now be backed up and restored to local files, using CLI commands:

execute log backup <filename>

execute log restore <filename>

Restoring logs will wipe the current log and report content off the disk.

Configuring logging to multiple Syslog servers

A single remote Syslog server can be configured in the GUI, in Log & Report > Log Settings, but for a larger network, you will have to configure it in the CLI.

If VDOMs are enabled, you can configure separate FortiAnalyzer unit or Syslog server for each VDOM.

To enable logging to multiple Syslog servers:

Log in to the CLI.
Enter the following commands:

config log syslogd setting

set csv {disable | enable}

set facility <facility_name>

set port <port_integer>

set reliable {disable | enable}

set server <ip_address>

set status {disable | enable}

end
Enter the following commands to configure the second Syslog server:

config log syslogd2 setting

set csv {disable | enable}

set facility <facility_name>

set port <port_integer>

set reliable {disable | enable}

set server <ip_address>

set status {disable | enable}

end
Enter the following commands to configure the third Syslog server:

config log syslogd3 setting

set csv {disable | enable}

set facility <facility_name>

set port <port_integer>

set reliable {disable | enable}

set server <ip_address>

set status {disable | enable}

end
Enter the following commands to configure the fourth Syslog server:

config log syslogd4 setting

set csv {disable | enable}

set facility <facility_name>

set port <port_integer>

set reliable {disable | enable}

set server <ip_address>

set status {disable | enable}

end

Most FortiGate features are, by default, enabled for logging. You can disable individual FortiGate features you do not want the Syslog server to record, as in this example:

config log syslogd filter

set local-traffic {enable | disable}

set severity {alert | critical | debug | emergency | error | information | notification | warning}

end

Using Automatic Discovery to connect to a FortiAnalyzer unit

Automatic Discovery can be used if the FortiAnalyzer unit is on the same network.

To connect using automatic discovery

Log in to the CLI.
Enter the following command syntax:

config log fortianalyzer setting

set status enable

set server <ip_address>

set gui-display enable

set address-mode auto-discovery

end

note icon

The FortiGate unit searches within the same subnet for a response from any available FortiAnalyzer units.

Activating a FortiCloud account for logging purposes

To activate a FortiCloud account for logging purposes:

The following assumes that you are already at Dashboard and that you have located the License Information widget.

In the License Information widget, select Activate in the FortiCloud section.
The Registration window appears. From this window, you create the login credentials that you will use to access the account.
Select Create Account and enter then information for the login credentials. After entering the login credentials, you are automatically logged in to your FortiCloud account.
Check that the account has been activated by viewing the account status from the License Information widget.

If you need more space, you can subscribe to the 200Gb FortiCloud service by selecting Upgrade in the FortiCloud section of the widget.

Viewing log storage space

The following is an example of what you may see when you use diag sys logdisk usage command on a unit with no VDOMs configured:

diag sys logdisk usage

The following appears:

Total HD usage: 176MB/3011 MB

Total HD logging space: 22583MB

Total HD logging space for each vdom: 22583MB

HD logging space usage for vdom "root": 30MB/22583MB

Customizing and filtering log messages

To customize and filter log messages

The following is an example that displays all traffic log messages that originate from the source IP address 172.20.120.24, as well as displaying only the columns:

OS Name
OS Version
Policy ID
Src (Source IP)

On the Forward Traffic page, right click anywhere on a column title.
Right click on a column title, and mouse over Column Settings to open the list.
Select each checkmarked title to uncheck it and remove them all from the displayed columns.
Scroll down to the list of unchecked fields and select ‘OS Name’, ‘OS Version’, ‘Policy ID’, and ‘Src’ to add checkmarks next to them.
Click outside the menu, and wait for the page to refresh with the new settings in place.
Select the funnel icon next to the word Src in the title bar of the Src column.
Enter the IP you want displayed (in this example, 172.20.120.24) in the text box.
Click Apply, and wait for the page to reload.

Viewing logs from the CLI

You can easily view log messages from within the CLI. In this example, we are viewing DLP log messages.

Log in to the CLI and then enter the following to configure the display of the DLP log messages:

execute log filter category 9

execute log filter start-line 1

execute log filter view-lines 20

The customized display of log messages in the CLI is similar to how you customize the display of log messages in the GUI. For example, category 9 is the DLP log messages, and the start-line is the first line in the log database table for DLP log messages, and there will be 20 lines (view-lines 20) that will display.
Enter the following to view the log messages: execute log display
The following appears below execute log display:

600 logs found

20 logs returned

along with the 20 DLP log messages.

Configuring NAC Quarantine logging

To configure NAC quarantine logging

Go to Policy & Objects > IPv4 Policy.
Select the policy that you want to apply the Antivirus profile to, and then select Edit.
Within the Security Profiles section, enable Antivirus and then select the profile from the drop-down list.
Select OK.
Log in to the CLI.
Enter the following to enable NAC Quarantine in the DLP sensor:

config antivirus profile

edit <profile_name>

config nac-quar log enable

end

Logging local-in policies

You can enable logging of local-in policies in the CLI, with the following commands:

config system global

set gui-local-in-policy enable

end

When deciding what local-in policy traffic you want logged, consider the following:

Special Traffic

Traffic activity	Traffic Direction	Description
FortiGuard update annoucements	IN	All push announcements of updates that are coming from the FortiGuard system. For example, IPS or AV updates.
FortiGuard update requests	OUT	All updates that are checking for antivirus or IPS as well as other FortiGuard service updates.
Firewall authentication	IN	The authentication made using either the GUI or CLI.
Central management (a FortiGate unit being managed by a FortiManager unit)	IN	The access that a FortiManager has managing the FortiGate unit.
DNS	IN	All DNS traffic.
DHCP/DHCP Relay	IN	All DHCP and/or DHCP Relay traffic.
HA (heart beat sync policy)	IN/OUT	For high-end platforms with a backplane heart beat port.
HA (Session sync policy)	IN/OUT	This will get information from the CMDB and updated by session sync daemon.
CAPWAP	IN	This activity is logged only when a HAVE_CAPWAP is defined.
Radius	IN	This is recorded only within FortiCarrier.
NETBIOS forward	IN	Any interface that NETBIOS forward is enabled on.
RIP	IN
OSPF	IN
VRRP	IN
BFD	IN
IGMP	IN	This is recorded only when PIM is enabled.
PIM	IN	This is recorded only when PIM is enabled.
BGP	IN	This is recorded only when config bgp and bgp neightbor is enabled in the CLI.
WCCP policy	IN	Any interface that WCCP is enabled; however, if in Cache mode, this is not recorded because it is not available.
WAN Opt/ Web Cache	IN	Any interface where WAN Opt is enabled.
WANOpt Tunnel	IN	This is recorded when HAVE_WANOPT is defined.
SSL-VPN	IN	Any interface from a zone where the action in the policy is SSL VPN.
IPSEC	IN
L2TP	IN
PPTP	IN
VPD	IN	This is recorded only when FortiClient is enabled.
Web cache db test facility	IN	This is recorded only when WA_CS_REMOTE_TEST is defined.
GDBserver	IN	This is recorded only when debug is enabled.

Tracking specific search phrases in reports

It is possible to use the Web Filter to track specific search keywords and phrases and record the results for display in the report.

You should verify that the web filter profile you are using indicates what search phrases you want to track and monitor, so that the report includes this information.

Log in to the CLI and enter show webfilter profile default. This provides details about the webfilter profile being used by the security policy. In this example, the details (shown in the following in bold) indicate that safe search is enabled, but not specified or being logged.

show webfilter profile default

config webfilter profile

edit "default"

set comment "default web filtering"

set inspection-mode flow-based

set options https-scan

set post-action comfort

config web

set safe-search url

end

config ftgd-wf

config filters

edit 1

set action block

set category 2

next

edit 2

set action block

set category 7

next

edit 3

set action block

set category 8
Enter the following command syntax so that logging and the keyword for the safe search will be included in logging:

config webfilter profile

edit default

config web

set log-search enable

set keyword-match "fortinet" "easter" "easter bunny"

end

end
To test that the keyword search is working, go to a web browser and begin searching for the words that were included in the webfilter profile, such as easter. You can tell that the test works by going to Log & Report > Forward Traffic and viewing the log messages.

Interpreting and configuring FSSO syslog log messages

There are two syslog message formats: default and verbose. Verbose must be manually enabled as described below, but provides more general information.

Default syslog message format

The default FSSO syslog message format has no header, and is based on the specifications of RFC 3164. Messages only have two values, PRI (Priority) and MSG (Message), in the format of <PRI>MSG.

Verbose syslog message format

Verbose is a secondary message format that provides more information, including timestamp (with timezone).

In verbose mode, the log message follows the specifications of RFC 5424:

<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA/SD-ID MSG

PRI is formatted as described above in the default format.

Verbose FSSO syslog messages do not contain any data for MSGID, or STRUCTURED-DATA, so both of those two messages are recorded as a single hyphen character "-".

APP-NAME always appears as "collectoragent".

The other values are formatted as described in RFC 5424.

Enabling verbose syslog message mode

In order to enable the verbose syslog message mode, you must modify the registry on the PC that is hosting the FSSO Collector Agent.

In 64-bit Windows, locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent

In 32-bit Windows, locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\collectoragent

Under this registry path, create a new DWORD (32bit) Value named syslog_using_rfc, and set its value to 1.