Cookbook

Source and destination UUID logging

The log-uuid setting in system global is split into two settings: log-uuid-address and log-uuid-policy.

The traffic log includes two internet-service name fields: Source Internet Service (srcinetsvc) and Destination Internet Service (dstinetsvc).

Log UUIDs

The UUIDs of the source and destination address objects that matched a policy, and the UUID of the policy itself, can be added to each traffic log entry. This allows the address and policy objects to be referenced unambiguously in log analysis and reporting, even if an object is later renamed.

Because the extra fields increase log volume and may consume a significant amount of storage space, address UUID insertion is optional. By default, policy UUID insertion is enabled and address UUID insertion is disabled.

To enable address and policy UUID insertion in traffic logs using the GUI:
  1. Go to Log & Report > Log Settings.
  2. Under UUIDs in Traffic Log, enable Policy and/or Address.
  3. Click Apply.

To enable address and policy UUID insertion in traffic logs using the CLI:
config system global
   set log-uuid-address enable
   set log-uuid-policy enable
end

Sample forward traffic log:

# date=2019-01-25 time=11:32:55 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1528223575 srcip=192.168.1.183 srcname="PC24" srcport=33709 srcintf="lan" srcintfrole="lan" dstip=192.168.70.184 dstport=80 dstintf="wan1" dstintfrole="wan" srcuuid="27dd503e-883c-51e7-ade1-7e015d46494f" dstuuid="27dd503e-883c-51e7-ade1-7e015d46494f" poluuid="9e0fe24c-1808-51e8-1257-68ce4245572c" sessionid=5181 proto=6 action="client-rst" policyid=4 policytype="policy" service="HTTP" trandisp="snat" transip=192.168.70.228 transport=33709 appid=38783 app="Wget" appcat="General.Interest" apprisk="low" applist="default" duration=5 sentbyte=450 rcvdbyte=2305 sentpkt=6 wanin=368 wanout=130 lanin=130 lanout=130 utmaction="block" countav=2 countapp=1 crscore=50 craction=2 devtype="Linux PC" devcategory="None" osname="Linux" mastersrcmac="00:0c:29:36:5c:c3" srcmac="00:0c:29:36:5c:c3" srcserver=0 utmref=65523-1018

Internet service name fields

Traffic logs for internet-service include two fields: Source Internet Service and Destination Internet Service.

To view the internet-service fields using the GUI:
  1. Go to Log & Report > Forward Traffic.
  2. Double-click on an entry to view the Log Details. The Source Internet Service and Destination Internet Service fields are visible in the Log Details pane.

Sample internet-service name fields in a forward traffic log:

# date=2019-01-25 time=14:17:04 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1548454622 srcip=10.1.100.11 srcport=51112 srcintf="port3" srcintfrole="undefined" dstip=172.217.14.228 dstport=80 dstintf="port1" dstintfrole="undefined" poluuid="af519380-2094-51e9-391c-b78e8edbddfc" srcinetsvc="isdb-875099" dstinetsvc="Google.Gmail" sessionid=6930 proto=6 action="close" policyid=2 policytype="policy" service="HTTP" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=51112 duration=11 sentbyte=398 rcvdbyte=756 sentpkt=6 rcvdpkt=4 appcat="unscanned" devtype="Router/NAT Device" devcategory="Fortinet Device" mastersrcmac="90:6c:ac:41:7a:24" srcmac="90:6c:ac:41:7a:24" srcserver=0 dstdevtype="Unknown" dstdevcategory="Fortinet Device" masterdstmac="08:5b:0e:1f:ed:ed" dstmac="08:5b:0e:1f:ed:ed" dstserver=0
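The two sample log lines above are only useful to a SIEM or report if something parses the key=value format and pulls the UUID and internet-service fields back out. The following Python is an added example written for this page, not Fortinet code or part of the cookbook: it parses FortiOS traffic-log lines, extracts srcuuid, dstuuid, poluuid, srcinetsvc and dstinetsvc, checks that the UUID fields you expect from the log-uuid-address and log-uuid-policy settings are actually present and well-formed, and resolves UUIDs against an inventory of address and policy objects. The two sample lines are the ones shown on this page (with plain hyphens); the INVENTORY mapping and the object names in it are constructed for the example, and the 8-4-4-4-12 UUID shape is assumed from the samples rather than taken from a Fortinet specification.

```python
import re
from typing import Dict, List, Optional

# A FortiOS log line is a sequence of key=value pairs. Values are either
# double-quoted strings (may contain spaces and \" escapes) or bare tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# UUID layout (8-4-4-4-12 lowercase hex) assumed from the samples on this page.
_UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_fortilog(line: str) -> Dict[str, str]:
    """Parse one traffic-log line into a dict; a leading '# ' CLI prompt is ignored."""
    text = line.strip()
    if text.startswith("#"):
        text = text[1:].lstrip()
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(text):
        fields[key] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
    return fields


def object_refs(fields: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Return the fields that tie an entry back to policy, address and internet-service objects."""
    keys = ("policyid", "poluuid", "srcuuid", "dstuuid", "srcinetsvc", "dstinetsvc")
    return {k: fields.get(k) for k in keys}


def check_uuid_logging(fields: Dict[str, str], expect_address: bool = True) -> List[str]:
    """List UUID fields that are missing or malformed for the configured log-uuid settings.

    poluuid is required because log-uuid-policy is enabled by default; srcuuid and
    dstuuid are required only when log-uuid-address has been enabled as well.
    """
    wanted = {"poluuid": "log-uuid-policy"}
    if expect_address:
        wanted.update({"srcuuid": "log-uuid-address", "dstuuid": "log-uuid-address"})
    problems: List[str] = []
    for key, setting in wanted.items():
        value = fields.get(key)
        if value is None:
            problems.append(f"{key} missing; check 'set {setting} enable' under config system global")
        elif not _UUID_RE.match(value):
            problems.append(f"{key} malformed: {value!r}")
    return problems


def resolve(fields: Dict[str, str], inventory: Dict[str, str]) -> Dict[str, str]:
    """Map the UUIDs in an entry to object names; unknown UUIDs are flagged, not dropped."""
    out: Dict[str, str] = {}
    for key in ("srcuuid", "dstuuid", "poluuid"):
        value = fields.get(key)
        if value is not None:
            out[key] = inventory.get(value, f"unknown:{value}")
    return out


# Sample lines from this page (non-breaking hyphens replaced by plain hyphens).
SAMPLE_WITH_UUIDS = (
    '# date=2019-01-25 time=11:32:55 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="vdom1" eventtime=1528223575 srcip=192.168.1.183 srcname="PC24" '
    'srcport=33709 srcintf="lan" srcintfrole="lan" dstip=192.168.70.184 dstport=80 '
    'dstintf="wan1" dstintfrole="wan" srcuuid="27dd503e-883c-51e7-ade1-7e015d46494f" '
    'dstuuid="27dd503e-883c-51e7-ade1-7e015d46494f" '
    'poluuid="9e0fe24c-1808-51e8-1257-68ce4245572c" sessionid=5181 proto=6 '
    'action="client-rst" policyid=4 policytype="policy" service="HTTP" trandisp="snat" '
    'transip=192.168.70.228 transport=33709 appid=38783 app="Wget" '
    'appcat="General.Interest" apprisk="low" applist="default" duration=5 sentbyte=450 '
    'rcvdbyte=2305 sentpkt=6 utmaction="block" devtype="Linux PC" devcategory="None" '
    'osname="Linux" srcmac="00:0c:29:36:5c:c3" srcserver=0 utmref=65523-1018'
)
SAMPLE_INETSVC = (
    '# date=2019-01-25 time=14:17:04 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="vdom1" eventtime=1548454622 srcip=10.1.100.11 srcport=51112 '
    'srcintf="port3" srcintfrole="undefined" dstip=172.217.14.228 dstport=80 '
    'dstintf="port1" dstintfrole="undefined" '
    'poluuid="af519380-2094-51e9-391c-b78e8edbddfc" srcinetsvc="isdb-875099" '
    'dstinetsvc="Google.Gmail" sessionid=6930 proto=6 action="close" policyid=2 '
    'policytype="policy" service="HTTP" dstcountry="United States" srccountry="Reserved" '
    'trandisp="snat" transip=172.16.200.2 transport=51112 duration=11 sentbyte=398 '
    'rcvdbyte=756 sentpkt=6 rcvdpkt=4 appcat="unscanned"'
)

# Constructed inventory: in practice export it from the firewall's address and
# policy configuration, keyed by each object's uuid attribute.
INVENTORY = {
    "27dd503e-883c-51e7-ade1-7e015d46494f": "address: PC24-host (constructed name)",
    "9e0fe24c-1808-51e8-1257-68ce4245572c": "policy 4: LAN-to-WAN-HTTP (constructed name)",
}

if __name__ == "__main__":
    for line in (SAMPLE_WITH_UUIDS, SAMPLE_INETSVC):
        fields = parse_fortilog(line)
        print(object_refs(fields))
        print(check_uuid_logging(fields), resolve(fields, INVENTORY))
```

Run against the second sample, check_uuid_logging() reports srcuuid and dstuuid as missing, which is exactly what a log looks like when only the default log-uuid-policy is enabled; pass expect_address=False when that is the intended configuration. resolve() never silently drops a UUID that is absent from the inventory, so a stale object export shows up as an unknown: entry in the report rather than as a gap.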
