New Features

Add fields to correlate between traffic, GTP, and UTM logs 6.4.2

The tunnel ID is added to traffic and GTP logs for GTP-related traffic so that sessions can be correlated across the two log types (tunnelid in traffic logs, tunnel-idx in GTP logs). The session ID (sessionid) can be used to correlate traffic logs with UTM logs. This feature requires IPS Engine version 6.026 and later.

The following diagnose commands have been added:

diagnose ips share list gtp-u_db

diagnose ips gtp {list | clear | stats | stats-clear} [vdom]

Sample CLI output:

(global) # diagnose ips share list gtp-u_db
GTP-U: vf:1 uplink:1 downlink:1 expiry:275
GTP-C: uplink:1 downlink:1 pid:507
(global) # diagnose ips gtp list 1

path:1  vd:1  172.16.200.61:2123  10.1.100.60:2123  echo:0  expiry:358
  tunnel 1:  uteid:1  dteid:1  expiry:58
    bearer 1:  uteid:1  dteid:1

Sample traffic log:

(vdom1) # execute log filter category 0
(vdom1) # execute log display 
3 logs found.
3 logs returned.

1: date=2020-07-03 time=17:52:26 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1593823946988134933 tz="-0700" srcip=10.1.100.60 srcport=2152 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.61 dstport=2152 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=450 proto=17 action="accept" policyid=1 policytype="policy" poluuid="74b34458-bcbf-51ea-f0ec-1a54736a54c1" policyname="11" service="GTP" trandisp="noop" duration=334 sentbyte=4435 rcvdbyte=5351 sentpkt=31 rcvdpkt=23 appcat="unscanned" sentdelta=184 rcvddelta=820 utmref=0-42

2: date=2020-07-03 time=17:51:27 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1593823887326990647 tz="-0700" srcip=192.168.0.2 srcport=57913 srcintf="port2" srcintfrole="undefined" dstip=192.168.0.1 dstport=80 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=5 proto=6 action="accept" policyid=1 policytype="policy" policyname="11" tunnelid=1 service="HTTP" trandisp="snat" transip=0.0.0.0 transport=0 duration=179 sentbyte=147 rcvdbyte=318 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countips=1 utmref=0-28

3: date=2020-07-03 time=17:50:30 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1593823830269870321 tz="-0700" srcip=192.168.0.2 srcport=37029 srcintf="port2" srcintfrole="undefined" dstip=192.168.0.1 dstport=80 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=3 proto=6 action="accept" policyid=1 policytype="policy" policyname="11" tunnelid=1 service="HTTP" trandisp="snat" transip=0.0.0.0 transport=0 duration=213 sentbyte=138 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appid=15893 app="HTTP.BROWSER" appcat="Web.Client" apprisk="medium" utmaction="block" countapp=1 utmref=0-14

Sample GTP log:

19: date=2020-07-03 time=17:48:27 logid="1400041229" type="gtp" subtype="gtp-all" level="information" vd="vdom1" eventtime=1593823707831428535 tz="-0700" profile="gtpp" status="forwarded" version=1 msg-type=255 from=172.16.200.61 to=10.1.100.60 srcport=2152 dstport=2152 headerteid=1 tunnel-idx=1 imsi="310150123456789" msisdn="6044301297" apn="unknown"
47: date=2020-07-03 time=17:46:56 logid="1400041229" type="gtp" subtype="gtp-all" level="information" vd="vdom1" eventtime=1593823616760095386 tz="-0700" profile="gtpp" status="forwarded" version=1 msg-type=255 from=10.1.100.60 to=172.16.200.61 srcport=2152 dstport=2152 headerteid=1 tunnel-idx=1 imsi="310150123456789" msisdn="6044301297" apn="unknown"

Sample matched UTM log:

(vdom1)# execute log detail 4 0-28
1 logs found.
1 logs returned.

1: date=2020-07-03 time=17:48:27 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" eventtime=1593823707631357842 tz="-0700" severity="info" srcip=192.168.0.2 srccountry="Reserved" dstip=192.168.0.1 sessionid=5 action="dropped" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=57913 dstport=80 hostname="192.168.0.1" url="/eicar.com" direction="incoming" attackid=29844 profile="gtp-ips-profile" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=155189252 msg="file_transfer: Eicar.Virus.Test.File,"

(vdom1) # execute log detail 10 0-14
1 logs found.
1 logs returned.

1: date=2020-07-03 time=17:46:56 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="vdom1" eventtime=1593823616148659619 tz="-0700" appid=15893 srcip=192.168.0.2 dstip=192.168.0.1 srcport=37029 dstport=80 proto=6 service="HTTP" direction="outgoing" policyid=1 sessionid=3 applist="gtp-appctrl-profile" action="block" appcat="Web.Client" app="HTTP.BROWSER" hostname="192.168.0.1" incidentserialno=155189251 url="/" msg="Web.Client: HTTP.BROWSER," apprisk="medium"
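The following is an added example, not part of the Fortinet documentation, showing how a SOC script could apply the correlation described above offline: it parses FortiOS key=value log lines, joins traffic logs to UTM logs on sessionid, and joins traffic logs to GTP logs on tunnelid / tunnel-idx, so a blocked HTTP session can be traced back to the IMSI of the subscriber tunnel it was carried in. The sample lines are shortened copies of the logs shown on this page; the function names are the example's own.

```python
import shlex

# Constructed sample input: abbreviated versions of the traffic, UTM and GTP
# logs shown above (fields not needed for the join were dropped).
TRAFFIC_LOGS = [
    '1: date=2020-07-03 time=17:52:26 type="traffic" vd="vdom1" srcip=10.1.100.60 dstip=172.16.200.61 sessionid=450 proto=17 service="GTP" utmref=0-42',
    '2: date=2020-07-03 time=17:51:27 type="traffic" vd="vdom1" srcip=192.168.0.2 dstip=192.168.0.1 sessionid=5 proto=6 tunnelid=1 service="HTTP" utmaction="block" countips=1 utmref=0-28',
    '3: date=2020-07-03 time=17:50:30 type="traffic" vd="vdom1" srcip=192.168.0.2 dstip=192.168.0.1 sessionid=3 proto=6 tunnelid=1 service="HTTP" utmaction="block" countapp=1 utmref=0-14',
]
UTM_LOGS = [
    '1: date=2020-07-03 time=17:48:27 type="utm" subtype="ips" vd="vdom1" srcip=192.168.0.2 dstip=192.168.0.1 sessionid=5 action="dropped" attack="Eicar.Virus.Test.File" url="/eicar.com" msg="file_transfer: Eicar.Virus.Test.File,"',
    '1: date=2020-07-03 time=17:46:56 type="utm" subtype="app-ctrl" vd="vdom1" srcip=192.168.0.2 dstip=192.168.0.1 sessionid=3 action="block" app="HTTP.BROWSER" msg="Web.Client: HTTP.BROWSER,"',
]
GTP_LOGS = [
    '19: date=2020-07-03 time=17:48:27 type="gtp" vd="vdom1" status="forwarded" from=172.16.200.61 to=10.1.100.60 headerteid=1 tunnel-idx=1 imsi="310150123456789" apn="unknown"',
    '47: date=2020-07-03 time=17:46:56 type="gtp" vd="vdom1" status="forwarded" from=10.1.100.60 to=172.16.200.61 headerteid=1 tunnel-idx=1 imsi="310150123456789" apn="unknown"',
]


def parse_fortilog(line):
    """Turn a FortiOS key=value log line into a dict.

    shlex handles quoted values that contain spaces (e.g. msg="..."); the
    leading "N:" index printed by `execute log display` has no '=' and is dropped.
    """
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def correlate(traffic_lines, utm_lines, gtp_lines):
    """Return {sessionid: {traffic, utm, gtp, imsi}} for every traffic log.

    traffic -> UTM  : same vd and same sessionid
    traffic -> GTP  : same vd and traffic tunnelid == GTP tunnel-idx
    Matching on vd as well avoids joining records from different VDOMs.
    """
    traffic = [parse_fortilog(l) for l in traffic_lines]
    utm = [parse_fortilog(l) for l in utm_lines]
    gtp = [parse_fortilog(l) for l in gtp_lines]
    result = {}
    for t in traffic:
        vd, sid, tunnel = t["vd"], t["sessionid"], t.get("tunnelid")
        utm_hits = [u for u in utm if u["vd"] == vd and u["sessionid"] == sid]
        # Sessions without a tunnelid (e.g. the GTP-U tunnel itself) get no GTP join.
        gtp_hits = [g for g in gtp if tunnel is not None and g["vd"] == vd and g.get("tunnel-idx") == tunnel]
        result[sid] = {"traffic": t, "utm": utm_hits, "gtp": gtp_hits,
                       "imsi": sorted({g["imsi"] for g in gtp_hits})}
    return result
```

The utmref value in a traffic log (e.g. 0-28) is what the `execute log detail` commands above use to fetch the matching UTM record directly on the FortiGate; this script instead relies on sessionid, which is present in both exported log types.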