WAD and Proxyd SSL logging improvement

During deep inspection and certificate inspection, various logs generated from certificate issues now use a consistent log format. Additional details have also been added to these logs. A new option, ssl-negotiation-log, captures results of unsupported SSL negotiations.

SSL/SSH protocol options:

A new option, set ssl-negotiation-log {enable | disable}, was added to the option set.

config firewall ssl-ssh-profile
    edit "deep-inspection"
        set ssl-anomalies-log {enable | disable}
        set ssl-exemptions-log {enable | disable}
        set ssl-negotiation-log {enable | disable}
    next
end

To log invalid certificates:

config firewall ssl-ssh-profile
    edit "deep-inspection"
        set ssl-anomalies-log enable
    next
end

FortiGate generates an SSL anomalies log when traffic triggers an SSL certificate anomaly.

In the HTTPS and SMTPS versions of the traffic and SSL UTM logs:

  • The logid and the server certificate CN are the same.
  • The msg field in the SSL UTM logs is similar.

HTTPS traffic log:

1: date=2020-02-06 time=10:54:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581015276280004271 tz="-0800" srcip=10.1.100.66 srcport=45068 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=443 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=95917 proto=6 action="server-rst" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="HTTPS" trandisp="snat" transip=172.16.200.7 transport=45068 duration=5 sentbyte=931 rcvdbyte=6818 sentpkt=11 rcvdpkt=11 appcat="unscanned" wanin=0 wanout=0 lanin=696 lanout=696 utmaction="block" countssl=1 crscore=5 craction=262144 crlevel="low" utmref=65503-98

SMTPS traffic log:

6: date=2020-02-06 time=11:02:57 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581015777090002933 tz="-0800" srcip=10.1.100.66 srcport=57522 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=465 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=96269 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="SMTPS" trandisp="snat" transip=172.16.200.7 transport=57522 duration=5 sentbyte=597 rcvdbyte=216 sentpkt=6 rcvdpkt=4 appcat="unscanned" utmaction="block" countssl=1 utmref=65500-0

HTTPS SSL UTM log:

1: date=2020-02-06 time=10:54:31 logid="1700062303" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" eventtime=1581015271212451397 tz="-0800" action="blocked" policyid=1 sessionid=95917 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=45068 dstip=172.16.200.99 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="certificate-anomaly" msg="SSL connection is blocked, certificate-status: expired." hostname="invalid.fortinet.com"

SMTPS SSL UTM log:

1: date=2020-02-06 time=11:02:52 logid="1700062303" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" eventtime=1581015771995913532 tz="-0800" action="blocked" policyid=1 sessionid=96269 service="SMTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=57522 dstip=172.16.200.99 dstport=465 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="certificate-anomaly" msg="SSL connection is blocked, certificate-status: expired untrusted validation_failure." hostname="invalid.fortinet.com"

To log SSL Exemptions based on FortiGuard categories:

config firewall ssl-ssh-profile
    edit "deep-inspection-clone"
        set ssl-exemptions-log enable
    next
end

In the HTTPS and SMTPS versions of the traffic and SSL UTM logs:

  • The logid and the msg are the same.
  • A server certificate CN is added to the log.

Note

FortiGate records the wrong category ID and description in the HTTPS version of the SSL UTM log. This is a known issue.

HTTPS traffic log:

8: date=2020-02-06 time=15:46:10 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581032769970002679 tz="-0800" srcip=10.1.100.66 srcport=57116 srcintf="port2" srcintfrole="undefined" dstip=52.52.208.2 dstport=443 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=107685 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="HTTPS" trandisp="snat" transip=172.16.200.7 transport=57116 duration=1 sentbyte=1925 rcvdbyte=7736 sentpkt=13 rcvdpkt=13 appcat="unscanned" wanin=0 wanout=0 lanin=1241 lanout=1241 utmaction="allow" countssl=1 utmref=65476-42

SMTPS traffic log:

1: date=2020-02-07 time=10:39:20 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581100760770003429 tz="-0800" srcip=10.1.100.66 srcport=42638 srcintf="port2" srcintfrole="undefined" dstip=74.125.195.109 dstport=465 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=139840 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="SMTPS" trandisp="snat" transip=172.16.200.7 transport=42638 duration=1 sentbyte=896 rcvdbyte=3392 sentpkt=9 rcvdpkt=7 appcat="unscanned" utmaction="allow" countssl=1 utmref=65470-0

HTTPS SSL UTM log:

1: date=2020-02-06 time=15:46:08 logid="1701062005" type="utm" subtype="ssl" eventtype="ssl-exempt" level="notice" vd="vdom1" eventtime=1581032768540281919 tz="-0800" action="exempt" policyid=1 sessionid=107685 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=57116 dstip=52.52.208.2 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="fortiguard-category" cat=1 catdesc="Drug Abuse" hostname="www.fortinet.com" msg="SSL connection is exempted based on category rating."

SMTPS SSL UTM log:

1: date=2020-02-07 time=10:39:19 logid="1701062005" type="utm" subtype="ssl" eventtype="ssl-exempt" level="notice" vd="vdom1" eventtime=1581100759642872145 tz="-0800" action="exempt" policyid=1 sessionid=139840 service="SMTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=42638 dstip=74.125.195.109 dstport=465 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="fortiguard-category" cat=23 catdesc="Web-based Email" hostname="smtp.gmail.com" msg="SSL connection is exempted based on category rating."

To log unsupported SSL negotiation:

config firewall ssl-ssh-profile
    edit "deep-inspection-clone"
        set ssl-negotiation-log enable
    next
end

The logid and msg fields are the same in the HTTPS and IMAPS versions of the traffic and SSL UTM logs:

HTTPS traffic log:

1: date=2020-02-07 time=11:10:59 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581102659640002285 tz="-0800" srcip=10.1.100.66 srcport=33666 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=8080 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=141224 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="tcp/8080" trandisp="snat" transip=172.16.200.7 transport=33666 duration=1 sentbyte=216 rcvdbyte=216 sentpkt=4 rcvdpkt=4 appcat="unscanned" wanin=0 wanout=0 lanin=82 lanout=82 utmaction="block" countssl=1 utmref=65464-0

IMAPS traffic log:

16: date=2020-02-07 time=11:06:55 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581102415810001699 tz="-0800" srcip=10.1.100.66 srcport=58162 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=8143 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=141051 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="tcp/8143" trandisp="snat" transip=172.16.200.7 transport=58162 duration=5 sentbyte=216 rcvdbyte=164 sentpkt=4 rcvdpkt=3 appcat="unscanned" utmaction="block" countssl=1 utmref=65467-0

HTTPS SSL UTM log:

1: date=2020-02-07 time=11:10:58 logid="1702062101" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="vdom1" eventtime=1581102658589415731 tz="-0800" action="blocked" policyid=1 sessionid=141224 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=33666 dstip=172.16.200.99 dstport=8080 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="unexpected-protocol" msg="SSL connection is blocked."

IMAPS SSL UTM log:

1: date=2020-02-07 time=11:06:50 logid="1702062101" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="vdom1" eventtime=1581102410702684472 tz="-0800" action="blocked" policyid=1 sessionid=141051 service="IMAPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=58162 dstip=172.16.200.99 dstport=8143 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="unexpected-protocol" msg="SSL connection is blocked."
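The three SSL UTM eventtypes above (ssl-anomalies, ssl-exempt, ssl-negotiation) share the same key=value format and carry the sessionid of the matching traffic log, so a collector can join them and pull the certificate-status tokens out of msg. The following is an added example, not Fortinet code; the sample log lines are constructed, shortened copies of the SMTPS anomaly and HTTPS negotiation logs shown on this page, and the function names are my own.

```python
import re

# FortiGate logs are space-separated key=value pairs; values containing spaces are double-quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# The SSL UTM eventtypes produced by the three ssl-*-log options.
SSL_EVENTS = {"ssl-anomalies", "ssl-exempt", "ssl-negotiation"}

# Constructed sample input: shortened copies of this page's SMTPS anomaly logs and the
# HTTPS negotiation UTM log (whose traffic log is deliberately omitted).
SAMPLE_LOGS = [
    'date=2020-02-06 time=11:02:57 logid="0000000013" type="traffic" subtype="forward" vd="vdom1" '
    'srcip=10.1.100.66 dstip=172.16.200.99 dstport=465 sessionid=96269 action="close" '
    'service="SMTPS" sentbyte=597 rcvdbyte=216 utmaction="block" countssl=1',
    'date=2020-02-06 time=11:02:52 logid="1700062303" type="utm" subtype="ssl" '
    'eventtype="ssl-anomalies" level="warning" vd="vdom1" action="blocked" sessionid=96269 '
    'service="SMTPS" eventsubtype="certificate-anomaly" msg="SSL connection is blocked, '
    'certificate-status: expired untrusted validation_failure." hostname="invalid.fortinet.com"',
    'date=2020-02-07 time=11:10:58 logid="1702062101" type="utm" subtype="ssl" '
    'eventtype="ssl-negotiation" level="warning" vd="vdom1" action="blocked" sessionid=141224 '
    'service="HTTPS" eventsubtype="unexpected-protocol" msg="SSL connection is blocked."',
]

def parse_fortigate_log(line):
    """Parse one key=value log line into a dict, stripping the quotes around quoted values."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def certificate_status(fields):
    """Split the certificate-status tokens out of an ssl-anomalies msg, e.g.
    'SSL connection is blocked, certificate-status: expired untrusted validation_failure.'
    -> ['expired', 'untrusted', 'validation_failure']. Other msgs give []."""
    m = re.search(r"certificate-status:\s*([^.]*)", fields.get("msg", ""))
    return m.group(1).split() if m else []

def correlate_ssl_events(lines):
    """Join each SSL UTM log to its traffic log by (vd, sessionid); an SSL event whose traffic
    log has not arrived yet is still reported, with the traffic-derived fields set to None."""
    parsed = [parse_fortigate_log(l) for l in lines]
    traffic = {(f.get("vd"), f.get("sessionid")): f for f in parsed if f.get("type") == "traffic"}
    events = []
    for f in parsed:
        if f.get("type") != "utm" or f.get("subtype") != "ssl" or f.get("eventtype") not in SSL_EVENTS:
            continue
        t = traffic.get((f.get("vd"), f.get("sessionid")))
        events.append({
            "sessionid": f.get("sessionid"),
            "eventtype": f["eventtype"],
            "eventsubtype": f.get("eventsubtype"),
            "hostname": f.get("hostname"),          # server certificate CN; absent on negotiation logs
            "cert_status": certificate_status(f),   # populated only for certificate anomalies
            "traffic_action": t.get("action") if t else None,
            "bytes": int(t["sentbyte"]) + int(t["rcvdbyte"]) if t else None,
        })
    return events
```

A SIEM rule can then alert on cert_status containing "untrusted" or "validation_failure" while treating a lone "expired" on a known internal host as lower priority.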