New Features

WAD and Proxyd SSL logging improvement

During deep inspection and certificate inspection, various logs generated from certificate issues now use a consistent log format. Additional details have also been added to these logs. A new option, ssl-negotiation-log, captures results of unsupported SSL negotiations.

SSL/SSH protocol options:

A new option, set ssl-negotiation-log {enable | disable}, was added to the option set.

    config firewall ssl-ssh-profile
        edit "deep-inspection"
            set ssl-anomalies-log {enable | disable}
            set ssl-exemptions-log {enable | disable}
            set ssl-negotiation-log {enable | disable}
        next
    end

To log invalid certificates:

    config firewall ssl-ssh-profile
        edit "deep-inspection"
            set ssl-anomalies-log enable
        next
    end

FortiGate generates an SSL anomalies log when traffic triggers an SSL certificate anomaly.

In the HTTPS and SMTPS versions of the traffic and SSL UTM logs:

  • The logid and the server certificate CN are the same.
  • The msg field in the SSL UTM logs is similar; it lists the certificate status (or statuses) that caused the block.

HTTPS
  Traffic log: 1: date=2020-02-06 time=10:54:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581015276280004271 tz="-0800" srcip=10.1.100.66 srcport=45068 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=443 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=95917 proto=6 action="server-rst" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="HTTPS" trandisp="snat" transip=172.16.200.7 transport=45068 duration=5 sentbyte=931 rcvdbyte=6818 sentpkt=11 rcvdpkt=11 appcat="unscanned" wanin=0 wanout=0 lanin=696 lanout=696 utmaction="block" countssl=1 crscore=5 craction=262144 crlevel="low" utmref=65503-98
  SSL UTM log: 1: date=2020-02-06 time=10:54:31 logid="1700062303" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" eventtime=1581015271212451397 tz="-0800" action="blocked" policyid=1 sessionid=95917 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=45068 dstip=172.16.200.99 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="certificate-anomaly" msg="SSL connection is blocked, certificate-status: expired." hostname="invalid.fortinet.com"

SMTPS
  Traffic log: 6: date=2020-02-06 time=11:02:57 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581015777090002933 tz="-0800" srcip=10.1.100.66 srcport=57522 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=465 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=96269 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="SMTPS" trandisp="snat" transip=172.16.200.7 transport=57522 duration=5 sentbyte=597 rcvdbyte=216 sentpkt=6 rcvdpkt=4 appcat="unscanned" utmaction="block" countssl=1 utmref=65500-0
  SSL UTM log: 1: date=2020-02-06 time=11:02:52 logid="1700062303" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" eventtime=1581015771995913532 tz="-0800" action="blocked" policyid=1 sessionid=96269 service="SMTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=57522 dstip=172.16.200.99 dstport=465 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="certificate-anomaly" msg="SSL connection is blocked, certificate-status: expired untrusted validation_failure." hostname="invalid.fortinet.com"

To log SSL Exemptions based on FortiGuard categories:

    config firewall ssl-ssh-profile
        edit "deep-inspection-clone"
            set ssl-exemptions-log enable
        next
    end

In the HTTPS and SMTPS versions of the traffic and SSL UTM logs:

  • The logid and the msg are the same.
  • The server certificate CN is added to the log (hostname field).

Note

FortiGate records the wrong category ID and description (cat and catdesc) in the HTTPS version of the SSL UTM log. This is a known issue.

HTTPS
  Traffic log: 8: date=2020-02-06 time=15:46:10 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581032769970002679 tz="-0800" srcip=10.1.100.66 srcport=57116 srcintf="port2" srcintfrole="undefined" dstip=52.52.208.2 dstport=443 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=107685 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="HTTPS" trandisp="snat" transip=172.16.200.7 transport=57116 duration=1 sentbyte=1925 rcvdbyte=7736 sentpkt=13 rcvdpkt=13 appcat="unscanned" wanin=0 wanout=0 lanin=1241 lanout=1241 utmaction="allow" countssl=1 utmref=65476-42
  SSL UTM log: 1: date=2020-02-06 time=15:46:08 logid="1701062005" type="utm" subtype="ssl" eventtype="ssl-exempt" level="notice" vd="vdom1" eventtime=1581032768540281919 tz="-0800" action="exempt" policyid=1 sessionid=107685 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=57116 dstip=52.52.208.2 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="fortiguard-category" cat=1 catdesc="Drug Abuse" hostname="www.fortinet.com" msg="SSL connection is exempted based on category rating."

SMTPS
  Traffic log: 1: date=2020-02-07 time=10:39:20 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581100760770003429 tz="-0800" srcip=10.1.100.66 srcport=42638 srcintf="port2" srcintfrole="undefined" dstip=74.125.195.109 dstport=465 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=139840 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="SMTPS" trandisp="snat" transip=172.16.200.7 transport=42638 duration=1 sentbyte=896 rcvdbyte=3392 sentpkt=9 rcvdpkt=7 appcat="unscanned" utmaction="allow" countssl=1 utmref=65470-0
  SSL UTM log: 1: date=2020-02-07 time=10:39:19 logid="1701062005" type="utm" subtype="ssl" eventtype="ssl-exempt" level="notice" vd="vdom1" eventtime=1581100759642872145 tz="-0800" action="exempt" policyid=1 sessionid=139840 service="SMTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=42638 dstip=74.125.195.109 dstport=465 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="fortiguard-category" cat=23 catdesc="Web-based Email" hostname="smtp.gmail.com" msg="SSL connection is exempted based on category rating."

To log unsupported SSL negotiation:

    config firewall ssl-ssh-profile
        edit "deep-inspection-clone"
            set ssl-negotiation-log enable
        next
    end

The logid and msg fields are the same in the HTTPS and IMAPS versions of the traffic and SSL UTM logs. Note that the traffic log reports the service by port (tcp/8080, tcp/8143) while the SSL UTM log reports the expected protocol (HTTPS, IMAPS):

HTTPS
  Traffic log: 1: date=2020-02-07 time=11:10:59 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581102659640002285 tz="-0800" srcip=10.1.100.66 srcport=33666 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=8080 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=141224 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="tcp/8080" trandisp="snat" transip=172.16.200.7 transport=33666 duration=1 sentbyte=216 rcvdbyte=216 sentpkt=4 rcvdpkt=4 appcat="unscanned" wanin=0 wanout=0 lanin=82 lanout=82 utmaction="block" countssl=1 utmref=65464-0
  SSL UTM log: 1: date=2020-02-07 time=11:10:58 logid="1702062101" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="vdom1" eventtime=1581102658589415731 tz="-0800" action="blocked" policyid=1 sessionid=141224 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=33666 dstip=172.16.200.99 dstport=8080 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="unexpected-protocol" msg="SSL connection is blocked."

IMAPS
  Traffic log: 16: date=2020-02-07 time=11:06:55 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581102415810001699 tz="-0800" srcip=10.1.100.66 srcport=58162 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=8143 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=141051 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="tcp/8143" trandisp="snat" transip=172.16.200.7 transport=58162 duration=5 sentbyte=216 rcvdbyte=164 sentpkt=4 rcvdpkt=3 appcat="unscanned" utmaction="block" countssl=1 utmref=65467-0
  SSL UTM log: 1: date=2020-02-07 time=11:06:50 logid="1702062101" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="vdom1" eventtime=1581102410702684472 tz="-0800" action="blocked" policyid=1 sessionid=141051 service="IMAPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=58162 dstip=172.16.200.99 dstport=8143 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="unexpected-protocol" msg="SSL connection is blocked."
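
The three log sections above (ssl-anomalies, ssl-exempt and ssl-negotiation) share one key=value format, and the traffic log and the SSL UTM log for the same connection carry the same sessionid. The following is an added example, not Fortinet code and not part of the original page, showing how a SIEM-side parser can unquote these fields, join each SSL UTM event to its traffic log by (vd, sessionid), split the certificate-status list out of the msg field, and flag the HTTPS ssl-exempt category fields that the Note above says are unreliable. The sample lines are trimmed copies of the page's own example logs (fewer fields, same values); all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copies of the page's example logs. One HTTPS session with an
# expired server certificate (traffic + SSL UTM log), the SMTPS SSL UTM log carrying several
# certificate statuses, an HTTPS FortiGuard-category exemption, and an HTTPS session blocked
# for an unexpected protocol (traffic + SSL UTM log).
SAMPLE_LOGS = [
    '1: date=2020-02-06 time=10:54:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.66 srcport=45068 dstip=172.16.200.99 dstport=443 sessionid=95917 proto=6 action="server-rst" policyid=1 service="HTTPS" utmaction="block" countssl=1 utmref=65503-98',
    '1: date=2020-02-06 time=10:54:31 logid="1700062303" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" action="blocked" policyid=1 sessionid=95917 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=45068 dstip=172.16.200.99 dstport=443 proto=6 eventsubtype="certificate-anomaly" msg="SSL connection is blocked, certificate-status: expired." hostname="invalid.fortinet.com"',
    '1: date=2020-02-06 time=11:02:52 logid="1700062303" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" action="blocked" policyid=1 sessionid=96269 service="SMTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=57522 dstip=172.16.200.99 dstport=465 proto=6 eventsubtype="certificate-anomaly" msg="SSL connection is blocked, certificate-status: expired untrusted validation_failure." hostname="invalid.fortinet.com"',
    '1: date=2020-02-06 time=15:46:08 logid="1701062005" type="utm" subtype="ssl" eventtype="ssl-exempt" level="notice" vd="vdom1" action="exempt" policyid=1 sessionid=107685 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=57116 dstip=52.52.208.2 dstport=443 proto=6 eventsubtype="fortiguard-category" cat=1 catdesc="Drug Abuse" hostname="www.fortinet.com" msg="SSL connection is exempted based on category rating."',
    '1: date=2020-02-07 time=11:10:59 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.66 srcport=33666 dstip=172.16.200.99 dstport=8080 sessionid=141224 proto=6 action="close" policyid=1 service="tcp/8080" utmaction="block" countssl=1 utmref=65464-0',
    '1: date=2020-02-07 time=11:10:58 logid="1702062101" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="vdom1" action="blocked" policyid=1 sessionid=141224 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=33666 dstip=172.16.200.99 dstport=8080 proto=6 eventsubtype="unexpected-protocol" msg="SSL connection is blocked."',
]

# key=value pairs; quoted values may contain spaces (msg="..."), unquoted ones run to whitespace.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict.
    The leading 'N:' index prepended by the log viewer is dropped; quoted values are unquoted."""
    body = re.sub(r'^\s*\d+:\s*', '', line)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(body)}


def certificate_statuses(msg):
    """Split the certificate-status list out of an ssl-anomalies msg field.
    'SSL connection is blocked, certificate-status: expired untrusted validation_failure.'
    -> ['expired', 'untrusted', 'validation_failure']; messages without a status list give []."""
    m = re.search(r'certificate-status:\s*([^.]*)', msg or '')
    return m.group(1).split() if m else []


def correlate(lines):
    """Group the traffic log and the SSL UTM log(s) of each connection by (vd, sessionid)."""
    sessions = defaultdict(lambda: {"traffic": None, "utm": []})
    for line in lines:
        rec = parse_fortigate_log(line)
        key = (rec.get("vd"), rec.get("sessionid"))
        if rec.get("type") == "traffic":
            sessions[key]["traffic"] = rec
        elif rec.get("type") == "utm" and rec.get("subtype") == "ssl":
            sessions[key]["utm"].append(rec)
    return dict(sessions)


def summarize(sessions):
    """One row per SSL UTM event, joined to its traffic log when one was seen."""
    rows = []
    for (vd, sid), s in sessions.items():
        traffic = s["traffic"]
        for u in s["utm"]:
            rows.append({
                "vd": vd,
                "sessionid": sid,
                "utm_service": u.get("service"),            # expected protocol (HTTPS, IMAPS, ...)
                "traffic_service": traffic.get("service") if traffic else None,  # may be tcp/<port>
                "dst": f'{u.get("dstip")}:{u.get("dstport")}',
                "hostname": u.get("hostname"),              # server certificate CN
                "eventtype": u.get("eventtype"),
                "eventsubtype": u.get("eventsubtype"),
                "action": u.get("action"),
                "utmaction": traffic.get("utmaction") if traffic else None,
                "cert_statuses": certificate_statuses(u.get("msg")),
                "category": (u.get("cat"), u.get("catdesc")),
                # Known issue noted on the page: the HTTPS ssl-exempt log records the wrong
                # category ID and description, so do not trust cat/catdesc from those rows.
                "category_reliable": not (u.get("eventtype") == "ssl-exempt"
                                          and u.get("service") == "HTTPS"),
            })
    return rows


def blocked_certificate_events(rows):
    """Rows worth alerting on: connections blocked because of a certificate anomaly."""
    return [r for r in rows if r["eventtype"] == "ssl-anomalies" and r["action"] == "blocked"]


if __name__ == "__main__":
    for r in summarize(correlate(SAMPLE_LOGS)):
        print(r["sessionid"], r["utm_service"], r["eventtype"], r["eventsubtype"],
              r["hostname"], r["cert_statuses"], "category_reliable=%s" % r["category_reliable"])
```

The join key deliberately includes vd as well as sessionid, since session IDs are only unique within a VDOM. A row whose traffic log is missing (the SMTPS anomaly above) still yields a usable event from the SSL UTM log alone, because the UTM log carries service, source, destination and the certificate CN itself.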