WAD and Proxyd SSL logging improvement
During deep inspection and certificate inspection, various logs generated from certificate issues now use a consistent log format. Additional details have also been added to these logs. A new option, ssl-negotiation-log, captures results of unsupported SSL negotiations.
SSL/SSH protocol options:
A new option, set ssl-negotiation-log {enable | disable}, was added to the option set.
config firewall ssl-ssh-profile
edit "deep-inspection"
set ssl-anomalies-log {enable | disable}
set ssl-exemptions-log {enable | disable}
set ssl-negotiation-log {enable | disable}
next
end
To log invalid certificates:
config firewall ssl-ssh-profile
edit "deep-inspection"
set ssl-anomalies-log enable
next
end
FortiGate generates the SSL anomalies log when traffic triggers an SSL certificate anomaly (for example an expired or untrusted server certificate).
In the HTTPS and SMTPS versions of the traffic and SSL UTM logs:
- The logid and the server certificate CN (hostname) are the same.
- The msg field in the SSL UTM logs is similar; it lists every certificate-status token that failed validation.
Log type | HTTPS | SMTPS |
---|---|---|
Traffic log | 1: date=2020-02-06 time=10:54:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581015276280004271 tz="-0800" srcip=10.1.100.66 srcport=45068 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=443 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=95917 proto=6 action="server-rst" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="HTTPS" trandisp="snat" transip=172.16.200.7 transport=45068 duration=5 sentbyte=931 rcvdbyte=6818 sentpkt=11 rcvdpkt=11 appcat="unscanned" wanin=0 wanout=0 lanin=696 lanout=696 utmaction="block" countssl=1 crscore=5 craction=262144 crlevel="low" utmref=65503-98 | 6: date=2020-02-06 time=11:02:57 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581015777090002933 tz="-0800" srcip=10.1.100.66 srcport=57522 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=465 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=96269 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="SMTPS" trandisp="snat" transip=172.16.200.7 transport=57522 duration=5 sentbyte=597 rcvdbyte=216 sentpkt=6 rcvdpkt=4 appcat="unscanned" utmaction="block" countssl=1 utmref=65500-0 |
SSL UTM log | 1: date=2020-02-06 time=10:54:31 logid="1700062303" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" eventtime=1581015271212451397 tz="-0800" action="blocked" policyid=1 sessionid=95917 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=45068 dstip=172.16.200.99 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="certificate-anomaly" msg="SSL connection is blocked, certificate-status: expired." hostname="invalid.fortinet.com" | 1: date=2020-02-06 time=11:02:52 logid="1700062303" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" eventtime=1581015771995913532 tz="-0800" action="blocked" policyid=1 sessionid=96269 service="SMTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=57522 dstip=172.16.200.99 dstport=465 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="certificate-anomaly" msg="SSL connection is blocked, certificate-status: expired untrusted validation_failure." hostname="invalid.fortinet.com" |
To log SSL Exemptions based on FortiGuard categories:
config firewall ssl-ssh-profile
edit "deep-inspection-clone"
set ssl-exemptions-log enable
next
end
In the HTTPS and SMTPS versions of the traffic and SSL UTM logs:
- The logid and the msg are the same.
- The server certificate CN is added to the log as the hostname field.
FortiGate records the wrong category ID and description in the HTTPS version of the SSL UTM log (cat=1, "Drug Abuse" for www.fortinet.com in the sample below). This is a known issue; do not rely on the cat or catdesc fields of HTTPS ssl-exempt events for reporting until it is fixed.
Log type | HTTPS | SMTPS |
---|---|---|
Traffic log | 8: date=2020-02-06 time=15:46:10 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581032769970002679 tz="-0800" srcip=10.1.100.66 srcport=57116 srcintf="port2" srcintfrole="undefined" dstip=52.52.208.2 dstport=443 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=107685 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="HTTPS" trandisp="snat" transip=172.16.200.7 transport=57116 duration=1 sentbyte=1925 rcvdbyte=7736 sentpkt=13 rcvdpkt=13 appcat="unscanned" wanin=0 wanout=0 lanin=1241 lanout=1241 utmaction="allow" countssl=1 utmref=65476-42 | 1: date=2020-02-07 time=10:39:20 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581100760770003429 tz="-0800" srcip=10.1.100.66 srcport=42638 srcintf="port2" srcintfrole="undefined" dstip=74.125.195.109 dstport=465 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=139840 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="SMTPS" trandisp="snat" transip=172.16.200.7 transport=42638 duration=1 sentbyte=896 rcvdbyte=3392 sentpkt=9 rcvdpkt=7 appcat="unscanned" utmaction="allow" countssl=1 utmref=65470-0 |
SSL UTM log | 1: date=2020-02-06 time=15:46:08 logid="1701062005" type="utm" subtype="ssl" eventtype="ssl-exempt" level="notice" vd="vdom1" eventtime=1581032768540281919 tz="-0800" action="exempt" policyid=1 sessionid=107685 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=57116 dstip=52.52.208.2 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="fortiguard-category" cat=1 catdesc="Drug Abuse" hostname="www.fortinet.com" msg="SSL connection is exempted based on category rating." | 1: date=2020-02-07 time=10:39:19 logid="1701062005" type="utm" subtype="ssl" eventtype="ssl-exempt" level="notice" vd="vdom1" eventtime=1581100759642872145 tz="-0800" action="exempt" policyid=1 sessionid=139840 service="SMTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=42638 dstip=74.125.195.109 dstport=465 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="fortiguard-category" cat=23 catdesc="Web-based Email" hostname="smtp.gmail.com" msg="SSL connection is exempted based on category rating." |
To log unsupported SSL negotiation:
config firewall ssl-ssh-profile
edit "deep-inspection-clone"
set ssl-negotiation-log enable
next
end
The logid and msg fields are the same in the HTTPS and IMAPS versions of the traffic and SSL UTM logs. Note that an unsupported negotiation is reported with eventsubtype="unexpected-protocol" and no hostname, because the handshake never reached the point where a server certificate is available:
Log type | HTTPS | IMAPS |
---|---|---|
Traffic log | 1: date=2020-02-07 time=11:10:59 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581102659640002285 tz="-0800" srcip=10.1.100.66 srcport=33666 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=8080 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=141224 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="tcp/8080" trandisp="snat" transip=172.16.200.7 transport=33666 duration=1 sentbyte=216 rcvdbyte=216 sentpkt=4 rcvdpkt=4 appcat="unscanned" wanin=0 wanout=0 lanin=82 lanout=82 utmaction="block" countssl=1 utmref=65464-0 | 16: date=2020-02-07 time=11:06:55 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1581102415810001699 tz="-0800" srcip=10.1.100.66 srcport=58162 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.99 dstport=8143 dstintf="port3" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=141051 proto=6 action="close" policyid=1 policytype="policy" poluuid="81d655f2-479f-51ea-d1d1-5fd661144c81" service="tcp/8143" trandisp="snat" transip=172.16.200.7 transport=58162 duration=5 sentbyte=216 rcvdbyte=164 sentpkt=4 rcvdpkt=3 appcat="unscanned" utmaction="block" countssl=1 utmref=65467-0 |
SSL UTM log | 1: date=2020-02-07 time=11:10:58 logid="1702062101" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="vdom1" eventtime=1581102658589415731 tz="-0800" action="blocked" policyid=1 sessionid=141224 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=33666 dstip=172.16.200.99 dstport=8080 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="unexpected-protocol" msg="SSL connection is blocked." | 1: date=2020-02-07 time=11:06:50 logid="1702062101" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="vdom1" eventtime=1581102410702684472 tz="-0800" action="blocked" policyid=1 sessionid=141051 service="IMAPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=58162 dstip=172.16.200.99 dstport=8143 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="unexpected-protocol" msg="SSL connection is blocked." |
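The three log families above (ssl-anomalies, ssl-exempt and ssl-negotiation) share the FortiGate key=value format and are tied to the matching traffic log by sessionid. The following is an added example, not Fortinet's code or part of this release note, showing how a SIEM-side parser can read those lines, pull the certificate-status tokens out of the msg field, join each SSL UTM event to its traffic record, and produce a triage list of blocked sessions. The sample lines are abbreviated copies of the log entries shown in the tables above; the field names used are exactly those that appear there, and the function names are this example's own.

```python
"""Parse FortiGate SSL UTM / traffic log lines and correlate them by sessionid."""
import re
from collections import defaultdict

# One key=value token; quoted values may contain spaces (e.g. msg="SSL connection is blocked").
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# "1: " style index that `execute log display` prefixes to each entry.
_INDEX_RE = re.compile(r'^\s*\d+:\s*')


def parse_log_line(line):
    """Return the key=value fields of one FortiGate log line as a dict (quotes stripped)."""
    line = _INDEX_RE.sub('', line.strip())
    fields = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def certificate_statuses(msg):
    """Extract the status tokens from 'SSL connection is blocked, certificate-status: expired untrusted validation_failure.'"""
    m = re.search(r'certificate-status:\s*([^.]*)\.?', msg)
    return m.group(1).split() if m else []


def summarize_ssl_event(rec):
    """Reduce an SSL UTM record (type=utm subtype=ssl) to the fields an analyst triages on."""
    if rec.get('type') != 'utm' or rec.get('subtype') != 'ssl':
        return None
    summary = {
        'sessionid': rec.get('sessionid'),
        'eventtype': rec.get('eventtype'),
        'eventsubtype': rec.get('eventsubtype'),
        'action': rec.get('action'),
        'service': rec.get('service'),
        'hostname': rec.get('hostname'),  # absent for ssl-negotiation events
        'dst': f"{rec.get('dstip')}:{rec.get('dstport')}",
    }
    if rec.get('eventtype') == 'ssl-anomalies':
        summary['certificate_status'] = certificate_statuses(rec.get('msg', ''))
    elif rec.get('eventtype') == 'ssl-exempt':
        summary['category'] = (rec.get('cat'), rec.get('catdesc'))
    return summary


def correlate_by_session(lines):
    """Join each SSL UTM event with the traffic log entry for the same sessionid."""
    sessions = defaultdict(dict)
    for line in lines:
        rec = parse_log_line(line)
        sid = rec.get('sessionid')
        if not sid:
            continue
        if rec.get('type') == 'traffic':
            sessions[sid]['traffic'] = rec
        elif rec.get('type') == 'utm' and rec.get('subtype') == 'ssl':
            sessions[sid]['ssl'] = summarize_ssl_event(rec)
    return dict(sessions)


def triage(sessions):
    """One tuple per session the FortiGate blocked: (sessionid, service, hostname, dst, reason)."""
    findings = []
    for sid, parts in sorted(sessions.items()):
        ssl = parts.get('ssl')
        if not ssl or ssl['action'] != 'blocked':
            continue
        if ssl['eventtype'] == 'ssl-anomalies':
            reason = 'certificate ' + ' '.join(ssl['certificate_status'])
        else:
            reason = ssl['eventsubtype']
        findings.append((sid, ssl['service'], ssl['hostname'], ssl['dst'], reason))
    return findings


# Abbreviated copies of the sample entries shown in the tables above.
SAMPLE_LOGS = [
    '1: date=2020-02-06 time=10:54:36 logid="0000000013" type="traffic" subtype="forward" vd="vdom1" srcip=10.1.100.66 srcport=45068 dstip=172.16.200.99 dstport=443 sessionid=95917 proto=6 action="server-rst" policyid=1 service="HTTPS" utmaction="block" countssl=1 utmref=65503-98',
    '1: date=2020-02-06 time=10:54:31 logid="1700062303" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" action="blocked" policyid=1 sessionid=95917 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=45068 dstip=172.16.200.99 dstport=443 proto=6 eventsubtype="certificate-anomaly" msg="SSL connection is blocked, certificate-status: expired." hostname="invalid.fortinet.com"',
    '1: date=2020-02-06 time=11:02:52 logid="1700062303" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" action="blocked" policyid=1 sessionid=96269 service="SMTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=57522 dstip=172.16.200.99 dstport=465 proto=6 eventsubtype="certificate-anomaly" msg="SSL connection is blocked, certificate-status: expired untrusted validation_failure." hostname="invalid.fortinet.com"',
    '1: date=2020-02-06 time=15:46:08 logid="1701062005" type="utm" subtype="ssl" eventtype="ssl-exempt" level="notice" vd="vdom1" action="exempt" policyid=1 sessionid=107685 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=57116 dstip=52.52.208.2 dstport=443 proto=6 eventsubtype="fortiguard-category" cat=1 catdesc="Drug Abuse" hostname="www.fortinet.com" msg="SSL connection is exempted based on category rating."',
    '16: date=2020-02-07 time=11:06:55 logid="0000000013" type="traffic" subtype="forward" vd="vdom1" srcip=10.1.100.66 srcport=58162 dstip=172.16.200.99 dstport=8143 sessionid=141051 proto=6 action="close" policyid=1 service="tcp/8143" utmaction="block" countssl=1 utmref=65467-0',
    '1: date=2020-02-07 time=11:06:50 logid="1702062101" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="vdom1" action="blocked" policyid=1 sessionid=141051 service="IMAPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=58162 dstip=172.16.200.99 dstport=8143 proto=6 eventsubtype="unexpected-protocol" msg="SSL connection is blocked."',
]

if __name__ == '__main__':
    for finding in triage(correlate_by_session(SAMPLE_LOGS)):
        print(finding)
```

Joining on sessionid is what makes the SSL UTM event actionable: the traffic record carries utmaction, byte counts and the NAT address, while the UTM record carries the reason. For ssl-exempt events the parser keeps cat and catdesc, but given the known issue with HTTPS category values noted above, those fields should be treated as advisory for HTTPS until the fix ships.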