Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

Generate unique user name for anonymized logs 7.0.2

With the anonymization-hash option, user fields in logs can be anonymized by generating a hash based on the user name and salt value. The hash for the same user will generate the same hash value, allowing the anonymized user to be correlated between logs.

config log setting
    set user-anonymize enable
    set anonymization-hash <salt string>
end

Example

In this example, user names are encrypted in traffic and event logs using the anonymization-hash option.

To encrypt the user name for logs in the GUI:
  1. Configure the hash anonymization in the CLI:
    config log setting
        set user-anonymize enable
        set anonymization-hash "random"
    end
  2. Configure a firewall policy with a user as a source:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. For Source, select a user.
    3. In the Security Profiles section, enable AntiVirus and select a profile.
    4. Configure the other settings as needed.
    5. Click OK.
  3. Verify the forward traffic log:
    1. Go to Log & Report > Forward Traffic.
    2. Select an entry and double-click to view the log details.

      The user name has a hashed value of e8557d12f6551b2d.

  4. Verify the antivirus traffic log:
    1. Go to Log & Report > AntiVirus.
    2. Select an entry and double-click to view the log details.

      The user name has the same hashed value. Hovering over the user name displays a No user information tooltip.

  5. Verify the event log:
    1. Go to Log & Report > Events > System Events.
    2. Select an entry and double-click to view the log details.

      The administrative user has a hashed value of 6a4d668735f5517a.

To encrypt the user name for logs in the CLI:
  1. Configure the hash anonymization:
    config log setting
        set user-anonymize enable
        set anonymization-hash "random"
    end
  2. Configure a firewall policy with a user as a source:
    config firewall policy
        edit 1
            set name "WAN_out"
            set srcintf "dmz"
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set av-profile "g-default"
            set nat enable
            set users "bob"
        next
    end
  3. Verify the forward traffic log. The user name has a hashed value of e8557d12f6551b2d:
    date=2021-09-09 time=15:24:52 eventtime=1631226292981803646 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.72 srcport=33250 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.75 dstport=80 dstintf="wan1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=383 proto=6 action="client-rst" policyid=1 policytype="policy" poluuid="12f6f924-c2fb-51eb-6e06-3b997d55d5f4" policyname="WAN_out" user="e8557d12f6551b2d" dstuser="e8557d12f6551b2d" service="HTTP" trandisp="snat" transip=172.16.200.7 transport=33250 duration=1 sentbyte=469 rcvdbyte=6331 sentpkt=6 rcvdpkt=8 appcat="unscanned" wanin=369 wanout=149 lanin=149 lanout=149 utmaction="block" countav=1 crscore=50 craction=2 srchwvendor="VMware" osname="Linux" mastersrcmac="**:**:**:**:**:**" srcmac="**:**:**:**:**:**" srcserver=0 dsthwvendor="VMware" dstosname="Linux" masterdstmac="**:**:**:**:**:**" dstmac="**:**:**:**:**:**" dstserver=0 utmref=0-28
  4. Verify the antivirus traffic log. The user name has the same hashed value:
    date=2021-09-09 time=15:24:51 eventtime=1631226291945007723 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 msg="File is infected." action="blocked" service="HTTP" sessionid=383 srcip=10.1.100.72 dstip=172.16.200.75 srcport=33250 dstport=80 srcintf="dmz" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" srcuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" dstuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" proto=6 direction="incoming" filename="eicar.com" quarskip="File-was-not-quarantined" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.75/eicar.com" profile="g-default" user="e8557d12f6551b2d" dstuser="e8557d12f6551b2d" agent="Wget/1.17.1" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
  5. Verify the event log. The administrative user has a hashed value of 6a4d668735f5517a:
    date=2021-09-09 time=09:59:09 eventtime=1631206750109938510 tz="-0700" logid="0100032001" type="event" subtype="system" level="information" vd="vdom1" logdesc="Admin login successful" sn="**********" user="6a4d668735f5517a" ui="https(10.6.30.254)" method="https" srcip=10.6.30.254 dstip=10.6.30.107 action="login" status="success" reason="none" profile="super_admin" msg="Administrator 6a4d668735f5517a logged in successfully from https(10.6.30.254)"

If user-anonymize is enabled in the log settings and anonymization-hash is left blank, the user name is displayed as anonymous in the logs.

Sample traffic log:
date=2021-09-09 time=11:27:44 eventtime=1631212064444723180 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.72 srcport=33246 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.75 dstport=80 dstintf="wan1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=1337 proto=6 action="client-rst" policyid=1 policytype="policy" poluuid="12f6f924-c2fb-51eb-6e06-3b997d55d5f4" policyname="WAN_out" user="anonymous" dstuser="anonymous" service="HTTP" trandisp="snat" transip=172.16.200.7 transport=33246 duration=1 sentbyte=469 rcvdbyte=6331 sentpkt=6 rcvdpkt=8 appcat="unscanned" wanin=369 wanout=149 lanin=149 lanout=149 utmaction="block" countav=1 crscore=50 craction=2 srchwvendor="VMware" osname="Linux" mastersrcmac="**:**:**:**:**:**" srcmac="**:**:**:**:**:**" srcserver=0 dsthwvendor="VMware" dstosname="Linux" masterdstmac="**:**:**:**:**:**" dstmac="**:**:**:**:**:**" dstserver=0 utmref=0-14
Sample UTM log:
date=2021-09-09 time=11:27:43 eventtime=1631212063400129220 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 msg="File is infected." action="blocked" service="HTTP" sessionid=1337 srcip=10.1.100.72 dstip=172.16.200.75 srcport=33246 dstport=80 srcintf="dmz" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" srcuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" dstuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" proto=6 direction="incoming" filename="eicar.com" quarskip="File-was-not-quarantined" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.75/eicar.com" profile="g-default" user="anonymous" dstuser="anonymous" agent="Wget/1.17.1" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
Sample event log:
date=2021-09-09 time=11:27:26 eventtime=1631212046861637260 tz="-0700" logid="0100032102" type="event" subtype="system" level="alert" vd="vdom1" logdesc="Configuration changed" user="anonymous" ui="jsconsole" msg="Configuration is changed in the anonymous session"

Generate unique user name for anonymized logs 7.0.2

With the anonymization-hash option, user fields in logs can be anonymized by generating a hash based on the user name and salt value. The hash for the same user will generate the same hash value, allowing the anonymized user to be correlated between logs.

config log setting
    set user-anonymize enable
    set anonymization-hash <salt string>
end

Example

In this example, user names are encrypted in traffic and event logs using the anonymization-hash option.

To encrypt the user name for logs in the GUI:
  1. Configure the hash anonymization in the CLI:
    config log setting
        set user-anonymize enable
        set anonymization-hash "random"
    end
  2. Configure a firewall policy with a user as a source:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. For Source, select a user.
    3. In the Security Profiles section, enable AntiVirus and select a profile.
    4. Configure the other settings as needed.
    5. Click OK.
  3. Verify the forward traffic log:
    1. Go to Log & Report > Forward Traffic.
    2. Select an entry and double-click to view the log details.

      The user name has a hashed value of e8557d12f6551b2d.

  4. Verify the antivirus traffic log:
    1. Go to Log & Report > AntiVirus.
    2. Select an entry and double-click to view the log details.

      The user name has the same hashed value. Hovering over the user name displays a No user information tooltip.

  5. Verify the event log:
    1. Go to Log & Report > Events > System Events.
    2. Select an entry and double-click to view the log details.

      The administrative user has a hashed value of 6a4d668735f5517a.

To encrypt the user name for logs in the CLI:
  1. Configure the hash anonymization:
    config log setting
        set user-anonymize enable
        set anonymization-hash "random"
    end
  2. Configure a firewall policy with a user as a source:
    config firewall policy
        edit 1
            set name "WAN_out"
            set srcintf "dmz"
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set av-profile "g-default"
            set nat enable
            set users "bob"
        next
    end
  3. Verify the forward traffic log. The user name has a hashed value of e8557d12f6551b2d:
    date=2021-09-09 time=15:24:52 eventtime=1631226292981803646 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.72 srcport=33250 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.75 dstport=80 dstintf="wan1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=383 proto=6 action="client-rst" policyid=1 policytype="policy" poluuid="12f6f924-c2fb-51eb-6e06-3b997d55d5f4" policyname="WAN_out" user="e8557d12f6551b2d" dstuser="e8557d12f6551b2d" service="HTTP" trandisp="snat" transip=172.16.200.7 transport=33250 duration=1 sentbyte=469 rcvdbyte=6331 sentpkt=6 rcvdpkt=8 appcat="unscanned" wanin=369 wanout=149 lanin=149 lanout=149 utmaction="block" countav=1 crscore=50 craction=2 srchwvendor="VMware" osname="Linux" mastersrcmac="**:**:**:**:**:**" srcmac="**:**:**:**:**:**" srcserver=0 dsthwvendor="VMware" dstosname="Linux" masterdstmac="**:**:**:**:**:**" dstmac="**:**:**:**:**:**" dstserver=0 utmref=0-28
  4. Verify the antivirus traffic log. The user name has the same hashed value:
    date=2021-09-09 time=15:24:51 eventtime=1631226291945007723 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 msg="File is infected." action="blocked" service="HTTP" sessionid=383 srcip=10.1.100.72 dstip=172.16.200.75 srcport=33250 dstport=80 srcintf="dmz" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" srcuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" dstuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" proto=6 direction="incoming" filename="eicar.com" quarskip="File-was-not-quarantined" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.75/eicar.com" profile="g-default" user="e8557d12f6551b2d" dstuser="e8557d12f6551b2d" agent="Wget/1.17.1" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
  5. Verify the event log. The administrative user has a hashed value of 6a4d668735f5517a:
    date=2021-09-09 time=09:59:09 eventtime=1631206750109938510 tz="-0700" logid="0100032001" type="event" subtype="system" level="information" vd="vdom1" logdesc="Admin login successful" sn="**********" user="6a4d668735f5517a" ui="https(10.6.30.254)" method="https" srcip=10.6.30.254 dstip=10.6.30.107 action="login" status="success" reason="none" profile="super_admin" msg="Administrator 6a4d668735f5517a logged in successfully from https(10.6.30.254)"

If user-anonymize is enabled in the log settings and anonymization-hash is left blank, the user name is displayed as anonymous in the logs.

Sample traffic log:
date=2021-09-09 time=11:27:44 eventtime=1631212064444723180 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" srcip=10.1.100.72 srcport=33246 srcintf="dmz" srcintfrole="undefined" dstip=172.16.200.75 dstport=80 dstintf="wan1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=1337 proto=6 action="client-rst" policyid=1 policytype="policy" poluuid="12f6f924-c2fb-51eb-6e06-3b997d55d5f4" policyname="WAN_out" user="anonymous" dstuser="anonymous" service="HTTP" trandisp="snat" transip=172.16.200.7 transport=33246 duration=1 sentbyte=469 rcvdbyte=6331 sentpkt=6 rcvdpkt=8 appcat="unscanned" wanin=369 wanout=149 lanin=149 lanout=149 utmaction="block" countav=1 crscore=50 craction=2 srchwvendor="VMware" osname="Linux" mastersrcmac="**:**:**:**:**:**" srcmac="**:**:**:**:**:**" srcserver=0 dsthwvendor="VMware" dstosname="Linux" masterdstmac="**:**:**:**:**:**" dstmac="**:**:**:**:**:**" dstserver=0 utmref=0-14
Sample UTM log:
date=2021-09-09 time=11:27:43 eventtime=1631212063400129220 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 msg="File is infected." action="blocked" service="HTTP" sessionid=1337 srcip=10.1.100.72 dstip=172.16.200.75 srcport=33246 dstport=80 srcintf="dmz" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" srcuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" dstuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" proto=6 direction="incoming" filename="eicar.com" quarskip="File-was-not-quarantined" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.75/eicar.com" profile="g-default" user="anonymous" dstuser="anonymous" agent="Wget/1.17.1" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
Sample event log:
date=2021-09-09 time=11:27:26 eventtime=1631212046861637260 tz="-0700" logid="0100032102" type="event" subtype="system" level="alert" vd="vdom1" logdesc="Configuration changed" user="anonymous" ui="jsconsole" msg="Configuration is changed in the anonymous session"