New Features

Logging IP address threat feeds in sniffer mode

In sniffer mode, you can record traffic logs each time a source or destination address matches an IP address on an external threat feed.

config firewall sniffer
    edit <id>
        set logtraffic all
        set interface <interface>
        set ip-threatfeed-status {enable | disable}
        set ip-threatfeed <threat feed> ...
    next
end

ip-threatfeed-status {enable | disable}

Enable/disable the IP threat feed.

ip-threatfeed <threat feed> ...

The name of an existing IP threat feed.

When an IP address matches multiple threat feeds, the sniffer log records the last external connector in the configuration. This differs from the normal firewall policy log, which records the first external connector in the configuration.

When the threat feed is enabled and configured in a sniffer policy, any traffic whose IP address matches the threat feed produces a traffic log, whether logtraffic is set to all or to utm.

To configure a sniffer policy to log the threat feed:
  1. Enable inserting address UUIDs in traffic logs:
    config system global
        set log-uuid-address enable
    end
  2. Configure the sniffer policy:
    config firewall sniffer
        edit 1
            set logtraffic all
            set ipv6 enable
            set interface "port3"
            set ip-threatfeed-status enable
            set ip-threatfeed "g-source"
        next
    end

Sample log

1: date=2021-01-26 time=15:51:37 eventtime=1611705097880421908 tz="-0800" logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vd1" srcip=10.1.100.12 srcport=34604 srcintf="port3" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="port3" dstintfrole="undefined" srcthreatfeed="g-source" srccountry="Reserved" dstcountry="Reserved" sessionid=30384 proto=6 action="accept" policyid=1 policytype="sniffer" service="HTTP" trandisp="snat" transip=0.0.0.0 transport=0 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
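The sample log above is a key=value line in which the threat-feed match shows up as srcthreatfeed (or, for a destination match, the dstthreatfeed field, assumed here by analogy). The following parser, added as an example and not Fortinet code, extracts sniffer-policy logs whose source or destination IP matched a feed, so a SOC pipeline can alert on them; the first sample line is the page's own log, the other three are constructed.

```python
import re
from typing import Dict, Iterable, List

# One key=value pair of a FortiOS log line: the value is either double-quoted
# (and may then contain spaces) or a bare token such as an IP, port or number.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse a FortiOS key=value log line into a dict with quotes stripped."""
    # Drop the leading "N: " sequence number printed by the CLI log viewer.
    line = re.sub(r"^\d+:\s*", "", line.strip())
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV_RE.findall(line)}


def threat_feed_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per sniffer traffic log whose src or dst IP matched a feed.

    Logs from ordinary firewall policies (subtype other than "sniffer") are
    ignored so the output reflects only the sniffer-mode feature described above.
    """
    hits = []
    for raw in lines:
        rec = parse_fortios_log(raw)
        if rec.get("type") != "traffic" or rec.get("subtype") != "sniffer":
            continue
        for side in ("src", "dst"):
            feed = rec.get(f"{side}threatfeed")  # dstthreatfeed is an assumed field name
            if feed:
                hits.append({"ip": rec[f"{side}ip"], "side": side, "feed": feed,
                             "sessionid": rec.get("sessionid", ""), "vd": rec.get("vd", "")})
    return hits


# Constructed sample input: line 1 is the page's sample log; lines 2-4 are made up
# to show a destination-side match, a sniffer log without any match, and a
# non-sniffer (forward) log that must be ignored.
SAMPLE_LOGS = [
    '1: date=2021-01-26 time=15:51:37 eventtime=1611705097880421908 tz="-0800" logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vd1" srcip=10.1.100.12 srcport=34604 srcintf="port3" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="port3" dstintfrole="undefined" srcthreatfeed="g-source" srccountry="Reserved" dstcountry="Reserved" sessionid=30384 proto=6 action="accept" policyid=1 policytype="sniffer" service="HTTP" trandisp="snat" transip=0.0.0.0 transport=0 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"',
    '2: date=2021-01-26 time=15:52:01 logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vd1" srcip=10.1.100.20 srcport=51000 dstip=203.0.113.9 dstport=443 dstthreatfeed="g-dest" sessionid=30390 proto=6 action="accept" policyid=1 policytype="sniffer"',
    '3: date=2021-01-26 time=15:52:05 logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vd1" srcip=10.1.100.30 dstip=172.16.200.55 sessionid=30391 proto=6 action="accept" policyid=1 policytype="sniffer"',
    '4: date=2021-01-26 time=15:52:09 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 dstip=172.16.200.55 srcthreatfeed="g-source" sessionid=30392 proto=6 action="accept" policyid=7 policytype="policy"',
]

if __name__ == "__main__":
    for hit in threat_feed_hits(SAMPLE_LOGS):
        print(f'{hit["vd"]}: {hit["side"]} {hit["ip"]} matched feed "{hit["feed"]}" (session {hit["sessionid"]})')
```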