Administration Guide

ZTNA logging enhancements

The ZTNA log subtype is added to UTM logs and a traffic log ID is added for ZTNA related traffic.

There are six events that generate logs in the subtype:

  1. Received an empty client certificate

  2. Received a client certificate that fails to validate

  3. API gateway cannot be matched

  4. None of the real servers can be reached

  5. ZTNA rule (proxy policy) cannot be matched

  6. HTTPS SNI virtual host does not match the HTTP host header

ZTNA related traffic will generate logs when logging all allowed traffic is enabled in the policy.

To enable logging all traffic in a policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and edit a policy.

  2. Set Log Allowed Traffic to All Sessions.

  3. Click OK.

To enable logging all traffic in a policy in the CLI:
config firewall policy
    edit <policy number>
        ...
        set logtraffic all
    next
end

Log samples

A client PC (10.1.100.206) is connected to port2 on the FortiGate. The FortiGate is also connected to a FortiClient EMS and to a real server that is defined in the ZTNA server API gateway.

  • Access proxy server: zs2

  • Access proxy VIP: zv2

  • Access proxy VIP external IP address: 172.18.62.112

  • Mapped real server IP address: 172.18.60.65

UTM and traffic log samples for each of the six event types:
  1. Received an empty client certificate:

    When connecting to the ZTNA access proxy, the client did not send a client certificate to the FortiGate for verification. The empty certificate is disallowed and blocked.

    Traffic log:

    1: date=2021-06-09 time=16:36:54 eventtime=1623281814371412983 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56494 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=21453 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: empty client certificate" utmref=65483-0

    UTM log:

    1: date=2021-06-09 time=16:36:54 eventtime=1623281814371409480 tz="-0700" logid="2100060500" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" msg="Client sends an empty certificate" policyid=5 sessionid=21453 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56494 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2"
  2. Received a client certificate that fails to validate:

    When connecting to the ZTNA access proxy, the client sends a client certificate to the FortiGate for verification, but the certificate fails validation.

    Traffic log:

    2: date=2021-06-09 time=15:06:47 eventtime=1623276407372012365 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55910 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=16810 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: client certificate authentication failed" utmref=65491-0

    UTM log:

    1: date=2021-06-09 time=15:06:47 eventtime=1623276407372009447 tz="-0700" logid="2100060501" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" msg="Client certificate has security problem" policyid=5 sessionid=16810 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55910 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="cert auth failed, cert-cn:qa.wangd.com, cert-issuer:qa.wangd.com, cert-status:failure "
  3. API gateway cannot be matched:

    When connecting to the ZTNA access proxy, the client tries to connect to an API gateway that does not match any virtual host.

    Traffic log:

    1: date=2021-06-09 time=15:15:39 eventtime=1623276939601851410 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55974 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17152 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65490-0

    UTM log:

    2: date=2021-06-09 time=15:15:39 eventtime=1623276939601849940 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17152 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55974 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url (https://qbcd.test.com/test123456) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
  4. None of the real servers can be reached:

    When connecting to the ZTNA access proxy, the client tries to connect to an API gateway but the real server cannot be reached.

    Traffic log:

    1: date=2021-06-09 time=15:17:49 eventtime=1623277069371491908 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55988 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17233 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65489-0

    UTM log:

    2: date=2021-06-09 time=15:17:49 eventtime=1623277069371490614 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17233 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55988 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url (https://qbcd.test.com/test123456) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
  5. ZTNA rule (proxy policy) cannot be matched:

    When connecting to the ZTNA access proxy, a ZTNA rule (proxy policy) cannot be matched. For example, no ZTNA rule matches the ZTNA tag assigned to the endpoint.

    Traffic log:

    1: date=2021-06-09 time=15:20:20 eventtime=1623277220133106783 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56010 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17456 proto=6 action="deny" policyid=0 policytype="proxy-policy" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match a proxy-policy" utmref=65488-26

    UTM log:

    2: date=2021-06-09 time=15:20:20 eventtime=1623277220133105204 tz="-0700" logid="2101060510" type="utm" subtype="ztna" eventtype="ztna-policy-match" level="warning" vd="root" msg="Connection is blocked due to unable to match a proxy-policy" policyid=0 sessionid=17456 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56010 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" gatewayid=1 vip="zv2" accessproxy="zs2"
  6. HTTPS SNI virtual host does not match the HTTP host header:

    Traffic log:

    1: date=2021-06-09 time=15:24:25 eventtime=1623277465275004842 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56040 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17614 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65486-0

    UTM log:

    2: date=2021-06-09 time=15:24:25 eventtime=1623277465275003194 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17614 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56040 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url (https://aq4.test.com/) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
