Fortinet Document Library

FortiOS Log Message Reference

Administration Guide


ZTNA logging enhancements

ZTNA logs appear under UTM logs with the ZTNA subtype, and in the forward traffic log when traffic is allowed or denied by a policy.

There are six events that generate UTM logs with the ZTNA subtype:

  1. Received an empty client certificate

  2. Received a client certificate that fails to validate

  3. API gateway cannot be matched

  4. None of the real servers can be reached

  5. ZTNA rule (proxy policy) cannot be matched

  6. HTTPS SNI virtual host does not match the HTTP host header

ZTNA-related traffic generates logs when logging of all allowed traffic is enabled in the ZTNA rule (proxy policy).

To enable logging all traffic in a ZTNA rule in the GUI:
  1. Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and edit a rule.

  2. Set Log Allowed Traffic to All Sessions.

  3. Click OK.

To enable logging all traffic in a proxy policy in the CLI:
config firewall proxy-policy
    edit <policy number>
        ...
        set logtraffic all
    next
end
To also log sessions that reach the access proxy but match no proxy policy:
config firewall access-proxy
    edit <proxy>
        set log-blocked-traffic enable
    next
end

Log samples

A client PC (10.1.100.206) is connected to port2 on the FortiGate. The FortiGate is also connected to a FortiClient EMS, and a real server that is defined in the ZTNA server API gateway.

  • Access proxy server: zs2

  • Access proxy VIP: zv2

  • Access proxy VIP external IP address: 172.18.62.112

  • Mapped real server IP address: 172.18.60.65

UTM and traffic log samples for each of the six event types:
  1. Received an empty client certificate:

    When connecting to the ZTNA access proxy, the client did not send a client certificate to the FortiGate for verification. The empty certificate is disallowed and blocked.

    Traffic log:

    1: date=2021-06-09 time=16:36:54 eventtime=1623281814371412983 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56494 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=21453 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: empty client certificate" utmref=65483-0

    UTM log:

    1: date=2021-06-09 time=16:36:54 eventtime=1623281814371409480 tz="-0700" logid="2100060500" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" msg="Client sends an empty certificate" policyid=5 sessionid=21453 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56494 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2"
  2. Received a client certificate that fails to validate:

    When connecting to the ZTNA access proxy, the client sends a client certificate to the FortiGate for verification, but the certificate fails validation.

    Traffic log:

    2: date=2021-06-09 time=15:06:47 eventtime=1623276407372012365 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55910 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=16810 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: client certificate authentication failed" utmref=65491-0

    UTM log:

    1: date=2021-06-09 time=15:06:47 eventtime=1623276407372009447 tz="-0700" logid="2100060501" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" msg="Client certificate has security problem" policyid=5 sessionid=16810 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55910 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="cert auth failed, cert-cn:qa.wangd.com, cert-issuer:qa.wangd.com, cert-status:failure "
  3. API gateway cannot be matched:

    When connecting to the ZTNA access proxy, the client tries to connect to an API gateway that does not match any virtual host.

    Traffic log:

    1: date=2021-06-09 time=15:15:39 eventtime=1623276939601851410 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55974 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17152 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65490-0

    UTM log:

    2: date=2021-06-09 time=15:15:39 eventtime=1623276939601849940 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17152 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55974 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url (https://qbcd.test.com/test123456) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
  4. None of the real servers can be reached:

    When connecting to the ZTNA access proxy, the client tries to connect to an API gateway but the real server cannot be reached.

    Traffic log:

    1: date=2021-06-09 time=15:17:49 eventtime=1623277069371491908 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55988 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17233 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65489-0

    UTM log:

    2: date=2021-06-09 time=15:17:49 eventtime=1623277069371490614 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17233 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55988 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url (https://qbcd.test.com/test123456) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
  5. ZTNA rule (proxy policy) cannot be matched:

    When connecting to the ZTNA access proxy, no ZTNA rule (proxy policy) can be matched, for example because no ZTNA rule matches the ZTNA tag assigned to the endpoint.

    Traffic log:

    1: date=2021-06-09 time=15:20:20 eventtime=1623277220133106783 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56010 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17456 proto=6 action="deny" policyid=0 policytype="proxy-policy" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match a proxy-policy" utmref=65488-26

    UTM log:

    2: date=2021-06-09 time=15:20:20 eventtime=1623277220133105204 tz="-0700" logid="2101060510" type="utm" subtype="ztna" eventtype="ztna-policy-match" level="warning" vd="root" msg="Connection is blocked due to unable to match a proxy-policy" policyid=0 sessionid=17456 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56010 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" gatewayid=1 vip="zv2" accessproxy="zs2"
  6. HTTPS SNI virtual host does not match the HTTP host header:

    Traffic log:

    1: date=2021-06-09 time=15:24:25 eventtime=1623277465275004842 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56040 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17614 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65486-0

    UTM log:

    2: date=2021-06-09 time=15:24:25 eventtime=1623277465275003194 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17614 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56040 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url (https://aq4.test.com/) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
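
All of the samples above share one key=value format, and in practice they are consumed by a SIEM or a script rather than read by eye. The following Python is an added example and is not part of the Fortinet documentation or of FortiOS: it parses that format (including quoted values that contain spaces, parentheses and colons, as the desc fields do), maps the ZTNA and SSH-proxy log IDs documented above to the event types, and joins each forward-traffic deny to its UTM warning through the shared sessionid. The input is a subset of the log lines shown on this page; the function names and the event labels are our own. One caveat the samples make visible: events 3, 4 and 6 all arrive with logid 2102060522 and the same msg, so the log line alone cannot separate those three causes.

```python
import re
from collections import defaultdict

# One key=value token: the value is either a double-quoted string (which may
# contain spaces, parentheses, ':' and ',' as in the desc= fields above) or a
# bare run of non-whitespace characters (IPs, numbers, utmref=65483-0).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# ZTNA UTM log IDs taken from the samples above -> event label.
# Labels are ours (hypothetical), not FortiOS names. Events 3, 4 and 6 share
# logid 2102060522 in the samples, so they get one combined label.
ZTNA_LOGIDS = {
    "2100060500": "empty client certificate",
    "2100060501": "client certificate failed validation",
    "2102060522": "API gateway not matched (or real server unreachable / SNI-host mismatch)",
    "2101060510": "no ZTNA rule (proxy policy) matched",
}

# Constructed sample input: a subset of the log lines shown on this page.
SAMPLE_LINES = [
    '1: date=2021-06-09 time=16:36:54 eventtime=1623281814371412983 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56494 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=21453 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: empty client certificate" utmref=65483-0',
    '1: date=2021-06-09 time=16:36:54 eventtime=1623281814371409480 tz="-0700" logid="2100060500" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" msg="Client sends an empty certificate" policyid=5 sessionid=21453 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56494 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2"',
    '1: date=2021-06-09 time=15:06:47 eventtime=1623276407372009447 tz="-0700" logid="2100060501" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" msg="Client certificate has security problem" policyid=5 sessionid=16810 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55910 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="cert auth failed, cert-cn:qa.wangd.com, cert-issuer:qa.wangd.com, cert-status:failure "',
    '2: date=2021-06-09 time=15:15:39 eventtime=1623276939601849940 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17152 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55974 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url (https://qbcd.test.com/test123456) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"',
    '2: date=2021-06-09 time=15:20:20 eventtime=1623277220133105204 tz="-0700" logid="2101060510" type="utm" subtype="ztna" eventtype="ztna-policy-match" level="warning" vd="root" msg="Connection is blocked due to unable to match a proxy-policy" policyid=0 sessionid=17456 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56010 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" gatewayid=1 vip="zv2" accessproxy="zs2"',
    '1: date=2021-09-17 time=10:17:26 eventtime=1631899046292010350 tz="-0700" logid="1602061012" type="utm" subtype="ssh" eventtype="ssh-hostkey" level="warning" vd="root" policyid=1 sessionid=166324 srcip=10.1.100.119 srcport=55476 dstip=172.18.62.25 dstport=22 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" srcuuid="88a8d5b0-4f66-51eb-26a7-cfcffb04b300" proto=6 action="blocked" hostkeystatus="untrusted" fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa" unauthusersource="forticlient"',
]


def parse_fortios_log(line):
    """Parse one FortiOS log line into a dict of string fields.

    The leading 'N: ' index printed by the CLI log viewer is dropped and
    quoted values are unquoted (a trailing space inside the quotes is kept,
    as in the cert-status sample above)."""
    line = re.sub(r'^\s*\d+:\s*', '', line.strip())
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def classify_utm(f):
    """Return an event label for a UTM record, or None for other record types."""
    if f.get("type") != "utm":
        return None
    if f.get("subtype") == "ztna":
        return ZTNA_LOGIDS.get(f.get("logid"), "unknown ztna event " + f.get("logid", "?"))
    if f.get("subtype") == "ssh" and f.get("eventtype") == "ssh-hostkey":
        return "ssh host key " + f.get("hostkeystatus", "?")
    return None


def correlate(lines):
    """Group traffic and UTM records by (vd, sessionid).

    The samples above show the forward-traffic deny and the UTM warning for
    one connection carrying the same sessionid, which is the join key here."""
    sessions = defaultdict(lambda: {"traffic": None, "utm": []})
    for line in lines:
        if not line.strip():
            continue
        f = parse_fortios_log(line)
        key = (f.get("vd"), f.get("sessionid"))
        if f.get("type") == "traffic":
            sessions[key]["traffic"] = f
        elif f.get("type") == "utm":
            sessions[key]["utm"].append(f)
    return sessions


def summarize(lines):
    """One summary dict per session, ordered by sessionid: source, verdict, reasons."""
    out = []
    for (vd, sid), rec in sorted(correlate(lines).items(), key=lambda kv: int(kv[0][1] or 0)):
        t = rec["traffic"]
        first = t or (rec["utm"][0] if rec["utm"] else {})
        out.append({
            "vd": vd,
            "sessionid": sid,
            "srcip": first.get("srcip"),
            "traffic_action": t.get("action") if t else None,
            "policyid": t.get("policyid") if t else None,
            "reasons": [r for r in (classify_utm(u) for u in rec["utm"]) if r],
        })
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

Feed it the output of the CLI log viewer or a raw syslog export; sessions with a UTM record but no traffic record (as with the samples that only show the UTM side) are still reported, with traffic_action left as None. Lines that the tokenizer does not recognise simply produce fewer fields rather than an exception, so a SIEM wrapper should alert on records with no type or sessionid.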

Additionally, SSH Proxy can generate logs during host key validation.

  • Host Key untrusted block:

    1: date=2021-09-17 time=10:17:26 eventtime=1631899046292010350 tz="-0700" logid="1602061012" type="utm" subtype="ssh" eventtype="ssh-hostkey" level="warning" vd="root" policyid=1 sessionid=166324 srcip=10.1.100.119 srcport=55476 dstip=172.18.62.25 dstport=22 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" srcuuid="88a8d5b0-4f66-51eb-26a7-cfcffb04b300" proto=6 action="blocked" hostkeystatus="untrusted" fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa" unauthusersource="forticlient"
