ZTNA logging enhancements
ZTNA logs are recorded as UTM logs with the ZTNA subtype, and also appear in the forward traffic log when traffic is allowed or denied by a policy.
There are six events that generate UTM logs with the ZTNA subtype:
- Received an empty client certificate
- Received a client certificate that fails to validate
- API gateway cannot be matched
- None of the real servers can be reached
- ZTNA rule (proxy policy) cannot be matched
- HTTPS SNI virtual host does not match the HTTP host header
ZTNA-related traffic generates logs when logging of all allowed traffic is enabled in the ZTNA rule (proxy policy).
To enable logging all traffic in a ZTNA rule in the GUI:
- Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and edit a rule.
- Set Log Allowed Traffic to All Sessions.
- Click OK.
To enable logging all traffic in a proxy policy in the CLI:
config firewall proxy-policy
    edit <policy number>
        ...
        set logtraffic all
    next
end
To control whether sessions that reach the access proxy without matching any proxy policy are logged:
config firewall access-proxy
    edit <proxy>
        set log-blocked-traffic enable
    next
end
Log samples
A client PC (10.1.100.206) is connected to port2 on the FortiGate. The FortiGate is also connected to a FortiClient EMS, and a real server that is defined in the ZTNA server API gateway.
- Access proxy server: zs2
- Access proxy VIP: zv2
- Access proxy VIP external IP address: 172.18.62.112
- Mapped real server IP address: 172.18.60.65
UTM and traffic log samples for each of the six event types:
- Received an empty client certificate:
When connecting to the ZTNA access proxy, the client did not send a client certificate to the FortiGate for verification. The empty certificate is disallowed and blocked.
Traffic log:
1: date=2021-06-09 time=16:36:54 eventtime=1623281814371412983 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56494 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=21453 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: empty client certificate" utmref=65483-0
UTM log:
1: date=2021-06-09 time=16:36:54 eventtime=1623281814371409480 tz="-0700" logid="2100060500" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" msg="Client sends an empty certificate" policyid=5 sessionid=21453 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56494 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2"
- Received a client certificate that fails to validate:
When connecting to the ZTNA access proxy, the client sends a client certificate to the FortiGate for verification, but the certificate fails validation.
Traffic log:
2: date=2021-06-09 time=15:06:47 eventtime=1623276407372012365 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55910 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=16810 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=1 msg="Denied: client certificate authentication failed" utmref=65491-0
UTM log:
1: date=2021-06-09 time=15:06:47 eventtime=1623276407372009447 tz="-0700" logid="2100060501" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" vd="root" msg="Client certificate has security problem" policyid=5 sessionid=16810 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55910 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="cert auth failed, cert-cn:qa.wangd.com, cert-issuer:qa.wangd.com, cert-status:failure "
- API gateway cannot be matched:
When connecting to the ZTNA access proxy, the client tries to connect to an API gateway that does not match any virtual host.
Traffic log:
1: date=2021-06-09 time=15:15:39 eventtime=1623276939601851410 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55974 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17152 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65490-0
UTM log:
2: date=2021-06-09 time=15:15:39 eventtime=1623276939601849940 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17152 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55974 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url (https://qbcd.test.com/test123456) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
- None of the real servers can be reached:
When connecting to the ZTNA access proxy, the client tries to connect to an API gateway but the real server cannot be reached.
Traffic log:
1: date=2021-06-09 time=15:17:49 eventtime=1623277069371491908 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=55988 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17233 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65489-0
UTM log:
2: date=2021-06-09 time=15:17:49 eventtime=1623277069371490614 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17233 srcip=10.1.100.206 dstip=172.18.62.112 srcport=55988 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url (https://qbcd.test.com/test123456) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
- ZTNA rule (proxy policy) cannot be matched:
When connecting to the ZTNA access proxy, no ZTNA rule (proxy policy) can be matched. For example, no ZTNA rule matches the ZTNA tag assigned to the endpoint.
Traffic log:
1: date=2021-06-09 time=15:20:20 eventtime=1623277220133106783 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56010 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17456 proto=6 action="deny" policyid=0 policytype="proxy-policy" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match a proxy-policy" utmref=65488-26
UTM log:
2: date=2021-06-09 time=15:20:20 eventtime=1623277220133105204 tz="-0700" logid="2101060510" type="utm" subtype="ztna" eventtype="ztna-policy-match" level="warning" vd="root" msg="Connection is blocked due to unable to match a proxy-policy" policyid=0 sessionid=17456 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56010 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" gatewayid=1 vip="zv2" accessproxy="zs2"
- HTTPS SNI virtual host does not match the HTTP host header:
Traffic log:
1: date=2021-06-09 time=15:24:25 eventtime=1623277465275004842 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=56040 srcintf="port2" srcintfrole="undefined" dstip=172.18.62.112 dstport=443 dstintf="root" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=17614 proto=6 action="deny" policyid=5 policytype="policy" poluuid="b4d4c466-8b64-51eb-2292-5defbb0e34e5" policyname="ztna" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" utmaction="block" countztna=2 msg="Denied: failed to match an API-gateway" utmref=65486-0
UTM log:
2: date=2021-06-09 time=15:24:25 eventtime=1623277465275003194 tz="-0700" logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" vd="root" msg="Unable to match an API-gateway" policyid=5 sessionid=17614 srcip=10.1.100.206 dstip=172.18.62.112 srcport=56040 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" proto=6 action="blocked" service="HTTPS" vip="zv2" accessproxy="zs2" desc="HTTP url (https://aq4.test.com/) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
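The UTM and traffic records above share a sessionid, which is how a defender ties the ZTNA verdict (eventtype, msg, desc) to the forward traffic record that was denied. The following parser and correlation helpers are an added example written for this page, not FortiGate code; the sample records are constructed, trimmed copies modelled on the log lines shown above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records modelled on the ZTNA log format shown on this page
# (fields trimmed to the ones used here; the leading "N:" counter mirrors device output).
SAMPLE_LOGS = """\
1: date=2021-06-09 time=16:36:54 logid="2100060500" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" msg="Client sends an empty certificate" policyid=5 sessionid=21453 srcip=10.1.100.206 dstip=172.18.62.112 action="blocked" vip="zv2" accessproxy="zs2"
2: date=2021-06-09 time=16:36:54 logid="0000000013" type="traffic" subtype="forward" sessionid=21453 srcip=10.1.100.206 dstip=172.18.62.112 action="deny" policyid=5 utmaction="block" countztna=1 msg="Denied: empty client certificate"
3: date=2021-06-09 time=15:06:47 logid="2100060501" type="utm" subtype="ztna" eventtype="ztna-clt-cert" level="warning" msg="Client certificate has security problem" sessionid=16810 srcip=10.1.100.206 dstip=172.18.62.112 action="blocked" desc="cert auth failed, cert-cn:client.example, cert-status:failure "
4: date=2021-06-09 time=15:15:39 logid="2102060522" type="utm" subtype="ztna" eventtype="ztna-error" level="warning" msg="Unable to match an API-gateway" sessionid=17152 srcip=10.1.100.206 dstip=172.18.62.112 action="blocked" desc="HTTP url (https://app.example/test) failed to match an API-gateway with vhost(name/hostname:_def_virtual_host_/_def_virtual_host_)"
"""

# key=value pairs; a quoted value may contain spaces, colons and parentheses,
# as the desc= field of the ZTNA UTM records does.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict with quotes stripped."""
    line = re.sub(r"^\d+:\s*", "", line.strip())  # drop the "N:" display counter
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def correlate_by_session(lines):
    """Group the ZTNA UTM record and its forward traffic record under one sessionid."""
    sessions = defaultdict(dict)
    for raw in lines:
        rec = parse_fortigate_log(raw)
        if rec.get("subtype") == "ztna":
            sessions[rec["sessionid"]]["utm"] = rec
        elif rec.get("type") == "traffic" and "countztna" in rec:
            sessions[rec["sessionid"]]["traffic"] = rec
    return dict(sessions)


def blocked_ztna_by_source(lines):
    """Count blocked ZTNA UTM events per (srcip, eventtype) so that a client that
    keeps failing certificate checks or hitting unmatched gateways stands out."""
    counts = Counter()
    for raw in lines:
        rec = parse_fortigate_log(raw)
        if rec.get("subtype") == "ztna" and rec.get("action") == "blocked":
            counts[(rec["srcip"], rec["eventtype"])] += 1
    return counts


if __name__ == "__main__":
    for sid, recs in correlate_by_session(SAMPLE_LOGS.splitlines()).items():
        print(sid, recs.get("utm", {}).get("msg", "(no UTM record)"))
    print(blocked_ztna_by_source(SAMPLE_LOGS.splitlines()))
```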
Additionally, SSH Proxy can generate logs during host key validation.
- Host Key untrusted block:
1: date=2021-09-17 time=10:17:26 eventtime=1631899046292010350 tz="-0700" logid="1602061012" type="utm" subtype="ssh" eventtype="ssh-hostkey" level="warning" vd="root" policyid=1 sessionid=166324 srcip=10.1.100.119 srcport=55476 dstip=172.18.62.25 dstport=22 srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" srcuuid="88a8d5b0-4f66-51eb-26a7-cfcffb04b300" proto=6 action="blocked" hostkeystatus="untrusted" fctuid="C7F3ACD19E174AADBB96B2DCF3B75D52" unauthuser="fosqa" unauthusersource="forticlient"