Add IOC detection for local out traffic
Indicator of compromise (IOC) detection for local out traffic helps detect any FortiGate locally-generated traffic that is destined for a known compromised location. The FortiGate will generate an event log to warn administrators of an IOC detection. This feature currently only supports IPv4 traffic.
To log IOC detection in local out traffic:
config log setting
    set local-out {enable | disable}
    set local-out-ioc-detection {enable | disable}
end
These settings are both enabled by default. IOC detection is a VDOM-specific feature, so logging must be enabled on each VDOM.
Sample event log:
In the GUI, go to Log & Report > System Events, click the General System Events card, and click the Details tab.
1: date=2021-12-20 time=16:43:54 eventtime=1640047434839814226 tz="-0800" logid="0100020214" type="event" subtype="system" level="warning" vd="root" logdesc="Locally generated traffic goes to IoC location" srcip=172.16.200.2 srcport=18047 dstip=223.205.1.54 dstport=514 session_id=23563 proto=6
Sample traffic log:
In the GUI, go to Log & Report > Local Traffic.
1: date=2021-12-20 time=16:45:18 eventtime=1640047518959313316 tz="-0800" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=172.16.200.2 srcport=18116 srcintf="unknown-0" srcintfrole="undefined" dstip=223.205.1.54 dstport=514 dstintf="port2" dstintfrole="undefined" srccountry="Reserved" dstcountry="Thailand" sessionid=23632 proto=6 action="timeout" policyid=0 service="tcp/514" trandisp="noop" app="tcp/514" duration=17 sentbyte=240 rcvdbyte=0 sentpkt=4 rcvdpkt=0 appcat="unscanned" dsthwvendor="Fortinet" masterdstmac="e8:1c:ba:c2:86:63" dstmac="e8:1c:ba:c2:86:63" dstserver=0
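As an added example that is not part of the Fortinet documentation, the following Python parser reads the space-separated key=value log format shown above, flags the IOC event log by its logid, and attaches the local traffic record for the same destination. The correlation on VDOM plus dstip:dstport is this example's own heuristic (FortiOS does not join the two logs), and the sample lines are constructed copies of the two logs on this page.

```python
import re

# Constructed sample input: the two log lines shown on this page. The leading
# "N: " is the record prefix from "execute log display", not a log field.
SAMPLE_LOGS = [
    '1: date=2021-12-20 time=16:43:54 eventtime=1640047434839814226 tz="-0800" '
    'logid="0100020214" type="event" subtype="system" level="warning" vd="root" '
    'logdesc="Locally generated traffic goes to IoC location" srcip=172.16.200.2 '
    'srcport=18047 dstip=223.205.1.54 dstport=514 session_id=23563 proto=6',
    '1: date=2021-12-20 time=16:45:18 eventtime=1640047518959313316 tz="-0800" '
    'logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" '
    'srcip=172.16.200.2 srcport=18116 dstip=223.205.1.54 dstport=514 '
    'sessionid=23632 proto=6 action="timeout" policyid=0 service="tcp/514"',
]

# logid of the "Locally generated traffic goes to IoC location" event (from the page).
IOC_LOCAL_OUT_LOGID = "0100020214"

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict of fields, dropping the 'N: ' prefix."""
    line = re.sub(r"^\d+:\s*", "", line.strip())
    fields = {}
    for m in _KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def find_ioc_local_out(lines):
    """Return one alert per IOC local-out event log found in the given lines."""
    records = [parse_fortigate_log(line) for line in lines]
    alerts = []
    for ev in records:
        if ev.get("type") != "event" or ev.get("logid") != IOC_LOCAL_OUT_LOGID:
            continue
        # Heuristic (this example's own): attach local traffic logs from the same
        # VDOM to the same dstip:dstport so the analyst sees service and outcome.
        related = [
            f"session {t.get('sessionid')} {t.get('service')} action={t.get('action')}"
            for t in records if t.get("subtype") == "local" and t.get("vd") == ev.get("vd")
            and (t.get("dstip"), t.get("dstport")) == (ev.get("dstip"), ev.get("dstport"))
        ]
        alerts.append({
            "vdom": ev["vd"], "src": f"{ev['srcip']}:{ev['srcport']}",
            "dst": f"{ev['dstip']}:{ev['dstport']}", "proto": ev.get("proto"),
            "desc": ev.get("logdesc"), "related_traffic": related,
        })
    return alerts
```

Feeding real "execute log display" output or a syslog export line by line to `find_ioc_local_out` yields the same alert structure; only lines with the IOC event logid are reported, since the traffic log carries no IOC marker of its own.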