Introduce learn mode in security policies in NGFW mode

In NGFW mode, administrators can configure a security policy in learn mode to monitor the traffic that passes between its source and destination interfaces. All traffic between those interfaces is allowed and logged, so learn mode observes but does not block. Learn mode marks the resulting traffic and UTM logs with policymode="learn" and a learn- prefix in the profile field (for example, learn-av, learn-ips, learn-webf); FortiAnalyzer and the Policy Analyzer Management Extension Application (MEA) that is available with FortiManager use these markers to identify learn-mode traffic.

Note

When enabled on FortiManager, Policy Analyzer MEA works with security policies in learning mode to analyze logs sent from a managed FortiGate to FortiAnalyzer. Based on the analyzed traffic, FortiManager administrators can choose to automatically create a policy in FortiManager for the managed FortiGate. For more information about Policy Analyzer MEA, see the Policy Analyzer Administration Guide.

The following limitations apply when learn mode is enabled in a security policy:

  • Only interfaces with device-identification enabled can be used as source interfaces in a security policy with learning mode enabled.
  • The incoming and outgoing interfaces cannot be set to any.
  • Internet service is not supported.
  • NAT46 and NAT64 are not supported.
  • Users and groups are not supported.
  • Some negate options are not supported.

To enable learn mode in the GUI:
  1. Enable policy-based NGFW mode:

    1. Go to System > Settings.

    2. Set the NGFW Mode to Policy-based and click Apply.

  2. Go to Policy & Objects > Security Policy, and open a security policy for editing.

  3. Set the Policy Mode to Learn Mode.

  4. Select an Incoming Interface.

  5. Select an Outgoing Interface.

  6. (Optional) Type a comment in the Comments box.

  7. Toggle on Enable this policy.

  8. Click OK to save the security policy.

To enable learn mode in the CLI:
  1. Enable policy-based NGFW mode:

    config system settings
        set ngfw-mode policy-based
    end
    
  2. Enable learn mode in a security policy:

    config firewall security-policy
        edit <id>
            set learning-mode enable
        next
    end

To view learn mode fields in logs in the CLI:
  1. Filter and view fields in traffic logs:

    # execute log filter category 0
    # execute log display
    1 logs found.
    1 logs returned.
    1: date=2022-03-21 time=10:21:11 eventtime=1647883271150012188 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.41 srcport=43296 srcintf="port24" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="port17" dstintfrole="wan" srccountry="Reserved" dstcountry="Reserved" sessionid=33934 proto=6 policymode="learn" action="accept" policyid=99 policytype="security-policy" poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policyname="Security-policy-99" centralnatid=3 service="HTTP" trandisp="snat" transip=172.16.200.9 transport=43296 duration=1 sentbyte=412 rcvdbyte=529 sentpkt=6 rcvdpkt=4 appid=15893 app="HTTP.BROWSER" appcat="Web.Client" apprisk="medium" utmaction="allow" countweb=1 countav=1 countips=3 countapp=1 crscore=50 craction=2 srchwvendor="VMware" devtype="Computer" osname="Debian" mastersrcmac="00:0c:29:b5:92:8d" srcmac="00:0c:29:b5:92:8d" srcserver=0 utmref=65534-0

  2. Filter and view fields in UTM logs:

    # execute log filter category 2
    # execute log display
    1 logs found.
    1 logs returned.
    1: date=2022-03-21 time=10:21:09 eventtime=1647883270101403283 tz="-0700" logid="0211008193" type="utm" subtype="virus" eventtype="infected" level="notice" vd="root" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" msg="File is infected." action="monitored" service="HTTP" sessionid=33934 srcip=10.1.100.41 dstip=172.16.200.55 srcport=43296 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.55/virus/eicar.com" profile="learn-av" agent="curl/7.35.0" httpmethod="GET" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical" rawdata="Response-Content-Type=application/x-msdos-program"

  3. Filter and view fields in UTM-IPS logs:

    # execute log filter category 4
    # execute log display
    3 logs found.
    3 logs returned.
    1: date=2022-03-21 time=10:21:09 eventtime=1647883270101485354 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.100.41 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" sessionid=33934 action="detected" proto=6 service="HTTP" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" attack="Eicar.Virus.Test.File" srcport=43296 dstport=80 agent="curl/7.35.0" httpmethod="GET" direction="incoming" attackid=29844 profile="learn-ips" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=158335134 attackcontextid="2/2" attackcontext="YW0NCg0KWDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo8L1BBQ0tFVD4="
    2: date=2022-03-21 time=10:21:09 eventtime=1647883270101484791 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.100.41 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" sessionid=33934 action="detected" proto=6 service="HTTP" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" attack="Eicar.Virus.Test.File" srcport=43296 dstport=80 agent="curl/7.35.0" httpmethod="GET" direction="incoming" attackid=29844 profile="learn-ips" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=158335134 attackcontextid="1/2" attackcontext="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"
    3: date=2022-03-21 time=10:21:09 eventtime=1647883270101483279 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.100.41 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port24" srcintfrole="undefined" dstintf="port17" dstintfrole="wan" sessionid=33934 action="detected" proto=6 service="HTTP" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" attack="Eicar.Virus.Test.File" srcport=43296 dstport=80 hostname="172.16.200.55" url="/virus/eicar.com" agent="curl/7.35.0" httpmethod="GET" direction="incoming" attackid=29844 profile="learn-ips" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=158335134 msg="file_transfer: Eicar.Virus.Test.File" attackcontextid="0/2" rawdataid="1/1" rawdata="Response-Content-Type=application/x-msdos-program"

  4. Filter and view fields in UTM-webfilter logs:

    # execute log filter category 3
    # execute log display
    2 logs found.
    2 logs returned.
    2: date=2022-03-21 time=10:21:09 eventtime=1647883270100329681 tz="-0700" logid="0319013317" type="utm" subtype="webfilter" eventtype="urlmonitor" level="notice" vd="root" policyid=99 poluuid="6e3f7f54-a932-51ec-73ba-8282cfd0b73c" policytype="security-policy" policymode="learn" sessionid=33934 srcip=10.1.100.41 srcport=43296 srccountry="Reserved" srcintf="port24" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstcountry="Reserved" dstintf="port17" dstintfrole="wan" proto=6 httpmethod="GET" service="HTTP" hostname="172.16.200.55" agent="curl/7.35.0" profile="learn-webf" action="passthrough" reqtype="direct" url="http://172.16.200.55/virus/eicar.com" sentbyte=92 rcvdbyte=0 direction="outgoing" msg="URL has been visited" ratemethod="domain" cat=255 catdesc="Unknown"
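The log records above show what a consumer such as FortiAnalyzer has to work with: a key=value line where policymode="learn" and a learn- profile prefix mark learn-mode traffic, and where AV and IPS hits are only monitored or detected, never blocked. The following is an added example, not Fortinet code, of how a defender could parse such lines offline, separate learn-mode records from ordinary policy traffic, aggregate the allowed flows into candidate policy tuples, and list the threats that passed because the policy was only learning. The sample records are constructed and abbreviated from the log lines shown on this page; the field names are the ones those lines use.

```python
import re
from collections import Counter

# Constructed sample records in FortiGate key=value log format, abbreviated from the
# traffic, AV and IPS lines shown on this page. The last record is a constructed
# non-learn policy record (no policymode="learn") and must be ignored.
SAMPLE_LOGS = [
    'date=2022-03-21 time=10:21:11 type="traffic" subtype="forward" srcip=10.1.100.41 srcintf="port24" '
    'dstip=172.16.200.55 dstport=80 dstintf="port17" policymode="learn" action="accept" policyid=99 '
    'service="HTTP" app="HTTP.BROWSER" utmaction="allow" countav=1 countips=3',
    'date=2022-03-21 time=10:21:09 type="utm" subtype="virus" policyid=99 policymode="learn" '
    'msg="File is infected." action="monitored" profile="learn-av" virus="EICAR_TEST_FILE"',
    'date=2022-03-21 time=10:21:09 type="utm" subtype="ips" policyid=99 policymode="learn" '
    'action="detected" profile="learn-ips" attack="Eicar.Virus.Test.File"',
    'date=2022-03-21 time=10:25:00 type="traffic" subtype="forward" srcip=10.1.100.42 srcintf="port24" '
    'dstip=172.16.200.60 dstport=443 dstintf="port17" action="deny" policyid=7 service="HTTPS"',
]

# key=value pairs; quoted values may contain spaces, unquoted values run to the next space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict of string values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_learn_mode(rec):
    """Learn-mode records carry policymode="learn"; UTM records also use the learn- profile prefix."""
    return rec.get("policymode") == "learn" or rec.get("profile", "").startswith("learn-")


def summarize_learn_traffic(lines):
    """Return (flows, utm_hits): flows counts learn-mode sessions per candidate policy tuple
    (srcintf, dstintf, srcip, dstip, service, app); utm_hits lists AV/IPS events that were
    only monitored or detected because the policy was in learn mode."""
    flows, utm_hits = Counter(), []
    for line in lines:
        rec = parse_fortigate_log(line)
        if not is_learn_mode(rec):
            continue  # ordinary policy traffic is not part of the learning data set
        if rec.get("type") == "traffic":
            flows[(rec["srcintf"], rec["dstintf"], rec["srcip"], rec["dstip"],
                   rec["service"], rec.get("app", ""))] += 1
        elif rec.get("type") == "utm":
            utm_hits.append((rec["policyid"], rec["profile"], rec["subtype"],
                             rec.get("virus") or rec.get("attack"), rec["action"]))
    return flows, utm_hits


if __name__ == "__main__":
    flows, hits = summarize_learn_traffic(SAMPLE_LOGS)
    for tup, n in flows.items():
        print("candidate policy", tup, "sessions:", n)
    for hit in hits:
        print("passed in learn mode (not blocked):", hit)
```

The utm_hits list is the part worth reviewing before promoting a learned policy: every entry is a file or signature that traversed the network while the policy was in learn mode.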