Source and destination UUID logging
The traffic log setting includes three UUID fields: Source UUID (srcuuid), Destination UUID (dstuuid), and Policy UUID (poluuid). It also includes two internet-service
name fields: Source Internet Service (srcinetsvc
) and Destination Internet Service (dstinetsvc
).
Log UUIDs
All policy types have a UUID field that is auto-generated by FortiOS when the policy is created, and can be viewed in the CLI using the show command. For example:
# show firewall policy 1 config firewall policy edit 1 set name "client_yt_v4" set uuid f4fe48a4-938c-51ee-8856-3e84e3b24af4 ... next end
UUIDs can be matched for each source and destination that match a policy that is added to the traffic log. This allows the address objects to be referenced in log analysis and reporting.
As this may consume a significant amount of storage space, this feature is optional. By default, address UUID insertion is disabled.
To enable address UUID insertion in traffic logs in the GUI:
-
Go to Log & Report > Log Settings.
-
Under UUIDs in Traffic Log, enable Address.
-
Click Apply.
To enable address UUID insertion in traffic logs in the CLI:
config system global set log-uuid-address enable end
Sample log
date=2019-01-25 time=11:32:55 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1528223575srcip=192.168.1.183 srcname="PC24" srcport=33709 srcintf="lan" srcintfrole="lan" dstip=192.168.70.184 dstport=80 dstintf="wan1" dstintfrole="wan" srcuuid="27dd503e 883c 51e7-ade1-7e015d46494f" dstuuid="27dd503e-883c-51e7-ade1-7e015d46494f" poluuid="9e0fe24c-1808-51e8-1257-68ce4245572c" sessionid=5181 proto=6 action="client-rst" policyid=4 policytype="policy" service="HTTP" trandisp="snat" transip=192.168.70.228 transport=33709 appid=38783 app="Wget" appcat="General.Interest" apprisk="low" applist="default" duration=5 sentbyte=450 rcvdbyte=2305 sentpkt=6 wanin=368 wanout=130 lanin=130 lanout=130 utmaction="block" countav=2 countapp=1 crscore=50 craction=2 devtype="Linux PC" devcategory="None" osname="Linux" mastersrcmac="00:0c:29:36:5c:c3" srcmac="00:0c:29:36:5c:c3" srcserver=0 utmref=65523-1018
Internet service name fields
Traffic logs for internet-service
include two fields: Source Internet Service and Destination Internet Service.
To view the internet service fields using the GUI:
- Go to Log & Report > Forward Traffic.
- Double-click on an entry to view the Log Details. The Source Internet Service and Destination Internet Service fields are visible in the Log Details pane.
Sample log
date=2019-01-25 time=14:17:04 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1548454622 srcip=10.1.100.11 srcport=51112 srcintf="port3" srcintfrole="undefined" dstip=172.217.14.228 dstport=80 dstintf="port1" dstintfrole="undefined" poluuid="af519380-2094-51e9-391c-b78e8edbddfc" srcinetsvc="isdb-875099" dstinetsvc="Google.Gmail" sessionid=6930 proto=6 action="close" policyid=2 policytype="policy" service="HTTP" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=51112 duration=11 sentbyte=398 rcvdbyte=756 sentpkt=6 rcvdpkt=4 appcat="unscanned" devtype="Router/NAT Device" devcategory="Fortinet Device" mastersrcmac="90:6c:ac:41:7a:24" srcmac="90:6c:ac:41:7a:24" srcserver=0 dstdevtype="Unknown" dstdevcategory="Fortinet Device" masterdstmac="08:5b:0e:1f:ed:ed" dstmac="08:5b:0e:1f:ed:ed" dstserver=0