Fortinet white logo
Fortinet white logo

Administration Guide

Source and destination UUID logging

Source and destination UUID logging

The traffic log setting includes three UUID fields: Source UUID (srcuuid), Destination UUID (dstuuid), and Policy UUID (poluuid). It also includes two internet-service name fields: Source Internet Service (srcinetsvc) and Destination Internet Service (dstinetsvc).

Log UUIDs

All policy types have a UUID field that is auto-generated by FortiOS when the policy is created, and can be viewed in the CLI using the show command. For example:

# show firewall policy 1
config firewall policy
    edit 1
        set name "client_yt_v4"
        set uuid f4fe48a4-938c-51ee-8856-3e84e3b24af4
        ...
    next
end

UUIDs can be matched for each source and destination that match a policy that is added to the traffic log. This allows the address objects to be referenced in log analysis and reporting.

As this may consume a significant amount of storage space, this feature is optional. By default, address UUID insertion is disabled.

To enable address UUID insertion in traffic logs in the GUI:
  1. Go to Log & Report > Log Settings.

  2. Under UUIDs in Traffic Log, enable Address.

  3. Click Apply.

To enable address UUID insertion in traffic logs in the CLI:
config system global	
   set log-uuid-address enable
end
Sample log
date=2019-01-25 time=11:32:55 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1528223575srcip=192.168.1.183 srcname="PC24" srcport=33709 srcintf="lan" srcintfrole="lan" dstip=192.168.70.184 dstport=80 dstintf="wan1" dstintfrole="wan" srcuuid="27dd503e 883c 51e7-ade1-7e015d46494f" dstuuid="27dd503e-883c-51e7-ade1-7e015d46494f" poluuid="9e0fe24c-1808-51e8-1257-68ce4245572c" sessionid=5181 proto=6 action="client-rst" policyid=4 policytype="policy" service="HTTP" trandisp="snat" transip=192.168.70.228 transport=33709 appid=38783 app="Wget" appcat="General.Interest" apprisk="low" applist="default" duration=5 sentbyte=450 rcvdbyte=2305 sentpkt=6 wanin=368 wanout=130 lanin=130 lanout=130 utmaction="block" countav=2 countapp=1 crscore=50 craction=2 devtype="Linux PC" devcategory="None" osname="Linux" mastersrcmac="00:0c:29:36:5c:c3" srcmac="00:0c:29:36:5c:c3" srcserver=0 utmref=65523-1018

Internet service name fields

Traffic logs for internet-service include two fields: Source Internet Service and Destination Internet Service.

To view the internet service fields using the GUI:
  1. Go to Log & Report > Forward Traffic.
  2. Double-click on an entry to view the Log Details. The Source Internet Service and Destination Internet Service fields are visible in the Log Details pane.

Sample log
date=2019-01-25 time=14:17:04 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1548454622
srcip=10.1.100.11 srcport=51112 srcintf="port3" srcintfrole="undefined" dstip=172.217.14.228 dstport=80 dstintf="port1" dstintfrole="undefined" poluuid="af519380-2094-51e9-391c-b78e8edbddfc" srcinetsvc="isdb-875099" dstinetsvc="Google.Gmail" sessionid=6930 proto=6 action="close" policyid=2 policytype="policy" service="HTTP" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=51112 duration=11 sentbyte=398 rcvdbyte=756 sentpkt=6 rcvdpkt=4 appcat="unscanned" devtype="Router/NAT Device" devcategory="Fortinet Device" mastersrcmac="90:6c:ac:41:7a:24" srcmac="90:6c:ac:41:7a:24" srcserver=0 dstdevtype="Unknown" dstdevcategory="Fortinet Device" masterdstmac="08:5b:0e:1f:ed:ed" dstmac="08:5b:0e:1f:ed:ed" dstserver=0

Source and destination UUID logging

Source and destination UUID logging

The traffic log setting includes three UUID fields: Source UUID (srcuuid), Destination UUID (dstuuid), and Policy UUID (poluuid). It also includes two internet-service name fields: Source Internet Service (srcinetsvc) and Destination Internet Service (dstinetsvc).

Log UUIDs

All policy types have a UUID field that is auto-generated by FortiOS when the policy is created, and can be viewed in the CLI using the show command. For example:

# show firewall policy 1
config firewall policy
    edit 1
        set name "client_yt_v4"
        set uuid f4fe48a4-938c-51ee-8856-3e84e3b24af4
        ...
    next
end

UUIDs can be matched for each source and destination that match a policy that is added to the traffic log. This allows the address objects to be referenced in log analysis and reporting.

As this may consume a significant amount of storage space, this feature is optional. By default, address UUID insertion is disabled.

To enable address UUID insertion in traffic logs in the GUI:
  1. Go to Log & Report > Log Settings.

  2. Under UUIDs in Traffic Log, enable Address.

  3. Click Apply.

To enable address UUID insertion in traffic logs in the CLI:
config system global	
   set log-uuid-address enable
end
Sample log
date=2019-01-25 time=11:32:55 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1528223575srcip=192.168.1.183 srcname="PC24" srcport=33709 srcintf="lan" srcintfrole="lan" dstip=192.168.70.184 dstport=80 dstintf="wan1" dstintfrole="wan" srcuuid="27dd503e 883c 51e7-ade1-7e015d46494f" dstuuid="27dd503e-883c-51e7-ade1-7e015d46494f" poluuid="9e0fe24c-1808-51e8-1257-68ce4245572c" sessionid=5181 proto=6 action="client-rst" policyid=4 policytype="policy" service="HTTP" trandisp="snat" transip=192.168.70.228 transport=33709 appid=38783 app="Wget" appcat="General.Interest" apprisk="low" applist="default" duration=5 sentbyte=450 rcvdbyte=2305 sentpkt=6 wanin=368 wanout=130 lanin=130 lanout=130 utmaction="block" countav=2 countapp=1 crscore=50 craction=2 devtype="Linux PC" devcategory="None" osname="Linux" mastersrcmac="00:0c:29:36:5c:c3" srcmac="00:0c:29:36:5c:c3" srcserver=0 utmref=65523-1018

Internet service name fields

Traffic logs for internet-service include two fields: Source Internet Service and Destination Internet Service.

To view the internet service fields using the GUI:
  1. Go to Log & Report > Forward Traffic.
  2. Double-click on an entry to view the Log Details. The Source Internet Service and Destination Internet Service fields are visible in the Log Details pane.

Sample log
date=2019-01-25 time=14:17:04 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1548454622
srcip=10.1.100.11 srcport=51112 srcintf="port3" srcintfrole="undefined" dstip=172.217.14.228 dstport=80 dstintf="port1" dstintfrole="undefined" poluuid="af519380-2094-51e9-391c-b78e8edbddfc" srcinetsvc="isdb-875099" dstinetsvc="Google.Gmail" sessionid=6930 proto=6 action="close" policyid=2 policytype="policy" service="HTTP" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=51112 duration=11 sentbyte=398 rcvdbyte=756 sentpkt=6 rcvdpkt=4 appcat="unscanned" devtype="Router/NAT Device" devcategory="Fortinet Device" mastersrcmac="90:6c:ac:41:7a:24" srcmac="90:6c:ac:41:7a:24" srcserver=0 dstdevtype="Unknown" dstdevcategory="Fortinet Device" masterdstmac="08:5b:0e:1f:ed:ed" dstmac="08:5b:0e:1f:ed:ed" dstserver=0