Include usernames in logs
Usernames can be included in logs, instead of just IP addresses. The benefits of doing this include:
- FortiOS monitors and FortiAnalyzer reports display usernames instead of IP addresses, allowing you to quickly determine who the information pertains to. Without the usernames, it is difficult to correlate the IP addresses with specific users.
- User activity can be correlated across multiple IP addresses. For example, if DHCP is used, a user might receive different IP addresses every day, making it difficult to track a specific user by specifying an IP address as the match criterion.
In this example, a collector agent (CA) is installed on a Windows machine to poll a domain controller (DC) agent (see FSSO for more information). On the FortiGate, an external connector to the CA is configured to receive user groups from the DC agent. The received group or groups are used in a policy, and some examples of the usernames in logs, monitors, and reports are shown.
Install and configure FSSO Agent
To download the FSSO agent:
- Sign in to your FortiCloud account.
- Go to Support > Firmware Download and select the Download tab.
- Browse to the appropriate directory for the version of the FSSO agent that you need to download.
- Click HTTPS to download the appropriate FSSO_Setup file.
To install the FSSO agent:
- Run the FSSO_Setup file with administrator privileges.
- Click Next, accept the terms of the license agreement, and click Next again.
- Select the installation directory, or use the default location, then click Next.
- Enter the User Name and Password, then click Next.
- On the Install Options, select Advanced, then click Next.
- Click Install.
- After the FSSO Agent installs, run Install DC Agent.
- Update the Collector Agent IP address and listening port as needed, then click Next.
- Select the domain, in this example LAB:lab.local, then click Next.
- Set the Working Mode to DC Agent Mode, then click Next to install the agent.
- After the DC agent mode installation finishes, reboot the DC to complete the setup.
To configure the FSSO agent:
- Open the FSSO agent.
- Enable Require authentication from FortiGate and enter a password for FortiGate authentication.
- Click Set Group Filters, and create a default group filter to limit the groups that are sent to the FortiGate.
- Click Save&close.
Configure the FortiGate
Create an external connector to the FSSO agent to receive the AD user groups. Add the user group or groups as the source in a firewall policy to include usernames in traffic logs. Enable security profiles, such as web filter or antivirus, in the policy to include the usernames in UTM logs.
Event logs include usernames when the log is created for a user action or interaction, such as logging in or an SSL VPN connection.
To create an external connector:
- On the FortiGate, go to Security Fabric > External Connectors.
- Click Create New and select FSSO Agent on Windows AD.
- Set the Primary FSSO agent to the previously configured Collector Agent IP address and authentication password.
- Click OK.
The connector shows a green arrow when the connection is established, and a number in the top right indicating the number of AD groups received from the DC agent. Edit the connector to view the user groups.
To configure a policy with an imported user group and web filter in the GUI:
- Go to Policy & Objects > Firewall Policy.
- Edit an existing policy, or create a new one. See Firewall policy for information.
- Add the FSSO group or groups as sources:
  - Click in the Source field.
  - Select the User tab.
  - Select the group or groups.
  - Click Close.
- Under Security Profiles, enable Web Filter and select a profile that monitors or blocks traffic, such as the monitor-all profile. See Web filter for information.
- Click OK.
To configure a policy with an imported user group and web filter in the CLI:
config firewall policy
    edit 0
        set name "LAN to WAN"
        set srcintf "port5"
        set dstintf "port1"
        set action accept
        set srcaddr "LAN"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "monitor-all"
        set logtraffic all
        set nat enable
        set fsso-groups "CN=USERS,DC=LAB,DC=LOCAL"
    next
end
Log, monitor, and report examples
For more information about logs, see the FortiOS Log Message Reference.
Traffic logs:
Without a web filter profile applied:
date=2022-05-24 time=13:50:47 eventtime=1653425447661722283 tz="-0700" logid="0000000015" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.0.11 identifier=0 srcintf="port5" srcintfrole="lan" dstip=192.168.2.200 dstintf="port1" dstintfrole="wan" srccountry="Reserved" dstcountry="Reserved" sessionid=708558 proto=1 action="start" policyid=15 policytype="policy" poluuid="5bf426fe-794b-51ec-dedf-4318a843c5b5" policyname="LAN to WAN" user="USER2" authserver="Corp_Users" service="PING" trandisp="snat" transip=192.168.2.99 transport=0 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
With a web filter profile applied:
date=2022-05-25 time=12:16:54 id=7101754911016091650 itime=2022-05-25 12:16:07 euid=1039 epid=1037 dsteuid=3 dstepid=101 type=traffic subtype=forward level=notice action=close utmaction=allow policyid=15 sessionid=683 srcip=10.1.0.11 dstip=104.26.1.188 transip=192.168.2.99 srcport=64494 dstport=443 transport=64494 trandisp=snat duration=7 proto=6 sentbyte=1855 rcvdbyte=18631 sentpkt=16 rcvdpkt=21 logid=0000000013 user=USER2 group=CN=USERS,DC=LAB,DC=LOCAL service=HTTPS app=HTTPS appcat=unscanned srcintfrole=lan dstintfrole=wan srcserver=0 policytype=policy eventtime=1653506215490475553 countweb=1 poluuid=5bf426fe-794b-51ec-dedf-4318a843c5b5 srcmac=00:0c:29:5e:f5:25 mastersrcmac=00:0c:29:5e:f5:25 srchwvendor=VMware srchwversion=Workstation pro srcfamily=Virtual Machine srcswversion=10 devtype=Server osname=Windows srccountry=Reserved dstcountry=United States srcintf=port5 dstintf=port1 authserver=Corp_Users policyname=LAN to WAN hostname=www.yellow.com catdesc=Reference tz=-0700 devid=FGVM01TM22000459 vd=root dtime=2022-05-25 12:16:54 itime_t=1653506167
UTM log:
date=2022-05-25 time=12:16:46 id=7101754876656353280 itime=2022-05-25 12:15:59 euid=1039 epid=1037 dsteuid=3 dstepid=101 type=utm subtype=webfilter level=notice action=passthrough sessionid=683 policyid=15 srcip=10.1.0.11 dstip=104.26.1.188 srcport=64494 dstport=443 proto=6 cat=39 logid=0317013312 service=HTTPS user=USER2 group=CN=USERS,DC=LAB,DC=LOCAL eventtime=1653506207694977460 sentbyte=548 rcvdbyte=0 srcintfrole=lan dstintfrole=wan direction=outgoing method=domain reqtype=direct url=https://www.yellow.com/ hostname=www.yellow.com profile=default catdesc=Reference eventtype=ftgd_allow srcintf=port5 dstintf=port1 authserver=Corp_Users msg=URL belongs to an allowed category in policy tz=-0700 srcuuid=41cad638-794b-51ec-a8c9-8128712cb495 dstuuid=e1067f08-8e38-51eb-4b07-64f219140388 policytype=policy srccountry=Reserved dstcountry=United States poluuid=5bf426fe-794b-51ec-dedf-4318a843c5b5 devid=FGVM01TM22000459 vd=root dtime=2022-05-25 12:16:46 itime_t=1653506159
Event log:
date=2019-05-13 time=11:20:54 logid="0100032001" type="event" subtype="system" level="information" vd="vdom1" eventtime=1557771654587081441 logdesc="Admin login successful" sn="1557771654" user="admin" ui="ssh(172.16.1.1)" method="ssh" srcip=172.16.200.254 dstip=172.16.200.2 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from ssh(172.16.200.254)"
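The log samples above appear in two layouts: the FortiOS form with quoted values (user="USER2") and the FortiAnalyzer form with unquoted values that may contain spaces or '=' (policyname=LAN to WAN, group=CN=USERS,DC=LAB,DC=LOCAL). The following parser, an added example that is not part of the Fortinet documentation, handles both and then groups source IPs by username, which is the correlation benefit described at the top of the page. The sample log lines are constructed, shortened versions of the ones shown above.

```python
import re
from collections import defaultdict

# A field key is a token such as srcip, policyname or itime_t followed by '='.
_KEY = re.compile(r'\s*([A-Za-z_][\w.-]*)=')
# In the unquoted form a value runs until the next ' key=' token, so values
# like "LAN to WAN" or "CN=USERS,DC=LAB,DC=LOCAL" survive intact.
_NEXT_KEY = re.compile(r'\s[A-Za-z_][\w.-]*=')

def parse_log(line: str) -> dict:
    """Return the key=value fields of one FortiOS/FortiAnalyzer log line."""
    fields = {}
    pos, n = 0, len(line)
    while pos < n:
        m = _KEY.match(line, pos)
        if not m:
            break                                   # trailing text: stop
        key, pos = m.group(1), m.end()
        if pos < n and line[pos] == '"':            # quoted value
            end = line.find('"', pos + 1)
            if end == -1:
                end = n                             # unterminated quote
            value, pos = line[pos + 1:end], end + 1
        else:                                       # unquoted value
            nxt = _NEXT_KEY.search(line, pos)
            end = nxt.start() if nxt else n
            value, pos = line[pos:end], end
        fields[key] = value.strip()
    return fields

def srcips_by_user(lines) -> dict:
    """Map each username to the set of source IPs its traffic came from."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_log(line)
        if rec.get("user") and rec.get("srcip"):
            seen[rec["user"]].add(rec["srcip"])
    return dict(seen)

# Constructed samples: one quoted FortiOS line, two unquoted FortiAnalyzer lines.
SAMPLE_LOGS = [
    'date=2022-05-24 time=13:50:47 type="traffic" srcip=10.1.0.11 '
    'policyname="LAN to WAN" user="USER2" authserver="Corp_Users"',
    'date=2022-05-25 time=12:16:54 itime=2022-05-25 12:16:07 type=traffic '
    'srcip=10.1.0.11 user=USER2 group=CN=USERS,DC=LAB,DC=LOCAL '
    'srchwversion=Workstation pro policyname=LAN to WAN tz=-0700',
    'date=2022-05-26 time=09:01:02 type=traffic srcip=10.1.0.37 user=USER2 '
    'group=CN=USERS,DC=LAB,DC=LOCAL msg=URL belongs to an allowed category in policy',
]
```

Running srcips_by_user over the samples shows USER2 active from both 10.1.0.11 and 10.1.0.37, which an IP-only filter would have reported as two unrelated hosts.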
FortiOS monitors:
The FortiView Web Sites by Bytes monitor shows a list of visited websites. Double-click a specific domain (or manually create a filter), such as microsoft.com, to see a breakdown of the usernames and IP addresses that visited that domain. See Monitors for more information.
FortiAnalyzer reports:
The User Detailed Browsing Log report requires a username or IP address to run. If a username is used, the report includes logs related to that user regardless of their IP address. For example, the following report shows two source IP addresses:
The Web Usage report includes all usernames and IP addresses that match the specified conditions, like most visited categories.
See Reports in the FortiAnalyzer Administration guide for more information.