Fortinet black logo

Administration Guide

Destination user information in UTM logs

Destination user information in UTM logs

The dstuser field in UTM logs records the username of a destination device when that user has been authenticated on the FortiGate.

In the following example topology, the user, bob, is authenticated on a client computer. The user, guest, is authenticated on the server. Log are collected for AV and IPS in flow inspection mode. Logs are collected for application control and web filter in proxy mode.

To configure the RADIUS user and user groups:
  1. Configure the RADIUS server:
    config user radius
        edit "Ubuntu_docker"
            set server "172.16.200.240"
            set secret ************
        next
    end
  2. Configure the local user:
    config user local
        edit "guest"
            set type password
            set passwd ************
        next
    end
  3. Configure the RADIUS user groups:
    config user group
        edit "RADIUS_User_Group"
            set member "Ubuntu_docker"
        next
        edit "Local_User"
            set member "guest"
        next
    end

Flow inspection mode

To verify AV and IPS logs in flow mode:
  1. Configure the firewall policies:
    config firewall policy
        edit 1
            set name "WAN_out"
            set srcintf "dmz"
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set av-profile "g-default"
            set ips-sensor "sensor-11"
            set nat enable
            set groups "RADIUS_User_Group" "Local_User"
        next
        edit 3
            set name "WAN_in"
            set srcintf "wan1"
            set dstintf "dmz"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
            set groups "RADIUS_User_Group" "Local_User"
        next
    end
  2. Verify the AV log:
    date=2021-09-14 time=16:37:25 eventtime=1631662646131356720 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 msg="File is infected." action="blocked" service="HTTP" sessionid=4613 srcip=10.1.100.72 dstip=172.16.200.75 srcport=60086 dstport=80 srcintf="dmz" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" srcuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" dstuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.75/eicar.com" profile="g-default" user="bob" group="RADIUS_User_Group" authserver="Ubuntu_docker" dstuser="guest" agent="Wget/1.17.1" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
  3. Verify the IPS log:
    date=2021-09-14 time=16:56:06 eventtime=1631663765992499880 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.72 srccountry="Reserved" dstip=172.16.200.75 srcintf="dmz" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" sessionid=7881 action="dropped" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=60092 dstport=80 direction="incoming" attackid=29844 profile="sensor-11" ref="http://www.fortinet.com/ids/VID29844" user="bob" group="RADIUS_User_Group" authserver="Ubuntu_docker" dstuser="guest" incidentserialno=17825794 attackcontextid="2/2" attackcontext="dGVudC1MZW5ndGg6IDY4DQpLZWVwLUFsaXZlOiB0aW1lb3V0PTUsIG1heD0xMDANCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC1tc2Rvcy1wcm9ncmFtDQoNClg1TyFQJUBBUFs0XFBaWDU0KFBeKTdDQyk3fSRFSUNBUi1TVEFOREFSRC1BTlRJVklSVVMtVEVTVC1GSUxFISRIK0gqPC9QQUNLRVQ+"

Proxy inspection mode

To verify application control and web filter logs in proxy mode:
  1. Configure the firewall policies:
    config firewall policy
        edit 1
            set name "WAN_out"
            set srcintf "dmz"
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set av-profile "g-default"
            set application-list "g-default"
            set webfilter-profile "1"
            set nat enable
            set groups "RADIUS_User_Group" "Local_User"
        next
        edit 3
            set name "WAN_in"
            set srcintf "wan1"
            set dstintf "dmz"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
            set groups "RADIUS_User_Group" "Local_User"
        next
    end
  2. Verify the application control log:
    date=2021-09-14 time=17:05:45 eventtime=1631664345570951500 tz="-0700" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vdom1" appid=38783 user="bob" group="RADIUS_User_Group" authserver="Ubuntu_docker" dstuser="guest" srcip=10.1.100.72 dstip=172.16.200.75 srcport=60098 dstport=80 srcintf="dmz" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 sessionid=10871 applist="g-default" action="pass" appcat="General.Interest" app="Wget" hostname="172.16.200.75" incidentserialno=17825796 url="/eicar.com" msg="General.Interest: Wget," apprisk="low"
  3. Verify the web filter log:
    date=2021-09-14 time=17:14:46 eventtime=1631664886585770420 tz="-0700" logid="0315012546" type="utm" subtype="webfilter" eventtype="urlfilter" level="information" vd="vdom1" urlfilteridx=1 urlfilterlist="Auto-webfilter-urlfilter_caex0ojl5" policyid=1 sessionid=15251 user="bob" group="RADIUS_User_Group" authserver="Ubuntu_docker" dstuser="guest" srcip=10.1.100.72 srcport=60106 srcintf="dmz" srcintfrole="undefined" srcuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" dstip=172.16.200.75 dstport=80 dstintf="wan1" dstintfrole="undefined" dstuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" proto=6 service="HTTP" hostname="172.16.200.75" profile="1" action="passthrough" reqtype="direct" url="http://172.16.200.75/eicar.com" sentbyte=149 rcvdbyte=0 direction="outgoing" msg="URL was allowed because it is in the URL filter list"

Destination user information in UTM logs

The dstuser field in UTM logs records the username of a destination device when that user has been authenticated on the FortiGate.

In the following example topology, the user, bob, is authenticated on a client computer. The user, guest, is authenticated on the server. Log are collected for AV and IPS in flow inspection mode. Logs are collected for application control and web filter in proxy mode.

To configure the RADIUS user and user groups:
  1. Configure the RADIUS server:
    config user radius
        edit "Ubuntu_docker"
            set server "172.16.200.240"
            set secret ************
        next
    end
  2. Configure the local user:
    config user local
        edit "guest"
            set type password
            set passwd ************
        next
    end
  3. Configure the RADIUS user groups:
    config user group
        edit "RADIUS_User_Group"
            set member "Ubuntu_docker"
        next
        edit "Local_User"
            set member "guest"
        next
    end

Flow inspection mode

To verify AV and IPS logs in flow mode:
  1. Configure the firewall policies:
    config firewall policy
        edit 1
            set name "WAN_out"
            set srcintf "dmz"
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set av-profile "g-default"
            set ips-sensor "sensor-11"
            set nat enable
            set groups "RADIUS_User_Group" "Local_User"
        next
        edit 3
            set name "WAN_in"
            set srcintf "wan1"
            set dstintf "dmz"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
            set groups "RADIUS_User_Group" "Local_User"
        next
    end
  2. Verify the AV log:
    date=2021-09-14 time=16:37:25 eventtime=1631662646131356720 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" policyid=1 msg="File is infected." action="blocked" service="HTTP" sessionid=4613 srcip=10.1.100.72 dstip=172.16.200.75 srcport=60086 dstport=80 srcintf="dmz" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" srcuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" dstuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.75/eicar.com" profile="g-default" user="bob" group="RADIUS_User_Group" authserver="Ubuntu_docker" dstuser="guest" agent="Wget/1.17.1" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
  3. Verify the IPS log:
    date=2021-09-14 time=16:56:06 eventtime=1631663765992499880 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.72 srccountry="Reserved" dstip=172.16.200.75 srcintf="dmz" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" sessionid=7881 action="dropped" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=60092 dstport=80 direction="incoming" attackid=29844 profile="sensor-11" ref="http://www.fortinet.com/ids/VID29844" user="bob" group="RADIUS_User_Group" authserver="Ubuntu_docker" dstuser="guest" incidentserialno=17825794 attackcontextid="2/2" attackcontext="dGVudC1MZW5ndGg6IDY4DQpLZWVwLUFsaXZlOiB0aW1lb3V0PTUsIG1heD0xMDANCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC1tc2Rvcy1wcm9ncmFtDQoNClg1TyFQJUBBUFs0XFBaWDU0KFBeKTdDQyk3fSRFSUNBUi1TVEFOREFSRC1BTlRJVklSVVMtVEVTVC1GSUxFISRIK0gqPC9QQUNLRVQ+"

Proxy inspection mode

To verify application control and web filter logs in proxy mode:
  1. Configure the firewall policies:
    config firewall policy
        edit 1
            set name "WAN_out"
            set srcintf "dmz"
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection"
            set av-profile "g-default"
            set application-list "g-default"
            set webfilter-profile "1"
            set nat enable
            set groups "RADIUS_User_Group" "Local_User"
        next
        edit 3
            set name "WAN_in"
            set srcintf "wan1"
            set dstintf "dmz"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
            set groups "RADIUS_User_Group" "Local_User"
        next
    end
  2. Verify the application control log:
    date=2021-09-14 time=17:05:45 eventtime=1631664345570951500 tz="-0700" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="vdom1" appid=38783 user="bob" group="RADIUS_User_Group" authserver="Ubuntu_docker" dstuser="guest" srcip=10.1.100.72 dstip=172.16.200.75 srcport=60098 dstport=80 srcintf="dmz" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 sessionid=10871 applist="g-default" action="pass" appcat="General.Interest" app="Wget" hostname="172.16.200.75" incidentserialno=17825796 url="/eicar.com" msg="General.Interest: Wget," apprisk="low"
  3. Verify the web filter log:
    date=2021-09-14 time=17:14:46 eventtime=1631664886585770420 tz="-0700" logid="0315012546" type="utm" subtype="webfilter" eventtype="urlfilter" level="information" vd="vdom1" urlfilteridx=1 urlfilterlist="Auto-webfilter-urlfilter_caex0ojl5" policyid=1 sessionid=15251 user="bob" group="RADIUS_User_Group" authserver="Ubuntu_docker" dstuser="guest" srcip=10.1.100.72 srcport=60106 srcintf="dmz" srcintfrole="undefined" srcuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" dstip=172.16.200.75 dstport=80 dstintf="wan1" dstintfrole="undefined" dstuuid="877d43a4-c2f9-51eb-f78f-e09794924d8a" proto=6 service="HTTP" hostname="172.16.200.75" profile="1" action="passthrough" reqtype="direct" url="http://172.16.200.75/eicar.com" sentbyte=149 rcvdbyte=0 direction="outgoing" msg="URL was allowed because it is in the URL filter list"