Fortinet 4.0 MR1 FortiGate User Guide


Logging and reporting in FortiOS 4.0

Version 4.0 MR1

User Guide

24 August 2009

01-410-82625-20090824

© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of

Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents


Introduction .............................................................................................. 7

Before you begin............................................................................................................. 7

How this guide is organized........................................................................................ 7

Document conventions .................................................................................................. 8

IP addresses............................................................................................................... 8

Cautions, Notes and Tips ........................................................................................... 8

Typographical conventions ......................................................................................... 8

CLI command syntax ................................................................................................ 10

Registering your Fortinet product............................................................................... 11

Fortinet products End User License Agreement ....................................................... 11

Customer service and technical support.................................................................... 11

Training .......................................................................................................................... 11

Fortinet documentation ............................................................................................... 12

Tools and Documentation CD................................................................................... 12

Fortinet Knowledge Base ......................................................................................... 12

Comments on Fortinet technical documentation ..................................................... 12

Logging practices in FortiOS 4.0.......................................................... 13

About logging................................................................................................................ 13

Logging FortiGate features .......................................................................................... 14

Log devices ................................................................................................................... 14

System memory........................................................................................................ 14

Local disk or AMC disks ........................................................................................... 15

Structured Query Language (SQL) database on a FortiGate unit’s hard disk ... 15

FortiAnalyzer unit...................................................................................................... 15

FortiGuard Analysis server ....................................................................................... 15

Syslog server ............................................................................................................ 16

NetIQ WebTrends server.......................................................................................... 16

Backup solutions for logging ...................................................................................... 16

FortiGate units with hard disks and AMC hard disks ......................................... 16

FortiAnalyzer unit ............................................................................................... 17

Syslog server ..................................................................................................... 17

NetIQ WebTrends server backup solution ......................................................... 17

Configuring log devices ........................................................................ 19

Logging to the FortiGate unit’s system memory ....................................................... 20

Logging to the FortiGate unit’s hard disk................................................................... 20

Logging to the FortiGate unit’s SQL database.......................................................... 21

Logging and reporting in FortiOS 4.0 User Guide

01-410-82625-20090824

http://docs.fortinet.com/

Feedback

3


Logging to a FortiAnalyzer unit ................................................................................... 21

Testing the FortiAnalyzer configuration .................................................................... 22

Connecting to a FortiAnalyzer unit using Automatic Discovery ................................ 22

Logging to a FortiGuard Analysis server ................................................................... 22

Logging to a Syslog server .......................................................................................... 23

Logging to a WebTrends server .................................................................................. 23

Example ............................................................................................................. 24

Logging to multiple FortiAnalyzer units or Syslog servers ...................................... 24

Configuring multiple FortiAnalyzer units ................................................................... 24

Configuring multiple Syslog servers ......................................................................... 25

Logging in FortiOS 4.0........................................................................... 27

FortiGate log types and subtypes ............................................................................... 27

Log severity levels ........................................................................................................ 29

Enabling logging of FortiGate features....................................................................... 29

Firewall policy traffic logging..................................................................................... 30

Event logging ............................................................................................................ 30

Data Leak Prevention logging................................................................................... 31

Application control logging........................................................................................ 31

Antivirus logging ....................................................................................................... 32

Web Filter logging..................................................................................................... 32

Attack logging ........................................................................................................... 32

Spam filter logging .................................................................................................... 33

DLP archiving ........................................................................................................... 33

Configuring an alert email message ........................................................................... 34

Viewing quarantined files............................................................................................. 35

FortiGate log messages ........................................................................ 37

Explanation of log messages....................................................................................... 37

Traffic log messages .................................................................................................... 38

Event log messages...................................................................................................... 40

DLP Archive logs .......................................................................................................... 41

Antivirus log messages................................................................................................ 43

WebFilter log messages ............................................................................................... 45

Attack log messages .................................................................................................... 47

Antispam log messages ............................................................................................... 49

DLP log message .......................................................................................................... 51

Application control log message................................................................................. 53


Configuring reports in FortiOS 4.0 ....................................................... 57

Configuring reports ...................................................................................................... 57

Configuring basic traffic reports (FortiGate system memory only)............................ 57

Configuring FortiAnalyzer reports ............................................................................. 60

Configuring SQL database reports ........................................................................... 62

Viewing FortiAnalyzer reports ..................................................................................... 63

Index........................................................................................................ 65


Introduction

This guide explains how to choose a log device for your logging requirements, describes the types of log files, shows how to configure your chosen log device, and gives detailed explanations of the log messages of each log type.

Logging is an integral component of the FortiGate system. Logging allows you to view the activity and status of the traffic passing through your network, and monitor for anomalies.

This chapter includes the following topics:

Before you begin

Document conventions

Registering your Fortinet product

Fortinet products End User License Agreement

Customer service and technical support

Training

Fortinet documentation

Before you begin

Before you begin using this guide, take a moment to note the following:

• The FortiGate unit is successfully installed and integrated into the network.

• The FortiGate unit is currently running FortiOS 4.0 or higher.

• This guide includes detailed log message examples of each log type. If you need more information about specific log messages, such as the event-vipssl log messages, see the FortiGate Log Message Reference.

How this guide is organized

This document contains information about how to find the right log device for your logging requirements, how to enable and configure logging to that device, and a detailed explanation of the log messages of each log type.

This document contains the following chapters:

Logging practices in FortiOS 4.0 provides general information about logging. We recommend that you begin with this chapter as it contains information for both beginners and advanced users.

Configuring log devices provides information about how to configure your chosen log device. Configuring multiple FortiAnalyzer units or Syslog servers is also included.

Logging in FortiOS 4.0 provides information about the different log types and subtypes, and how to enable logging of FortiGate features.

FortiGate log messages provides general information about log messages, such as what a log header is. Detailed examples of each log type are discussed as well. For additional information about all log messages recorded by a FortiGate unit running FortiOS 4.0 and higher, see the FortiGate Log Message Reference.


Configuring reports in FortiOS 4.0 provides information about how to configure reports if you have logged to a FortiAnalyzer unit, FortiGate system memory, or the FortiGate unit’s hard disk SQL database.

Document conventions

Fortinet technical documentation uses the conventions described below:

IP addresses

To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

Cautions, Notes and Tips

Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Presents useful information, usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions

Fortinet documentation uses the following typographical conventions:

Table 1: Typographical conventions in Fortinet technical documentation

Convention: Button, menu, text box, field, or check box label
Example: From Minimum log level, select Notification.

Convention: CLI input
Example:
config system dns
set primary <address_ipv4>
end

Convention: CLI output
Example:
FGT-602803030703 # get system settings
comments : (null)
opmode : nat

Convention: Emphasis
Example: HTTP connections are not secure and can be intercepted by a third party.

Convention: File content
Example:
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>

Convention: Hyperlink
Example: Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Convention: Keyboard entry
Example: Type a name for the remote VPN peer or client, such as Central_Office_1.

Convention: Navigation
Example: Go to VPN > IPSEC > Auto Key (IKE).

Convention: Publication
Example: For details, see the FortiGate Administration Guide.

* For conventions used to represent command syntax, see “CLI command syntax” on page 10.


CLI command syntax

This guide uses the following conventions to describe syntax to use when entering commands in the Command Line Interface (CLI).

Brackets, braces, and pipes are used to denote valid permutations of the syntax.

Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.

For more information, see the FortiGate CLI Reference.

Table 2: Command syntax

Convention: Square brackets [ ]
Description: A non-required word or series of words. For example: [verbose {1 | 2 | 3}] indicates that you may either omit or type both the verbose word and its accompanying option, such as: verbose 3

Convention: Angle brackets < >
Description: A word constrained by data type. To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and a suffix that indicates the valid data type. For example: <retries_int> indicates that you should enter a number of retries, such as 5.
Data types include:
<xxx_name>: A name referring to another part of the configuration, such as policy_A.
<xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
<xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
<xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
<xxx_email>: An email address, such as [email protected].
<xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.
<xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
<xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
<xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
<xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
<xxx_ipv6>: An IPv6 address.
<xxx_v6mask>: A dotted decimal IPv6 netmask.
<xxx_ipv6mask>: A dotted decimal IPv6 address and netmask separated by a space.
<xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
<xxx_int>: An integer number that is not another data type, such as 15 for the number of minutes.

Convention: Curly braces { }
Description: A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

Convention: Options delimited by vertical bars |
Description: Mutually exclusive options. For example: {enable | disable} indicates that you must enter either enable or disable, but must not enter both.

Convention: Options delimited by spaces
Description: Non-mutually exclusive options. For example: {http https ping snmp ssh telnet} indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as: ping https ssh
Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type: ping https snmp ssh
If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.
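The syntax notation in Table 2 is easy to misread, so the following added example (not Fortinet code, and not part of this guide) validates typed values against the <xxx_type> constraint tokens and the {a | b} / {a b c} option sets described above, and shows why the Note matters: a re-typed space-delimited list replaces the old one, so any option you leave out is silently dropped. The helper names and regular expressions are assumptions of this example; only the ipv4, v4mask, ipv4mask, ipv4/mask, ipv6, int, index, fqdn, email, url, pattern, str and name suffixes are handled.

```python
import ipaddress
import re

# Assumed helper regexes for the fqdn, email and url data types (not from the guide).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(r"^(?:%s\.)+[A-Za-z]{2,63}$" % _LABEL)
_EMAIL_RE = re.compile(r"^[^@\s]+@(?:%s\.)+[A-Za-z]{2,63}$" % _LABEL)
_URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^\s/]+")


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def _is_v4mask(value):
    # A netmask is a run of 1 bits followed by a run of 0 bits (e.g. 255.255.255.0).
    if not _is_ipv4(value):
        return False
    inverted = (~int(ipaddress.IPv4Address(value))) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def check_constraint(token, value):
    """Return True if value is acceptable input for a <name_type> token."""
    m = re.fullmatch(r"<\w+?_([A-Za-z0-9/]+)>", token)
    if not m:
        raise ValueError("not a constraint token: %r" % token)
    kind = m.group(1)
    if kind == "int":
        return re.fullmatch(r"-?\d+", value) is not None
    if kind == "index":
        return value.isdigit()
    if kind == "ipv4":
        return _is_ipv4(value)
    if kind == "v4mask":
        return _is_v4mask(value)
    if kind == "ipv4mask":  # address and netmask separated by a space
        parts = value.split()
        return len(parts) == 2 and _is_ipv4(parts[0]) and _is_v4mask(parts[1])
    if kind == "ipv4/mask":  # address and CIDR prefix separated by a slash
        addr, sep, bits = value.partition("/")
        return sep == "/" and _is_ipv4(addr) and bits.isdigit() and int(bits) <= 32
    if kind == "ipv6":
        try:
            ipaddress.IPv6Address(value)
            return True
        except ValueError:
            return False
    if kind == "fqdn":
        return _FQDN_RE.match(value) is not None
    if kind == "email":
        return _EMAIL_RE.match(value) is not None
    if kind == "url":
        return _URL_RE.match(value) is not None
    if kind == "pattern":  # wild-card words are turned into a regular expression
        try:
            re.compile(re.escape(value).replace(r"\*", ".*"))
            return bool(value)
        except re.error:
            return False
    if kind in ("str", "name"):
        return bool(value)
    raise ValueError("unknown data type suffix: %r" % kind)


def parse_option_set(spec):
    """Parse '{enable | disable}' or '[verbose {1 | 2 | 3}]'.
    Returns (leading keyword, options, mutually_exclusive, optional)."""
    s = spec.strip()
    optional = s.startswith("[") and s.endswith("]")
    if optional:
        s = s[1:-1].strip()
    keyword, brace, rest = s.partition("{")
    if not brace or not rest.endswith("}"):
        raise ValueError("not an option set: %r" % spec)
    inner = rest[:-1]
    exclusive = "|" in inner
    options = [o.strip() for o in inner.split("|")] if exclusive else inner.split()
    return keyword.strip(), options, exclusive, optional


def check_options(spec, typed):
    """True if the typed words are a valid permutation of the option set."""
    keyword, options, exclusive, optional = parse_option_set(spec)
    words = typed.split()
    if not words:
        return optional  # the whole [ ... ] group may be omitted
    if keyword:
        if words[0] != keyword:
            return False
        words = words[1:]  # the keyword must be followed by its option
    if exclusive:
        return len(words) == 1 and words[0] in options
    # Space-delimited sets: at least one option, any order, no repeats.
    return bool(words) and len(set(words)) == len(words) and all(w in options for w in words)


def options_dropped_by_retype(current, typed):
    """Space-delimited lists are replaced, not appended to (Table 2 Note):
    return the options of the current list that vanish if you type `typed`."""
    new = set(typed.split())
    return [o for o in current.split() if o not in new]
```

options_dropped_by_retype("ping https ssh", "snmp") returns all three existing options, which is how an administrator who meant only to add SNMP ends up with a management interface that has lost HTTPS and SSH access; re-typing the full list "ping https snmp ssh" drops nothing.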

Registering your Fortinet product

Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.

Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.

For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.

Fortinet products End User License Agreement

See the Fortinet products End User License Agreement.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network.

To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.

You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Center article What does Fortinet Technical Support require in order to best assist the customer?

Training

Fortinet Training Services provides a variety of training programs to serve the needs of our customers and partners world-wide. Visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email [email protected].


Fortinet documentation

The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.

In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base.

Tools and Documentation CD

The documentation for your product is available on the Fortinet Tools and Documentation CD shipped with your product. The documents on this CD are current at shipping time. For the most current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Base

The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this or any Fortinet technical document to [email protected].


Logging practices in FortiOS 4.0

This chapter contains valuable information about logging practices and what you need to consider before logging FortiGate features on your FortiGate unit. This chapter includes how logging affects system performance, what logging devices are appropriate for your logging setup, and solutions for ensuring that logs are not lost if a failure occurs with your logging device.

Fortinet recommends reading this chapter when one or more of the following applies:

• You are new to logging in general or new to logging using a FortiGate unit and log device.

• You are deciding on a log scenario for your network environment and need to know what log devices are available for the FortiGate unit, including what FortiGate features would be best suited for your network traffic.

• You want to upgrade your current log scenario, which may mean a new log device (such as a FortiGuard Analysis server).

• You need to create a new log scenario because the current one no longer meets your network’s needs.

This chapter contains the following sections:

About logging

Logging FortiGate features

Log devices

Backup solutions for logging

About logging

Logging is a valuable tool, providing insight into how to better protect the network traffic against attacks, including misuse and abuse. This valuable tool requires a plan so that you can properly configure logging for your particular network’s needs.

This plan should provide you with an outline of what log requirements your network needs.

Your plan should cover:

• what FortiGate features you want logged

• the logging device best suited for your network

• if you want or are required to archive log files

• ensuring log files are not lost in the event a failure occurs (backup solution).

Your plan should also include the following:

• The FortiGate features you want to log. For more information, see “Logging FortiGate features” on page 14.

• The amount of storage space required to log the chosen FortiGate features. For example, traffic logs cannot be stored in the FortiGate system memory because they are large files. For more information, see “Logging FortiGate features” on page 14.


• The type of device appropriate for logging the chosen FortiGate features. If your organization/company requires reports compiled from log data, a FortiAnalyzer unit may be a better solution since it can create reports at scheduled times. For more information, see “Log devices” on page 14.

• A backup solution in the event your logging device becomes unavailable. For more information, see “Backup solutions for logging” on page 16.

Logging FortiGate features

When you are deciding which FortiGate features should be logged, it is important to know what types of features are best suited for your logging requirements. For example, you want to archive only spam email messages and log VoIP, IM/P2P, event, and traffic logs.

You also need to know if your logging device accepts the types of FortiGate features that you want log. For example, a FortiGuard Analysis server accepts all DLP archive logs, but a Syslog server does not. The backup solution must also fit with what you want to log. For example, you have enabled traffic, event and DLP archiving to log to a FortiAnalyzer unit with a Syslog server as a backup solution: a power failure occurs with the FortiAnalyzer unit and only traffic and event logs are sent to the Syslog server because DLP archives are not supported.

The FortiGate unit can log eleven types of features. These types are:

• traffic

• event

• Data Leak Prevention (DLP)

• application control

• antivirus

• web filtering

• attack (IPS)

• spam filtering

• DLP archiving (available only if connected to a FortiAnalyzer unit)

If you have enabled and configured VDOMs on your FortiGate unit, you can enable logging of FortiGate features within each VDOM. The log message, whether recorded in a VDOM or not, provides what VDOM that log message was recorded in. For example, an event log recorded user_1 editing administrative profiles for user_23 in the vdom_hq. This type of detail provides you with additional help in tracking down and taking action against such things as misuse and abuse or attacks.

Log devices

Log devices provide a secure place to store and view generated log files; however, some of these devices can also provide much more. For example, a FortiAnalyzer unit provides both archiving and reporting features.

The following explains each of the supported log devices, including why that logging device may be a good idea for your network.

System memory

The system memory on the FortiGate unit logs the following features:

• Event log


• Attack log

• Antivirus log

• Webfilter log

• Spam log

• Data Leak Prevention log

• Application Control log

• IM/P2P log

• VoIP log

System memory is limited; the system memory cannot log traffic or DLP archive logs because of their file size and occurrence; however, if you have a local disk, it can log traffic or DLP archive logs.

If you configured system memory logging, these logs display in Log&Report > Log Access > Memory. System memory is a good log device when you only require logging a few FortiGate features or for small networks, such as a home business.

Local disk or AMC disks

If you configured local disk logging, these logs display in Log&Report > Log Access > Disk. This option is available only on FortiGate units with hard disks.

If you have an AMC disk, you can enable uploading of log files to a FortiAnalyzer unit using the CLI.

Structured Query Language (SQL) database on a FortiGate unit’s hard disk

You can store logs within an SQL database if your FortiGate unit has a hard disk. This SQL database allows users to configure reports from the logs stored on the database. You need to enable the database from the CLI.

FortiAnalyzer unit

The FortiAnalyzer unit logs all FortiGate features and can also archive logs. If you also require creating reports from log data, the FortiAnalyzer unit provides a wide variety of reports. Reports contain log information that is presented in both graphical and tabular formats. Reports are a useful tool for reviewing what has occurred on your network in a daily, weekly, or monthly time period.

Logs are accessed from either the web-based manager of the FortiAnalyzer unit or the web-based manager of the FortiGate unit (Log&Report > Log Access > Remote).

You can configure up to three FortiAnalyzer units for logging FortiGate features; however, this is more of a redundant option than a back up solution.

The FortiAnalyzer unit is perfect for large networks that require DLP archiving and reports.

FortiGuard Analysis server

You can also configure logging to a FortiGuard Analysis server. The FortiGuard Analysis Service provides a server which you can configure a FortiGate unit to log FortiGate features to. The FortiGuard Analysis Service is a subscription-based service that provides logging and reporting capabilities previously only found on a FortiAnalyzer unit. You can log to a FortiGuard Analysis server if your FortiGate unit is running FortiOS 4.0 and higher.


The FortiGuard Analysis server can log all FortiGate features including traffic logs, as well as full DLP archiving of all archival FortiGate features, such as email messages and FTP.

You can also generate reports from the log data stored on the FortiGuard Analysis server.

FortiGuard Analysis servers provide all the features of a FortiAnalyzer unit, but without having an actual, physical FortiAnalyzer unit. This service provides an easy, maintenance-free environment for logging and is best for those networks that are growing or administrators who may not have a lot of experience with logging with a FortiGate unit.

The FortiGuard Analysis server can be used in all types of networks, large or small.

Note: If you have not already upgraded to FortiOS 4.0, you can still subscribe to the FortiGuard Analysis and Management Service so that you can configure your FortiGate unit to log to a FortiGuard Analysis server; however, certain FortiOS 3.0 maintenance releases do not contain all the available features that the current FortiGuard Analysis and Management Service version supports.

Syslog server

The Syslog server can log all FortiGate features, including content logs and VoIP logs.

You can also configure up to three Syslog servers to log all FortiGate features. Configuring three Syslog servers is more of a redundancy solution than a backup solution.

Syslog servers are useful in any network setup, large or small.

If you require reports (which are generated from log data), you need to log to a FortiAnalyzer unit or FortiGuard Analysis server.

NetIQ WebTrends server

The NetIQ WebTrends server logs all FortiGate features, except DLP archive. You can configure only one NetIQ WebTrends server to log FortiGate features. A NetIQ WebTrends server is useful in any network setup, large or small.

Backup solutions for logging

You need to have a backup solution, or backup plan, in the event the logging device becomes unavailable. If you decide not to include a backup solution when you begin logging, log files may be lost if the logging device becomes unavailable.

The following are backup solutions for various logging devices.

The FortiGuard Analysis Service has several secondary FortiGuard Analysis servers configured as backup servers in the event the FortiGuard Analysis server that is storing your log files becomes unavailable. The FortiGuard Analysis service does not require a backup solution because the secondary servers provide the backup solution you may need if the FortiGuard Analysis server your FortiGate unit is logging to becomes unavailable.

FortiGate units with hard disks and AMC hard disks

You can use the hard disk, if available, to buffer logs that are sent to a FortiAnalyzer unit, by configuring this in the CLI. For more information, see the FortiGate CLI Reference.

You can configure the AMC hard disk on the FortiGate unit, if available, to store logs including DLP archives and then upload these logs to a FortiAnalyzer unit on a daily basis.

You can also schedule when to upload these logs from the AMC disk to the FortiAnalyzer unit.


FortiAnalyzer unit

A backup solution to a FortiAnalyzer unit may be a Syslog server or NetIQ WebTrends server. You could use a FortiGuard Analysis server as a backup solution to a FortiAnalyzer unit as well.

Syslog server

You can configure up to three Syslog servers for ensuring logs are not lost when a failure occurs. When the FortiGate unit logs to all three Syslog servers, all three Syslog servers receive the same logs. This ensures logs are available at all times.

NetIQ WebTrends server backup solution

You can log to the FortiGate system memory or hard disk, as a backup solution when logging FortiGate features to a NetIQ WebTrends server.


Configuring log devices

In your log plan, you chose a log device to meet your log requirements. This section helps you to configure the log device you chose, including how to configure multiple FortiAnalyzer units or Syslog servers. This section also includes how to log to a FortiGuard Analysis server, which is available if you are subscribed to the FortiGuard Analysis and Management Service.

If you need to configure multiple FortiAnalyzer units or Syslog servers, see “Logging to multiple FortiAnalyzer units or Syslog servers” on page 24 to configure these devices.

The FortiGate unit supports logging to a variety of log devices, including the FortiGuard Analysis server. This provides greater flexibility when logging requirements change. The log devices that the FortiGate unit supports are:

• FortiGate system memory

• Hard disk or AMC

• SQL database (for FortiGate units that have a hard disk)

• FortiAnalyzer unit

• FortiGuard Analysis server (part of the FortiGuard Analysis and Management Service)

• Syslog server

• NetIQ WebTrends server

This chapter contains the following sections:

Logging to the FortiGate unit’s system memory

Logging to the FortiGate unit’s hard disk

Logging to a FortiAnalyzer unit

Logging to a FortiGuard Analysis server

Logging to a Syslog server

Logging to a WebTrends server

Logging to multiple FortiAnalyzer units or Syslog servers

Note: All log entries are cleared from the FortiGate unit system memory when the FortiGate unit restarts.

In FortiOS 4.0 MR1, the size of a log file is reduced. This provides more room for storing large amounts of log files on log devices as well as on the FortiGate unit. If you currently have a scheduled uploading or rolling of log files, you may need to re-schedule because of the reduced size. For example, logs rolled every two months, now need to be rolled every four months.


Logging to the FortiGate unit’s system memory

The FortiGate system memory has a limited capacity for log messages. The system memory displays recent log entries and stores most log types except traffic and content logs. The FortiGate system memory cannot store traffic and content logs because of their size and frequency of log entries. When the system memory is full, the FortiGate unit overwrites the oldest messages. All log entries stored in system memory are cleared when the FortiGate unit restarts.

To configure the FortiGate unit to save logs in memory

1 Go to Log&Report > Log Config > Log Setting.

2 Expand Local Logging & Archiving.

3 Select the check box beside Memory.

4 Select a log level from the Minimum log level list.

5 Select Apply.

The FortiGate unit logs all messages at and above the logging severity level you select. For more information on log severity levels, see “Log severity levels” on page 29.

Logging to the FortiGate unit’s hard disk

If your FortiGate unit contains a hard disk, you can configure the FortiGate unit to store logs on the disk. You can configure logging to the FortiGate unit’s hard disk from Log&Report > Log Config > Log Settings. When you configure logging to a hard disk, you can also configure a schedule to upload those logs to a FortiAnalyzer unit if the hard disk is an AMC disk.

Figure 1: Log configuration settings on a FortiGate unit with a hard disk


To log to the hard disk on a FortiGate unit

1 Go to Log&Report > Log Config > Log Settings.

2 Expand Remote Logging & Archiving to reveal the available options.

3 Select the check box beside Buffer to hard disk and upload.

4 To log to an AMC hard disk, select the check box beside Log to AMC Hard Disk & Upload to FortiAnalyzer.


Logging to the FortiGate unit’s SQL database

If your FortiGate unit has a hard disk and is running FortiOS 4.0 MR1, then you can send logs to the SQL database. You must first set up the SQL database before configuring the FortiGate unit to log to it.

The following assumes that you have already logged in to the web-based manager. If you want to configure logging to an SQL database using the CLI, see the FortiGate CLI Reference.

To log to an SQL database

1 Go to Log&Report > Log Config > Log Settings.

2 Under Local Logging & Archiving, select the check box beside Disk.

3 Select a log level from the Minimum log level list.

4 Select one of the following in the When log disk is full list:

Overwrite old logs   Deletes the oldest log entry and continues logging when the maximum log disk space is reached.
Do not log           Stops writing log messages to the disk when the maximum log disk space is reached.

5 Enter the maximum size (in MB) that the log file should not exceed in the Log file should not exceed field.

6 To roll log files on a daily basis, select Daily in the Log files should be rolled list, and then specify a time.

7 To roll log files on a weekly basis, select Weekly in the Log files should be rolled list, select a week day, and then enter the time when the log file will roll.

8 Select SQL as the log format you want for each of the available logs under Log Storage Format.

9 Select Apply.

Logging to a FortiAnalyzer unit

A FortiAnalyzer unit can log all FortiGate features that are available for logging, including DLP archiving. The following procedure assumes that you have only one FortiAnalyzer unit to configure. If you are configuring more than one, you must configure the other FortiAnalyzer units in the CLI. Use the procedures in “Configuring multiple FortiAnalyzer units” on page 24 to configure multiple FortiAnalyzer units.

To send logs to a FortiAnalyzer unit

1 Go to Log&Report > Log Config > Log Setting.

2 Expand Remote Logging & Archiving to reveal the available options.

3 Select FortiAnalyzer.

4 In the IP/FQDN field, enter either the IP address or FQDN of the FortiAnalyzer unit.

5 Select a log level from the Minimum log level list.

6 Select Apply.


Testing the FortiAnalyzer configuration

After configuring FortiAnalyzer settings, you can test the connection between the FortiGate unit and the FortiAnalyzer unit to ensure the connection is working properly. This enables you to view the connection settings between the FortiGate unit and the FortiAnalyzer unit.

To test the connection between your FortiGate unit and the FortiAnalyzer unit, go to Log&Report > Log Config > Log Settings, and under Remote Logging & Archiving select Test Connectivity beside the IP/FQDN field.

Connecting to a FortiAnalyzer unit using Automatic Discovery

Automatic Discovery is a method of establishing a connection to a FortiAnalyzer unit by using the FortiGate unit to find a FortiAnalyzer unit on the network. The Fortinet Discovery Protocol (FDP) is used to locate the FortiAnalyzer unit. Both units must be on the same subnet to use FDP, and they must also be able to connect using UDP.

When you select Automatic Discovery, the FortiGate unit uses HELLO packets to locate any FortiAnalyzer units that are available on the network within the same subnet. When the FortiGate unit discovers the FortiAnalyzer unit, the FortiGate unit automatically enables logging to the FortiAnalyzer unit and begins sending log data.

To connect to a FortiAnalyzer unit using Automatic Discovery

1 Go to Log&Report > Log Config > Log Settings.

2 Under Remote Logging & Archiving, in FortiAnalyzer, select Automatic Discovery.

3 If in Transparent mode, select an interface from the Interface list.

4 If available, select a FortiAnalyzer unit from the Connect To list when a FortiAnalyzer unit is discovered.

5 Select Discover.

6 When you select Discover in Transparent mode, a warning displays. Select OK to continue.

If your FortiGate unit is in Transparent mode, the interface using the automatic discovery feature will not carry traffic. For more information about how to enable the interface to also carry traffic when using the automatic discovery feature, see the Fortinet Knowledge Base article, Fortinet Discovery Protocol in Transparent mode .

Note: The FortiGate unit searches within the same subnet for a response from any available FortiAnalyzer units.

Logging to a FortiGuard Analysis server

You can configure logging to a FortiGuard Analysis server after registering for the FortiGuard Analysis and Management Service. The following procedure assumes that you have already configured the service account ID in System > Maintenance > FortiGuard.

To log to a FortiGuard Analysis server

1 Go to Log&Report > Log Config > Log Settings.

2 Expand Remote Logging & Archiving to reveal the available options.

3 Select the check box beside FortiGuard.

4 Enter the account ID in the Account ID field.


5 Select one of the following:

Overwrite oldest logs   Deletes the oldest log entry and continues logging when the maximum log disk space is reached.
Do not log              Stops log messages going to the FortiGuard Analysis server when the maximum log disk space is reached.

6 Select a severity level.

7 Select Apply.

Logging to a Syslog server

The Syslog server is a remote computer running syslog software. Syslog is a standard for forwarding log messages in an IP network. Syslog servers capture log information provided by network devices.

Use the procedure in “Configuring multiple Syslog servers” on page 25 to configure multiple Syslog servers.

To send logs to a syslog server

1 Go to Log&Report > Log Config > Log Setting.

2 Select the check box beside Syslog.

After you select the check box, the Syslog options appear.

3 Enter the appropriate information for the following:

IP/FQDN

Enter the domain name or IP address of the syslog server.

Port

Enter the port number for communication with the syslog server, usually port 514.

Minimum log level

Select a log level. The FortiGate unit logs all messages at and above that logging severity level. For more information about log severity levels, see “Log severity levels” on page 29.

Facility

Facility indicates to the syslog server the source of a log message. By default, the FortiGate reports facility as local7.

You can change the Facility if you want to distinguish log messages from different Fortinet units.

Enable CSV Format

Select to have logs formatted in Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate unit produces plain text files.

4 Select Apply.
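The Facility and Minimum log level settings above are what a collector sees in the PRI field at the start of every syslog message. The following is an added example, not code from the Fortinet guide, that encodes and decodes that field and uses the facility to tell two FortiGate units apart, which is the reason the guide gives for changing the default. It assumes RFC 3164 framing (PRI = facility * 8 + severity) and the FortiGate default facility local7 (code 23); the sample lines, device names and the local6 assignment are constructed for the example.

```python
"""Added example (not from the Fortinet guide): syslog PRI encoding/decoding
for FortiGate log messages.

Assumptions: RFC 3164 framing, PRI = facility * 8 + severity, FortiGate
default facility local7 (23). Sample lines below are constructed.
"""
import re

# RFC 3164 facility codes 0..23 (13-15 are abbreviated here); local0-local7 are 16..23
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
FACILITY_CODE = {name: code for code, name in enumerate(FACILITY_NAMES)}

# Severity 0 (Emergency, most severe) .. 7 (Debug), same keywords FortiOS writes in level=
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "information", "debug"]
SEVERITY_CODE = {name: code for code, name in enumerate(SEVERITY_NAMES)}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility, severity):
    """PRI value a unit configured with 'facility' sends for a 'severity' message."""
    return FACILITY_CODE[facility] * 8 + SEVERITY_CODE[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility name, severity name)."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI %d out of range" % pri)
    fac, sev = divmod(pri, 8)
    return FACILITY_NAMES[fac], SEVERITY_NAMES[sev]


def parse_syslog_line(line):
    """Return facility, severity and payload of one RFC 3164 line."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("line has no <PRI> prefix")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "msg": m.group(2)}


def attribute_by_facility(lines, facility_to_unit):
    """Tag each line with the FortiGate unit whose 'set facility' matches it.

    facility_to_unit mirrors the per-unit facility choice; lines from a
    facility nobody claimed are tagged 'unknown' rather than dropped.
    """
    out = []
    for line in lines:
        rec = parse_syslog_line(line)
        rec["unit"] = facility_to_unit.get(rec["facility"], "unknown")
        out.append(rec)
    return out


# Constructed sample: FG-A keeps the default local7, FG-B was set to local6,
# and a third line comes from an unrelated host using user.notice (PRI 13).
SAMPLE_LINES = [
    "<189>date=2009-08-24 time=10:00:00 devname=FG-A type=traffic subtype=allowed level=notice",
    "<180>date=2009-08-24 time=10:00:01 devname=FG-B type=event subtype=admin level=warning",
    "<13>date=2009-08-24 time=10:00:02 some other host: not a FortiGate",
]
FACILITY_TO_UNIT = {"local7": "FG-A", "local6": "FG-B"}

if __name__ == "__main__":
    for rec in attribute_by_facility(SAMPLE_LINES, FACILITY_TO_UNIT):
        print(rec["unit"], rec["facility"], rec["severity"], rec["msg"][:40])
```

Leaving every unit on local7 is harmless when the collector keys on the devname field in the payload, but a plain syslog daemon that routes by facility alone cannot separate them, which is what the Facility option is for.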

Logging to a WebTrends server

A WebTrends server is a remote computer, similar to a Syslog server, running NetIQ WebTrends firewall reporting server. FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with NetIQ WebTrends Security Reporting Center and Firewall Suite 4.1.

To send logs to a WebTrends server, log in to the CLI and enter the following commands:

    config log webtrends setting
        set server <address_ip4>
        set status {disable | enable}
    end


Example

This example shows how to enable logging to a remote NetIQ WebTrends server and set its IP address.

    config log webtrends setting
        set status enable
        set server 172.25.82.145
    end

Logging to multiple FortiAnalyzer units or Syslog servers

FortiOS 4.0 allows you to configure multiple FortiAnalyzer units or multiple Syslog servers, ensuring that all logs are not lost in the event one of them fails.

You can configure multiple FortiAnalyzer units or Syslog servers within the CLI. You should review the FortiGate CLI Reference before proceeding because the reference document provides detailed explanations on all the CLI commands used in the following procedures.

Configuring multiple FortiAnalyzer units

Fortinet recommends that you contact a FortiAnalyzer administrator first, to verify that the IP addresses of the FortiAnalyzer units you want to send logs to are correct and that all FortiAnalyzer units are currently installed with FortiAnalyzer 4.0 firmware.

If VDOMs are enabled, you can configure multiple FortiAnalyzer units or Syslog servers for each VDOM. For more information, see the FortiGate CLI Reference.

The following procedure does not contain how to enable logging of FortiGate features within the CLI. Use the FortiGate CLI Reference (the config log section) to enable which FortiGate features to log.

To enable logging to multiple FortiAnalyzer units

1 Log in to the CLI.

2 Enter the following commands:

    config log fortianalyzer setting
        set status enable
        set server <faz_ip_address>
        set encrypt {disable | enable}              (if encryption is required)
        set psksecret <password>                    (if encryption is required)
        set localid <identification_ipsectunnel>    (if encryption is required)
        set conn-timeout <value_seconds>
    end

3 Enter the following commands for the second FortiAnalyzer unit:

    config log fortianalyzer2 setting
        set status {disable | enable}
        set server <fortianalyzer_ipv4>
        set encrypt {disable | enable}              (if encryption is required)
        set psksecret <password>                    (if encryption is required)
        set localid <identification_ipsectunnel>    (if encryption is required)
        set ver-1 {disable | enable}
        set conn-timeout <value_seconds>
    end

4 Enter the following commands for the last FortiAnalyzer unit:

    config log fortianalyzer3 setting
        set status enable
        set server <faz_ip_address>
        set encrypt {disable | enable}              (if encryption is required)
        set psksecret <password>                    (if encryption is required)
        set localid <identification_ipsectunnel>    (if encryption is required)
        set conn-timeout <value_seconds>
    end

Configuring multiple Syslog servers

When configuring multiple Syslog servers (or one Syslog server), you can configure reliable delivery of log messages to the Syslog server. Configuring reliable delivery is available only in the CLI.

If VDOMs are enabled, you can configure multiple FortiAnalyzer units or Syslog servers for each VDOM. For more information, see the FortiGate CLI Reference.

The following procedure does not contain how to enable logging of FortiGate features within the CLI. Use the FortiGate CLI Reference (the config log section) to enable which FortiGate features to log.

To enable logging to multiple Syslog servers

1 Log in to the CLI.

2 Enter the following commands:

    config log syslogd setting
        set csv {disable | enable}
        set facility <facility_name>
        set port <port_integer>
        set reliable {disable | enable}
        set server <ip_address>
        set status {disable | enable}
    end

3 Enter the following commands to configure the second Syslog server:

    config log syslogd2 setting
        set csv {disable | enable}
        set facility <facility_name>
        set port <port_integer>
        set reliable {disable | enable}
        set server <ip_address>
        set status {disable | enable}
    end

4 Enter the following commands to configure the third Syslog server:

    config log syslogd3 setting
        set csv {disable | enable}
        set facility <facility_name>
        set port <port_integer>
        set reliable {disable | enable}
        set server <ip_address>
        set status {disable | enable}
    end


Logging in FortiOS 4.0

This section introduces you to the types of logs the FortiGate unit records, log severity levels, and where to enable logging of FortiGate features in FortiOS 4.0.

This chapter contains the following sections:

FortiGate log types and subtypes

Log severity levels

Enabling logging of FortiGate features

Configuring an alert email message

Viewing quarantined files

FortiGate log types and subtypes

The FortiGate unit can record the following log types based on the network traffic.

Log Type               File name   Description
Traffic                tlog.log    The traffic log records all traffic to and through the FortiGate interface.
Event                  elog.log    The event log records management and activity events, for example, when an administrator logs in or logs out of the web-based manager.
Antivirus              vlog.log    The antivirus log records virus incidents in Web, FTP, and email traffic.
Web                    wlog.log    The web filter log records HTTP FortiGuard rating errors, including web content blocking actions that the FortiGate unit performs.
Attack                 alog.log    The attack log records attacks that are detected and prevented by the FortiGate unit.
Spam Filter            slog.log    The spam filter log records blocking of email address patterns and content in SMTP, IMAP, and POP3 traffic.
Data Leak Prevention   dlog.log    The Data Leak Prevention log records data that is considered sensitive and that should not be made public. This log also records data that a company does not want entering its network.
Application Control    rlog.log    The application control log records data detected by the FortiGate unit and the action taken against the network traffic, depending on the application that is generating the traffic, for example, instant messaging software such as MSN Messenger.
DLP archive            clog.log    The DLP archive log records all log messages, including most IM log messages as well as the following session control protocol (VoIP protocol) log messages:
                                   • SIP start and end call
                                   • SCCP phone registration
                                   • SCCP call info (end of call)
                                   • SIMPLE log message


FortiGate logs also include log subtypes, which are types of log messages within the main log type. For example, in the event log type there is the admin subtype. FortiGate log types and subtypes are numbered, and these numbers appear within the log identification field of the log message. For more information, see “FortiGate log messages” on page 37.

Table 3: Log types and subtypes

Log Type                             Category Number   Sub-Type                                                       Sub-Type Number
traffic (Traffic Log)                00                allowed – Policy allowed traffic                               21
                                                       violation – Policy violation traffic                           22
                                                       Other                                                          38
event (Event Log)                    01                system – System activity event                                 00
                                                       ipsec – IPSec negotiation event                                01
                                                       dhcp – DHCP service event                                      02
                                                       ppp – L2TP/PPTP/PPPoE service event                            03
                                                       admin – admin event                                            04
                                                       ha – HA activity event                                         05
                                                       auth – Firewall authentication event                           06
                                                       pattern – Pattern update event                                 07
                                                       alertemail – Alert email notifications                         23
                                                       chassis – FortiGate-4000 and FortiGate-5000 series chassis event   29
                                                       sslvpn-user – SSL VPN user event                               32
                                                       sslvpn-admin – SSL VPN administration event                    33
                                                       sslvpn-session – SSL VPN session event                         34
                                                       his-performance – performance statistics                       43
                                                       vipssl – VIP SSL events                                        45
                                                       ldb-monitor – LDB monitor events                               46
dlp (Data Leak Prevention Log)       09                dlp – Data Leak Prevention                                     54
app-ctrl (Application Control Log)   10                app-ctrl-all – All application control                         59
DLP archive (DLP Archive Log)        06                HTTP – HTTP content metadata                                   24
                                                       FTP – FTP content metadata                                     25
                                                       SMTP – SMTP content metadata                                   26
                                                       POP3 – POP3 content metadata                                   27
                                                       IMAP – IMAP content metadata                                   28
virus (Antivirus Log)                02                infected – Virus infected                                      11
                                                       filename – Filename blocked                                    12
                                                       oversize – File oversized                                      13
webfilter (Web Filter Log)           03                content – Content block                                        14
                                                       urlfilter – URL filter                                         15
                                                       FortiGuard block                                               16
                                                       FortiGuard allowed                                             17
                                                       FortiGuard error                                               18
                                                       ActiveX script filter                                          35
                                                       Cookie script filter                                           36
                                                       Applet script filter                                           37
ids (Attack Log)                     04                signature – Attack signature                                   19
                                                       anomaly – Attack anomaly                                       20
emailfilter (Spam Filter Log)        05                SMTP                                                           08
                                                       POP3                                                           09
                                                       IMAP                                                           10

Log severity levels

You can define what severity level the FortiGate unit records logs at when configuring the logging location. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert, and Emergency level messages.

Table 4: Log severity levels

Level             Description
0 - Emergency     The system has become unstable.
1 - Alert         Immediate action is required.
2 - Critical      Functionality is affected.
3 - Error         An error condition exists and functionality could be affected.
4 - Warning       Functionality could be affected.
5 - Notification  Information about normal events.
6 - Information   General information about system operations.

The Debug severity level, not shown in Table 4, is rarely used. It is the lowest log severity level and usually contains firmware status information that is useful when the FortiGate unit is not functioning properly. Debug log messages are generated only if the log severity level is set to Debug. Debug log messages are generated by all types of FortiGate features.

Enabling logging of FortiGate features

Within FortiOS 4.0, there are many different logs you can enable. Depending on what you choose to log, you need to enable them in various locations within the web-based manager. This section describes where you enable logging for each log type.

This topic includes the following:

Firewall policy traffic logging

Event logging

Data Leak Prevention logging

Application control logging

Antivirus logging

Web Filter logging

Attack logging

Spam filter logging

DLP archiving


Firewall policy traffic logging

Firewall policy traffic logging records the traffic, both permitted and denied by the firewall policy, based on the protection profile. Firewall policy traffic logging records packets that match the policy. This method of traffic logging is preferred because it reduces system load on the FortiGate unit.

To enable firewall policy traffic logging

1 Go to Firewall > Policy.

2 Expand the policy list to reveal the policy you want.

3 Select Edit beside the policy that you want.

If required, create a new firewall policy by selecting Create New. For more information about firewall policies, see the FortiGate Administration Guide.

4 Select the check box beside Log Allowed Traffic.

5 Select OK.

Note: You need to set the logging severity level to Notification when configuring a logging location to record traffic log messages.

Event logging

The event log records management and activity events, such as when a configuration has changed, admin login, or high availability (HA) events occur.

When you are logged in to VDOMs, certain options may not be available, such as VIP ssl event or CPU and memory usage events. You can enable event logs only when you are logged in to a VDOM; you cannot enable event logs in the root VDOM.

To enable the event logs

1 Go to Log&Report > Log Config > Event Log.

2 Select the Enable check box.

3 Select one or more of the following logs:

System activity event               All system-related events, such as ping server failure and gateway status.
IPSec negotiation event             All IPSec negotiation events, such as process and error reports.
DHCP service event                  All DHCP events, such as the request and response log.
L2TP/PPTP/PPPoE service event       All protocol-related events, such as manager and socket create processes.
Admin event                         All administrative events, such as user logins, resets, and configuration updates.
HA activity event                   All high availability events, such as link, member, and state information.
Firewall authentication event       All firewall-related events, such as user authentication.
Pattern update event                All pattern update events, such as antivirus and IPS pattern updates and update failure.
SSL VPN user authentication event   All user authentication events related to SSL VPN.
SSL VPN administration event        All administration events related to SSL VPN, such as SSL configuration and CA certificate loading and removal.
SSL VPN session event               All session activity, such as application launches and blocks, timeouts, verifications and so on.
VIP ssl event                       All server load balancing events that happen during an SSL session, especially details about handshaking.
VIP server health monitor event     All VIP server health monitor events that occur when the VIP health monitor is configured, such as an interface failure.
CPU & memory usage (every 5 min)    Real-time CPU and memory events only, at 5-minute intervals.

4 Select Apply.

Data Leak Prevention logging

Data Leak Prevention (DLP) provides additional information for administrators that can better analyze and detect data leaks. You can enable logging of your configured settings for DLP within the DLP sensor.

Before enabling logging of DLP events, verify that you have the correct DLP sensor for what you want logged.

To enable logging of DLP events

1 Go to Firewall > Protection Profile.

2 Select Edit beside the protection profile that you want.

3 Expand Data Leak Prevention to reveal the available options.

4 Select the check box next to the sensor list.

5 Select a sensor from the list.

6 Expand Logging to reveal the available options.

7 Select the Data Leak Prevention Log DLP check box.

Application control logging

This log file includes IPS, IM/P2P and VoIP events that the FortiGate unit records. The application control log also includes some IPS activities.

Before enabling logging of Application Control events, verify that the correct application control list is available for what you want to log. An application control list is required for logging application control events.

To enable logging of application control settings

1 Go to Firewall > Protection Profile.

2 Select Edit beside the protection profile that you want.

3 Expand Application Control to reveal the available options.

4 Select the check box beside the application control list to enable the option.

5 Select a list from the application control list.

6 Expand Logging to reveal the available options.

7 Select the Log Application Control check box.


Antivirus logging

The Antivirus logs record virus incidents in Web, FTP and email traffic. For example, when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email. You can also apply filters to customize what the FortiGate unit logs, which are:

Viruses – The FortiGate unit logs all virus infections

Blocked Files – The FortiGate unit logs all instances of blocked files.

Oversized Files/Emails – The FortiGate unit logs all instances of files and email messages exceeding defined thresholds.

AV Monitor – The FortiGate unit logs all instances of viruses, blocked files, and oversized files and email. This applies to HTTP, FTP, IMAP, POP3, SMTP, and IM traffic.

To enable antivirus logs

1 Go to Firewall > Protection Profile.

2 Select the Edit icon beside the protection profile that you want.

3 Expand Logging to reveal the available options.

4 Under Antivirus, select what antivirus events you want logged.

5 Select OK.

Web Filter logging

Web Filter logs record HTTP FortiGuard rating errors and web content blocking actions.

To enable web filter logs

1 Go to Firewall > Protection Profile.

2 Select the Edit icon beside the protection profile that you want.

3 Expand Logging to reveal the available options.

4 Under Web Filtering, select the web filtering events to log.

5 Select the FortiGuard Web Filtering Rating Errors (HTTP only) to log FortiGuard filtering.

6 Select OK.

Attack logging

The Attack log records attacks detected and prevented by the FortiGate unit. The FortiGate unit will log attack signatures and attack anomalies.

To enable the attack logs

1 Go to Firewall > Protection Profile.

2 Select Edit beside the protection profile that you want.

3 Expand Logging to reveal the available options.

4 Select the check box beside Log Intrusions.

5 Select OK.


Spam filter logging

Spam Filter logs record blocking of email address patterns and content in SMTP, IMAP, and POP3 traffic.

To enable the spam log

1 Go to Firewall > Protection Profile.

2 Select Edit beside the protection profile that you want.

3 Expand Logging to reveal the available options.

4 Select Log Spam.

5 Select OK.

DLP archiving

You can archive FTP, Email, IM, and Web (including HTTPS and all other secure protocols), using DLP rules and sensors. This is referred to as DLP archiving. For more information about enabling and configuring DLP archiving, see the UTM User Guide.

You can use the default DLP sensors for archiving, which are Content_Archive and Content_Summary, available in UTM > Data Leak Prevention > Sensor. These two default DLP sensors are dedicated to content archiving. Content_Archive provides full content archiving, while Content_Summary provides summary DLP archiving. For more information, see the UTM User Guide.

Figure 2 helps to explain what can be seen when full DLP archiving is enabled, such as from the Email tab. When full DLP archiving is enabled, you can view the email message and any attachments, including HTML or XML pages.

Figure 2: An example of an archived email message as displayed in DLP Archive > Email

Note: When viewing web archives, the URL is usually saved as a PDF, except for XML pages which are saved as XML.


Configuring an alert email message

You can use the Alert Email feature to monitor logs for log messages, and to send email notification about a specific activity or event logged. For example, if you require notification about administrators logging in and out, you can configure an alert email that is sent whenever an administrator logs in and out. You can also base alert email messages on the severity levels of the logs.

Before configuring alert email, you must configure at least one DNS server if you specify the SMTP server by Fully Qualified Domain Name (FQDN). The FortiGate unit uses the SMTP server name to connect to the mail server, and must look up this name on your DNS server. You can also specify an IP address.

To configure an alert email message, go to Log&Report > Log Config > Alert E-mail, enter the information for the SMTP server, and then select Apply. Choose one of the following:

• If you want an alert email message sent based on log severity, select Send alert email for logs based on severity, and then select a minimum log level.

• If you want an alert email message sent based on specific activities, such as an administrator logging in or out, select Send alert email for the following and then select the check boxes beside the available options.

To verify the alert email message can be sent to the recipient, select Test Connectivity.

This test can be done at anytime after configuring the SMTP server information.

Figure 3: Alert Email options

SMTP Server – The name/address of the SMTP email server.

Email from – The SMTP user name.

Email to – Enter up to three email address recipients for the alert email message.

Authentication – Select the authentication Enable check box to enable SMTP authentication.

SMTP user – Enter the user name for logging on to the SMTP server to send alert email messages. You need to do this only if you have enabled SMTP authentication.

Password – Enter the password for logging on to the SMTP server to send alert email. You need to do this only if you selected SMTP authentication.

Send alert email for the following – Select to have the alert email sent for one or multiple events that occur, such as an administrator logging in and out.

Interval Time (1-9999 minutes) – Enter the minimum time interval between consecutive alert emails. Use this to rate-limit the volume of alert emails.

Intrusion detected – Select if you require an alert email message based on attempted intrusion detection.

Virus detected – Select if you require an alert email message based on virus detection.

Web access blocked – Select if you require an alert email message based on blocked web sites that were accessed.

HA status changes – Select if you require an alert email message based on HA status changes.

Violation traffic detected – Select if you require an alert email message based on violation traffic that is detected by the FortiGate unit.

Firewall authentication failure – Select if you require an alert email message based on firewall authentication failures.

SSL VPN login failure – Select if you require an alert email message based on any SSL VPN logins that failed.

Administrator login/logout – Select if you require an alert email message based on whether administrators log in or out.

IPSec tunnel errors – Select if you require an alert email message based on whether there is an error in the IPSec tunnel configuration.

L2TP/PPTP/PPPoE errors – Select if you require an alert email message based on errors that occurred in L2TP, PPTP, or PPPoE.

Configuration changes – Select if you require an alert email message based on any changes made to the FortiGate configuration.

FortiGuard license expiry time (1-100 days) – Enter the number of days before the FortiGuard license expiry time notification is sent.

FortiGuard log quota usage – Select if you require an alert email message based on the FortiGuard Analysis server log disk quota getting full.

Send alert email for logs based on severity – Select if you want to send an alert email that is based on a specified log severity, such as warning.

Minimum log level – Select a log severity from the list. For more information about log severity levels, see “Log severity levels” on page 29.

Note: The default minimum log severity level is Alert. If the FortiGate unit collects more than one log message before an interval is reached, the Fortinet unit combines the messages and sends out one alert email.

Viewing quarantined files

You can view quarantined files from Log&Report > Quarantine Files. You can also search through these files to find a specific quarantined file, or filter the information you are currently viewing.


For more information about quarantined files, see the UTM User Guide.


FortiGate log messages

FortiGate log messages present detailed accounts of an event or activity that happened on your network, as recorded by the FortiGate unit. These log messages provide valuable information about your network that informs you about attacks, misuse and abuse, and traffic activity.

The following information provides explanations for each type of log message in FortiOS 4.0 MR1.

If you require more information about FortiGate log messages than this technical note provides, see the FortiGate Log Message Reference on the Technical Documentation web site.

This chapter contains the following sections:

Explanation of log messages

Traffic log messages

Event log messages

DLP Archive logs

Antivirus log messages

WebFilter log messages

Attack log messages

Antispam log messages

DLP log message

Application control log message

Explanation of log messages

The following log messages are explained in detail and are all recorded in FortiOS 4.0 MR1. Each field of each log message is clearly outlined and explained. If you need additional information about specific log messages, see the FortiGate Log Message Reference.

Before proceeding, you should be aware of the two parts that make up a log message: the header and the body. The header is the beginning part of a log message and includes key information about that specific log message, such as the date and time of when it was recorded.

The following is an example of a log header:

2009-07-10 12:55:06 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 log_id=0021010001 type=traffic subtype=allowed pri=notice vd=root fwver=041000

The rest of the log message is the log body, which includes the log message. The log message body contains specific information for that specific log type and subtype.
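As an added example (not Fortinet's code), the following Python parser splits a FortiOS 4.0 MR1 message into the ten header fields named above and the body, decodes log_id into its type, subtype and message-id digits as the field tables describe, and checks that the log_id type code agrees with the type= field. The sample lines are the traffic and web filter examples from this guide with the PDF's curly quotes left in, and the type-code map is derived from this guide's examples only.

```python
"""Parser for the FortiOS 4.0 MR1 key=value log messages explained in this guide.

Added example, not Fortinet code. A message is a run of key=value fields; the
first ten (date, time, devname, device_id, log_id, type, subtype, pri, vd, fwver)
are the header, the rest is the body specific to that log type and subtype.
"""
import re
from typing import Dict, Tuple

HEADER_FIELDS = ("date", "time", "devname", "device_id", "log_id",
                 "type", "subtype", "pri", "vd", "fwver")

# Log type codes (first two digits of log_id), derived only from the example
# messages in this guide (traffic 00, event 01, virus 02, webfilter 03, ...).
TYPE_CODES = {"00": "traffic", "01": "event", "02": "virus", "03": "webfilter",
              "04": "ips", "05": "emailfilter", "06": "contentlog"}

# The PDF renders quotes as curly characters; normalise them before tokenising.
_CURLY = str.maketrans({"\u201c": '"', "\u201d": '"'})

# key=value where value is a double-quoted string (may contain spaces) or a run
# of non-blank characters such as 80/tcp or GUI(172.16.24.144).
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The leading timestamp carries no key; the guide presents it as date and time.
_STAMP = re.compile(r"(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (.*)$", re.S)


def parse_log_message(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, body) dicts; raise ValueError if the header is incomplete."""
    m = _STAMP.match(line.translate(_CURLY).strip())
    if not m:
        raise ValueError("message must start with 'yyyy-mm-dd hh:mm:ss'")
    fields = {"date": m.group(1), "time": m.group(2)}
    for tok in _TOKEN.finditer(m.group(3)):
        key = tok.group(1)
        # The attack log example in this guide spells the unit name dev_name=.
        if key == "dev_name":
            key = "devname"
        fields[key] = tok.group(2) if tok.group(2) is not None else tok.group(3)
    missing = [k for k in HEADER_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"incomplete header, missing {missing}")
    header = {k: fields[k] for k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return header, body


def decode_log_id(log_id: str) -> Dict[str, str]:
    """Split a ten-digit log_id: two digits type, two digits subtype, last five
    digits message id. The fifth digit is not described by the guide, so it is
    returned separately as 'reserved' rather than folded into another part."""
    if len(log_id) != 10 or not log_id.isdigit():
        raise ValueError(f"log_id must be ten digits, got {log_id!r}")
    return {"type_code": log_id[:2], "subtype_code": log_id[2:4],
            "reserved": log_id[4], "message_id": log_id[5:]}


def log_id_matches_type(header: Dict[str, str]) -> bool:
    """True when the type code in log_id agrees with the type= field; a mismatch
    is a sign of a truncated or hand-edited message that should not be trusted."""
    code = decode_log_id(header["log_id"])["type_code"]
    return TYPE_CODES.get(code) == header["type"]


# Constructed samples copied from this guide's traffic and web filter examples.
SAMPLE_TRAFFIC = (
    "2009-06-22 09:24:55 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 "
    "log_id=0021010001 type=traffic subtype=allowed pri=notice vd=root fwver=041000 "
    "SN=613874 duration=120 carrier_ep=N/A user=admin1 group=admingroup policyid=1 "
    "proto=6 service=80/tcp app_type=N/A status=accept src=172.16.135.25 "
    "srcname=172.16.135.25 dst=172.16.25.125 dstname=172.16.25.125 "
    "src_int=\u201dinternal\u201d dst_int=\u201dwan1\u201d sent=825 rcvd=4451 sent_pkt=8 rcvd_pkt=6 "
    "src_port=2504 dst_port=80 vpn=\u201dN/A\u201d tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop"
)
SAMPLE_WEBFILTER = (
    "2009-07-15 11:56:04 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 "
    "log_id=0315093003 type=webfilter subtype=urlfilter pri=information vd=root "
    "fwver=041000 policyid=4 serial=613044 user=\u201duser23\u201d group=\u201dadmingroup\u201d "
    "src=172.16.22.122 sport=2364 src_int=\u201dinternal\u201d dst=\u201d10.10.30.120\u201d dport=80 "
    "dst_int=\u201dwan2\u201d service=\u201dhttp\u201d hostname=\u201da.example.com\u201d "
    "profile=\u201dProtectionProfile_1\u201d status=exempted req_type=\u201dreferral\u201d "
    "url=\u201dexample1.example.com\u201d msg=\u201dURL was exempted because it is in the URL filter list\u201d"
)

if __name__ == "__main__":
    for sample in (SAMPLE_TRAFFIC, SAMPLE_WEBFILTER):
        hdr, body = parse_log_message(sample)
        print(hdr["type"], hdr["subtype"], decode_log_id(hdr["log_id"]),
              "consistent" if log_id_matches_type(hdr) else "MISMATCH")
        print("  body msg/status:", body.get("msg") or body.get("status"))
```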


Traffic log messages

The Traffic log message records all traffic to and through the interfaces on the FortiGate unit. The following is an example of a traffic log message.

2009-06-22 09:24:55 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 log_id=0021010001 type=traffic subtype=allowed pri=notice vd=root fwver=041000 SN=613874 duration=120 carrier_ep=N/A user=admin1 group=admingroup policyid=1 proto=6 service=80/tcp app_type=N/A status=accept src=172.16.135.25 srcname=172.16.135.25 dst=172.16.25.125 dstname=172.16.25.125 src_int=”internal” dst_int=”wan1” sent=825 rcvd=4451 sent_pkt=8 rcvd_pkt=6 src_port=2504 dst_port=80 vpn=”N/A” tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop

date=(2009-06-22) – The year, month and day of when the event occurred in yyyy-mm-dd format.

time=(09:24:55) – The hour, minute and second of when the event occurred in the format hh:mm:ss.

devname=(FGT50B3G06500085) – The name of the FortiGate unit. The name is either the default name (FGT<serial_number>) or the name given by an administrator. The name that appears in this field is the name that appears in Host Name in System > Status in the System Information widget.

device_id=(FGT50B3G06500085) – The serial number of the FortiGate unit.

log_id=(0021010001) – A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message id.

type=(traffic) – The section of the system where the event occurred.

subtype=(allowed) – The subtype of the log message. This represents a policy applied to the FortiGate feature in the firewall policy.

pri=(notice) – The severity level of the event. There are six severity levels to specify. For more information, see “Log severity levels” on page 29.

vd=(root) – The virtual domain where the traffic was logged. In this example, it is the root virtual domain.

fwver=(041000) – The firmware version that was running when the log message was recorded.

SN=(613874) – The session number of the log message.

duration=(120) – The duration of the session, in seconds.

carrier_ep=(N/A) – The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.

user=(admin1) – The name of the user creating the traffic.

group=(admingroup) – The name of the group creating the traffic.

policyid=(1) – The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit will have an index number of zero. For more information, see the Fortinet Knowledge Base article, Firewall policy=0.

proto=(6) – The protocol that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service=(80/tcp) – The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the firewall policy.

app_type=(N/A) – The application or program used. If there was no program used to create the traffic, then it is empty and displays N/A. The following are application types:

• BitTorrent

• eDonkey

• Gnutella

• KaZaa

• Skype

• WinNY

• AIM

• ICQ

• MSN

• Yahoo!

status=(accept) – The status can be either deny or accept depending on the applicable firewall policy.

src=(172.16.135.25) – The source IP address.

srcname=(172.16.135.25) – The source name or the IP address.

dst=(172.16.25.125) – The destination IP address.

dstname=(172.16.25.125) – The destination name or IP address.

src_int=(internal) – The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is “unknown”.

dst_int=(wan1) – The interface where the through traffic goes out to the public network or Internet. For incoming traffic to the firewall, it is “unknown”.

sent=(825) – The total number of bytes sent.

rcvd=(4451) – The total number of bytes received.

sent_pkt=(8) – The total number of packets sent during the session.

rcvd_pkt=(6) – The total number of packets received during the session.

src_port=(2504) – The source port of the TCP or UDP traffic. The source port is zero for other types of traffic.

dst_port=(80) – The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic.

vpn=(N/A) – The name of the VPN tunnel used by the traffic.

tran_ip=(0.0.0.0) – The translated IP address in NAT mode. For transparent mode, it is “0.0.0.0”.

tran_port=(0) – The translated port number in NAT mode. For transparent mode, it is zero (0).

dir_disp=(org) – The direction of the session. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a different direction is taken from the master session.

tran_disp=(noop) – Whether the packet is source NAT translated or destination NAT translated.


Event log messages

The Event log message records all event activity. The following is an example of an event log message that recorded an admin user adding a firewall policy.

2009-06-30 04:15:22 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 log_id=0104032120 type=event subtype=admin pri=notice vd=root fwver=041000 user=admin ui=GUI(172.16.24.144) name=”admin” msg=”Administrator admin edited the settings of administrator admin from GUI(172.16.24.144)”

date=(2009-06-30) – The year, month and day of when the event occurred in yyyy-mm-dd format.

time=(04:15:22) – The hour, minute and second of when the event occurred in the format hh:mm:ss.

devname=(FGT50B3G06500085) – The name of the FortiGate unit. The name is either the default name (FGT<serial_number>) or the name given by an administrator. The name that appears in this field is the name that appears in Host Name in System > Status in the System Information widget.

device_id=(FGT50B3G06500085) – The serial number of the FortiGate unit.

log_id=(0104032120) – A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message id.

type=(event) – The section of the system where the event occurred.

subtype=(admin) – The subtype of the log message. This represents a policy applied to the FortiGate feature in the firewall policy.

pri=(notice) – The severity level of the event. There are six severity levels to specify. For more information, see “Log severity levels” on page 29.

vd=(root) – The virtual domain where the event was logged.

fwver=(041000) – The firmware version that was running when the log message was recorded.

user=(“admin”) – The user’s admin profile, usually an administration user. In this example, the admin administrator edited the settings of the administrator admin.

ui=(GUI(172.16.24.144)) – The interface where this particular event occurred, along with the IP address of that interface. The ui field includes GUI, CLI, console, and LCD.

name=(“admin”) – The user who created the traffic.

msg=(“Administrator admin edited the settings of administrator admin from GUI(172.16.24.144)”) – Explains the activity or event that the FortiGate unit recorded. In this example, an administrator edited the settings of the administrator admin from the web-based manager.


DLP Archive logs

The DLP Archive log message provides information concerning logs that are archived on the FortiAnalyzer unit.

The following is an example of a DLP archive web log message:

2009-07-10 11:19:36 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 log_id=0624000000 type=contentlog subtype=HTTP pri=information vd=root fwver=041000 SN=613874 user=user1 group=usergroup carrier_ep=N/A cat=N/A cat_desc=N/A 3:240060590:0:172.16.25.142<->172.25.124.133:clean:401/4203: GET 172.25.124.133/favicon.ico

date=(2009-07-10) – The year, month and day of when the event occurred in yyyy-mm-dd format.

time=(11:19:36) – The hour, minute and second of when the DLP archive logged the event.

devname=(FGT50B3G06500085) – The name of the FortiGate unit. The name is either the default name (FGT<serial_number>) or the name given by an administrator. The name that appears in this field is the name that appears in Host Name in System > Status in the System Information widget.

device_id=(FGT50B3G06500085) – The serial number of the FortiGate unit.

log_id=(0624000000) – A number identifying the log message. In the above example, 06 identifies the log as the DLP archive log and 24 identifies the DLP archive log as a web archive log message.

type=(contentlog) – The type of log. The log types are traffic, event, attack, antivirus, web filter, and spam filter.

subtype=(HTTP) – The subtype of the DLP archive. In this example, it is web because the subtype is HTTP.

pri=(information) – The severity or priority level of the event. For more information, see “Log severity levels” on page 29.

vd=(root) – The virtual domain where the traffic was logged.

fwver=(041000) – The firmware version that was running when the log message was recorded.

SN=(613874) – The session number of the log message.

user=(“user1”) – The name of the user creating the traffic.

group=(“usergroup”) – The name of the group creating the traffic.

carrier_ep=(N/A) – The FortiOS Carrier end-point identification. For example, it displays the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.

cat=(N/A) – The FortiGuard web site category number.

cat_desc=(N/A) – The name of the FortiGuard web site category.

content log version: (3) – The content log version number.

timestamp: (240060590) – The time of the recorded DLP archive log.

serial number: (0) – The session number of the DLP archive log.

client IP: (172.16.25.142) – The IP address of the client.

server IP: (172.25.124.133) – The IP address of the server the content came from.

HTTP status: (clean) – Indicates the status of the HTTP content. This can be any one of the following:

• clean

• infected

• heuristic

• banned_word

• blocked

• exempt

• oversize

number of bytes from client: (401) – The number of bytes that were received from the client.

number of bytes from server: (4203) – The number of bytes that were received from the server.

HTTP command: (GET) – The type of HTTP command used. In this example, it was the GET command.

url=(172.25.124.133/favicon.ico) – The URL address of the web site that was accessed.


Antivirus log messages

The Antivirus log records virus incidents in Web, FTP, and email traffic. The following is an example of an antivirus log message.

2009-07-26 02:25:01 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 log_id=0213066000 type=virus subtype=oversize pri=notice vd=root fwver=041000 policyid=1 serial=110961 user=“user23” group=“admingroup” src=172.16.22.122 sport=1254 src_int=“port1” dst=10.10.25.1 dport=80 dst_int=”wan1” profile=“Profile_Office” service=“http” agent=“n/a” status=“passthrough” url=“http://172.16.25.124/finance/finance_headquarters/headquarters_pic1.png” ref=“n/a” msg=“File exceeds size limit.”

date=(2009-07-26) – The year, month and day of when the event occurred in yyyy-mm-dd format.

time=(02:25:01) – The hour, minute and second of when the event occurred in the format hh:mm:ss.

devname=(FGT50B3G06500085) – The name of the FortiGate unit. The name is either the default name (FGT<serial_number>) or the name given by an administrator. The name that appears in this field is the name that appears in Host Name in System > Status in the System Information widget.

device_id=(FGT50B3G06500085) – The serial number of the FortiGate unit.

log_id=(0213066000) – A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message ID.

type=(virus) – The section of the system where the event occurred.

subtype=(oversize) – The subtype of the log message. This represents a policy applied to the FortiGate feature in the firewall policy.

pri=(notice) – The severity level of the event. For more information, see “Log severity levels” on page 29.

vd=(root) – The virtual domain where the event originated from.

fwver=(041000) – The firmware version that was running when the log message was recorded.

policyid=(1) – The firewall policy identification number.

serial=(110961) – The serial number of the log.

user=(“user23”) – The name of the user creating the traffic.

group=(“admingroup”) – The name of the group creating the traffic.

src=(172.16.22.122) – The source IP address.

sport=(1254) – The source port where the traffic is originating from.

src_int=(“port1”) – The interface of the source. In this example, the source interface is the internal interface of the FortiGate unit.

dst=(10.10.25.1) – The destination IP address.

dport=(80) – The destination port where the traffic is going to.

dst_int=(“wan1”) – The interface of the destination. In this example, the destination interface is the external interface of the FortiGate unit.

profile=(“Profile_Office”) – The protection profile associated with the firewall policy that the traffic used when the log message was recorded.

service=(“http”) – The service where the activity or event occurred, whether it was on a web page using HTTP or HTTPS. The service field can have the protocols HTTP, FTP or SMTP.

agent=(“n/a”) – This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.

status=(“passthrough”) – The action the FortiGate unit took when the event occurred.

url=(“http://172.16.25.124/finance/finance_headquarters/headquarters_pic1.png”) – The URL address of where the file was acquired.

ref=(“n/a”) – The URL reference that gives more information about the virus. If you enter the URL in your web browser’s address bar, the URL directs you to the specific page that contains information about the virus.

msg=(“File exceeds size limit.”) – Explains the activity or event that the FortiGate unit recorded. In this example, the file that was downloaded from the web site exceeded the specified size limit.


WebFilter log messages

The Webfilter log messages record HTTP FortiGuard log rating errors, including web content blocking actions that the FortiGate unit performs. The following is an example of a Web filter log message.

2009-07-15 11:56:04 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 log_id=0315093003 type=webfilter subtype=urlfilter pri=information vd=root fwver=041000 policyid=4 serial=613044 user=”user23” group=”admingroup” src=172.16.22.122 sport=2364 src_int=”internal” dst=”10.10.30.120” dport=80 dst_int=”wan2” service=”http” hostname=”a.example.com” profile=”ProtectionProfile_1” status=exempted req_type=”referral” url=”example1.example.com” msg=”URL was exempted because it is in the URL filter list”

date=(2009-07-15) – The year, month and day of when the event occurred in yyyy-mm-dd format.

time=(11:56:04) – The hour, minute and second of when the event occurred in the format hh:mm:ss.

devname=(FGT50B3G06500085) – The name of the FortiGate unit. The name is either the default name (FGT<serial_number>) or the name given by an administrator. The name that appears in this field is the name that appears in Host Name in System > Status in the System Information widget.

device_id=(FGT50B3G06500085) – The serial number of the FortiGate unit.

log_id=(0315093003) – A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message ID.

type=(webfilter) – The section of the system where the event occurred.

subtype=(urlfilter) – The subtype of the log message. This represents a policy applied to the FortiGate feature in the firewall policy.

pri=(information) – The severity level of the event. For more information, see “Log severity levels” on page 29.

vd=(root) – The virtual domain where the event was logged.

fwver=(041000) – The firmware version that was running when the log message was recorded.

policyid=(4) – The firewall policy identification number.

serial=(613044) – The serial number of the log ID.

user=(“user23”) – The name of the user creating the traffic.

group=(“admingroup”) – The group name of the user creating the traffic.

src=(172.16.22.122) – The source IP address.

sport=(2364) – The source port number.

src_int=(“internal”) – The name of the source interface. In this example, the source interface is the internal interface of the FortiGate unit.

dst=(10.10.30.120) – The destination IP address.

dport=(80) – The destination port number.

dst_int=(“wan2”) – The name of the destination interface. In this example, the destination interface is the external interface of the FortiGate unit.

service=(“http”) – The service where the event or activity occurred.

hostname=(“a.example.com”) – The name of the web site accessed.

profile=(“ProtectionProfile_1”) – The protection profile that was used with the firewall policy.

status=(exempted) – The status of the action taken when the event occurred. In this example, the URL was exempted.

req_type=(“referral”) – The type of request, which can be one of the following:

referral – The HTTP transaction was requested from a parent web site, such as by selecting a link on a web page.

direct – A direct connection to a web page, such as typing in the URL address manually.

url=(“example1.example.com”) – The URL of the web site.

msg=(“URL was exempted because it is in the URL filter list.”) – Explains the activity or event that the FortiGate unit recorded. In this example, the URL is exempted since that URL is specified as exempt in the URL filter list.


Attack log messages

The Attack log messages record all attacks that occur against your network. These log messages also contain links to the Fortinet Vulnerability Encyclopedia where you can better assess the attack. When viewing these log messages from Log&Report > Remote, you can view the packet log that is associated with an attack log message.

The following is an example of an attack log message.

2009-07-22 19:02:11 dev_name=FGT50B3G06500085 device_id=FGT50B3G06500085 log_id=0419070000 type=ips subtype=signature pri=alert vd=root fwver=041000 policyid=2 serial=581265 attack_id=13707 severity=high carrier_ep=N/A profile=N/A sensor=”all_default_pass” src=172.16.22.122 dst=10.10.20.10 src_port=52903 dst_port=139 src_int=”wan1” dst_int=”internal” status=detected proto=6 service=139/tcp user=user55 group=usergroup_1 ref=”http://www.fortinet.com/ids/VID13707” count=1 incident_serialno=86324148 msg=”netbios:MS.Network.Share.Provider.Unchecked.Buffer.DoS”

date=(2009-07-22) – The year, month and day of when the event occurred in yyyy-mm-dd format.

time=(19:02:11) – The hour, minute and second of when the event occurred in the format hh:mm:ss.

devname=(FGT50B3G06500085) – The name of the FortiGate unit. The name is either the default name (FGT<serial_number>) or the name given by an administrator. The name that appears in this field is the name that appears in Host Name in System > Status in the System Information widget.

device_id=(FGT50B3G06500085) – The serial number of the FortiGate unit.

log_id=(0419070000) – A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message ID.

type=(ips) – The part of the system where the event occurred.

subtype=(signature) – The subtype of the log message.

pri=(alert) – The severity level of the event. For more information, see “Log severity levels” on page 29.

vd=(root) – The virtual domain where the event was logged.

fwver=(041000) – The firmware version that was running when the log message was recorded.

policyid=(2) – The firewall policy identification number.

serial=(581265) – The serial number of the log message.

attack_id=(13707) – The identification number of the attack log message.

severity=(high) – The specified severity level of the attack.

carrier_ep=(N/A) – The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.

profile=(N/A) – The protection profile associated with the firewall policy that the traffic used when the log message was recorded.

sensor=(“all_default_pass”) – The sensor that was used.

src=(172.16.22.122) – The source IP address.

dst=(10.10.20.10) – The destination IP address.

src_port=(52903) – The source port number.

dst_port=(139) – The destination port number.

src_int=(“wan1”) – The name of the source interface.

dst_int=(“internal”) – The name of the destination interface.

status=(detected) – The status of the action the FortiGate unit took when the event occurred. In this example, the FortiGate unit detected an attack.

proto=(6) – The protocol of the event.

service=(139/tcp) – The service where the event or activity occurred.

user=(user55) – The name of the user creating the traffic.

group=(usergroup_1) – The name of the group creating the traffic.

ref=(“http://www.fortinet.com/ids/VID13707”) – The reference URL of where to find more information about the attack.

count=(1) – The number of times that attack was detected within a short period of time. This is useful when the attacks are DoS attacks.

incident_serialno=(86324148) – The unique ID for this attack. This number is used for cross-referencing IPS packet logs.

msg=(“netbios:MS.Network.Share.Provider.Unchecked.Buffer.DoS”) – Explains the activity or event that the FortiGate unit recorded. In this example, an attack occurred that could have caused a system crash.

48

Logging and reporting in FortiOS 4.0 User Guide

01-410-82625-20090824

http://docs.fortinet.com/

Feedback

Antispam log messages

The antispam log messages record blocking of email address patterns and content in SMTP, IMAP and POP3 traffic. The following is an example of an antispam log message.

2009-06-20 10:19:04 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 log_id=0509083003 type=emailfilter subtype=pop3 pri=notice vd=root fwver=041000 policyid=1 serial=511989 user="N/A" group="N/A" src=172.16.130.25 sport=1874 src_int="internal" dst=192.168.39.8 dport=110 dst_int="wan2" service="pop3" profile="Profile_1" status="detected" from="[email protected]" to="[email protected]" msg="from email address is in email blacklist.(no.4 pattern matched)"

date=(2009-06-20)
    The year, month and day of when the event occurred in yyyy-mm-dd format.

time=(10:19:04)
    The hour, minute and second of when the event occurred in the format hh:mm:ss.

devname=(FGT50B3G06500085)
    The name of the FortiGate unit. The name is either the default name (FGT<serial_number>) or the name given by an administrator. The name that appears in this field is the name that appears in Host Name in System > Status in the System Information widget.

device_id=(FGT50B3G06500085)
    The serial number of the FortiGate unit.

log_id=(0509083003)
    A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message ID.

type=(emailfilter)
    The section of the system where the event occurred.

subtype=(pop3)
    The subtype of the log message. This represents a policy applied to the FortiGate feature in the firewall policy.

pri=(notice)
    The severity level of the event. For more information, see "Log severity levels" on page 29.

vd=(root)
    The virtual domain where the event was logged.

fwver=(041000)
    The firmware version that was running when the log message was recorded.

policyid=(1)
    The firewall policy identification number.

serial=(511989)
    The serial number of the log.

user=("N/A")
    The name of the user creating the traffic.

group=("N/A")
    The name of the group creating the traffic.

src=(172.16.130.25)
    The source IP address.

sport=(1874)
    The source port.

src_int=("internal")
    The name of the source interface.

dst=(192.168.39.8)
    The destination IP address.

dport=(110)
    The destination port.

dst_int=("wan2")
    The name of the destination interface.

service=("pop3")
    The service where the event or activity occurred.

profile=("Profile_1")
    The protection profile associated with the firewall policy that the traffic used when the log message was recorded.

status=("detected")
    The action the FortiGate unit took when the attack occurred.

from=("[email protected]")
    The sender's email address.

to=("[email protected]")
    The receiver's email address.

msg=("from email address is in email blacklist.(no.4 pattern matched)")
    Explains the activity or event that the FortiGate unit recorded. In this example, the sender's email address is in the blacklist and matches the fourth email address in that list.

50

Logging and reporting in FortiOS 4.0 User Guide

01-410-82625-20090824

http://docs.fortinet.com/

Feedback

DLP log message

The Data Leak Prevention log messages record events in which data may be leaking out of or entering your network. The following is an example of a data leak prevention log message.

2009-07-15 12:22:36 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 log_id=0954110000 type=dlp subtype=dlp pri=notice vd=root fwver=041000 policyid=1 serial=613874 user="user1" group="admingroup" src=172.16.20.144 sport=2504 src_int="internal" dst=172.16.152.255 dport=80 dst_int="wan2" service="http" status="detected" hostname="172.16.152.255" url="example.com" from="[email protected]" to="[email protected]" msg="data leak detected(Data Leak Prevention Rule matched)" rulename="All-HTTP" action="log-only" severity="1"

date=(2009-07-15)
    The year, month and day of when the event occurred in yyyy-mm-dd format.

time=(12:22:36)
    The hour, minute and second of when the event occurred in the format hh:mm:ss.

devname=(FGT50B3G06500085)
    The name of the FortiGate unit. The name is either the default name (FGT<serial_number>) or the name given by an administrator. The name that appears in this field is the name that appears in Host Name in System > Status in the System Information widget.

device_id=(FGT50B3G06500085)
    The serial number of the FortiGate unit.

log_id=(0954110000)
    A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message ID.

type=(dlp)
    The section of the system where the event occurred.

subtype=(dlp)
    The subtype of the log message.

pri=(notice)
    The severity level of the event. For more information, see "Log severity levels" on page 29.

vd=(root)
    The virtual domain where the event was logged.

fwver=(041000)
    The firmware version that was running when the log message was recorded.

policyid=(1)
    The firewall policy identification number.

serial=(613874)
    The serial number of the log.

user=("user1")
    The name of the user creating the traffic.

group=("admingroup")
    The name of the user group creating the traffic.

src=(172.16.20.144)
    The source IP address.

sport=(2504)
    The source port.

src_int=("internal")
    The name of the source interface.

dst=(172.16.152.255)
    The destination IP address.

dport=(80)
    The destination port.

dst_int=("wan2")
    The name of the destination interface.

service=("http")
    The service where the event or activity occurred.

status=("detected")
    The action the FortiGate unit took when the attack occurred.

hostname=("172.16.152.255")
    The host name. In this example it is an IP address.

url=("example.com")
    The URL address of the web site that was visited.

from=("[email protected]")
    The sender's email address.

to=("[email protected]")
    The receiver's email address.

msg=("data leak detected(Data Leak Prevention Rule matched)")
    Explains the activity or event that the FortiGate unit recorded. In this example, the data leak that was detected matched the rule All-HTTP in the DLP sensor.

rulename=("All-HTTP")
    The name of the rule within the DLP sensor.

action=("log-only")
    The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only.

severity=("1")
    The level of severity for the specified rule.

52

Logging and reporting in FortiOS 4.0 User Guide

01-410-82625-20090824

http://docs.fortinet.com/

Feedback

Application control log message

The application control log messages record IM, P2P and VoIP activity. This log file also records some IPS activities. The following is an example of an application control log message.

2009-07-13 13:55:23 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 log_id=1059116020 type=app-crtl subtype=app-crtl-all pri=notice vd=root fwver=041000 user="user23" group="admingroup" carrier_ep="N/A" kind=N/A profile="N/A" dir=N/A src=172.16.23.99 src_port=443 src_int="wan1" dst=10.10.20.1 dst_port=2524 dst_int="internal" src_name="172.16.23.99" dst_name="10.10.20.1" proto=6 service="2524/tcp" policyid=1 serial=613935 app_list="App_1" app_type="N/A" app="Unknown Application" action=pass count=1 msg=":Unknown Application"

date=(2009-07-13)
    The year, month and day of when the event occurred in yyyy-mm-dd format.

time=(13:55:23)
    The hour, minute and second of when the event occurred in the format hh:mm:ss.

devname=(FGT50B3G06500085)
    The name of the FortiGate unit. The name is either the default name (FGT<serial_number>) or the name given by an administrator. The name that appears in this field is the name that appears in Host Name in System > Status in the System Information widget.

device_id=(FGT50B3G06500085)
    The serial number of the FortiGate unit.

log_id=(1059116020)
    A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last five digits are the message ID.

type=(app-crtl)
    The section of the system where the event occurred.

subtype=(app-crtl-all)
    The subtype of the log message. This represents a policy applied to the FortiGate feature in the firewall policy.

pri=(notice)
    The severity level of the event. For more information, see "Log severity levels" on page 29.

vd=(root)
    The virtual domain where the event was logged.

fwver=(041000)
    The firmware version that was running when the log message was recorded.

user=("user23")
    The name of the user creating the traffic.

group=("admingroup")
    The name of the group creating the traffic.

carrier_ep=("N/A")
    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.

kind=(N/A)
    The type of operation which triggered the action. This can be any one of the following:

    • login
    • chat
    • file
    • photo
    • audio
    • call
    • regist
    • unregister
    • call-block
    • request
    • response

profile=("N/A")
    The protection profile associated with the firewall policy that the traffic used when the log message was recorded.

dir=(N/A)
    The direction of the traffic that triggered the action, which can be incoming, outgoing, N/A, or unknown.

src=(172.16.23.99)
    The source IP address.

src_port=(443)
    The source port.

src_int=("wan1")
    The name of the source interface.

dst=(10.10.20.1)
    The destination IP address.

dst_port=(2524)
    The destination port.

dst_int=("internal")
    The name of the destination interface.

src_name=("172.16.23.99")
    The name of the source.

dst_name=("10.10.20.1")
    The name of the destination.

proto=(6)
    The protocol that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).

service=("2524/tcp")
    The service where the event or activity occurred.

policyid=(1)
    The firewall policy identification number.

serial=(613935)
    The serial number of the application control log message, as in the DLP log message.

app_list=("App_1")
    The name of the application control list that triggered the action.

app_type=("N/A")
    The type of application that triggered the action within the control list.

app=("Unknown Application")
    The name of the application that triggered the action within the control list.

action=(pass)
    The action that was taken by the application control engine. This can be any one of the following:

    • pass
    • block
    • monitor
    • kickout
    • encrypt-kickout
    • reject
    • unknown

count=(1)
    The number of times the same event was detected within a short period of time.

msg=(":Unknown Application")
    Explains the activity or event that the FortiGate unit recorded. In this example, the application control list App_1 detected an unknown application.
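As an added worked example (not code from this guide or from Fortinet), the following Python parses key=value log messages of the kind shown in the antispam, DLP and application control sections above, splits log_id the way the guide describes it, and picks out the messages an operator would review. The three sample lines are constructed from the guide's examples with made-up e-mail addresses; the field names, status values and application control action values are the ones documented here, and the treatment of the fifth log_id digit as "other" is an assumption, since the guide documents only nine of the ten digits.

```python
"""Parse FortiOS 4.0 MR1 key=value log messages and split the log_id field."""
import re
from collections import Counter

# Constructed sample messages shaped like the antispam, DLP and application
# control examples in this guide. The e-mail addresses are made up; the
# other values follow the guide's examples.
SAMPLE_LOGS = [
    '2009-06-20 10:19:04 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 '
    'log_id=0509083003 type=emailfilter subtype=pop3 pri=notice vd=root '
    'fwver=041000 policyid=1 serial=511989 user="N/A" group="N/A" '
    'src=172.16.130.25 sport=1874 src_int="internal" dst=192.168.39.8 '
    'dport=110 dst_int="wan2" service="pop3" profile="Profile_1" '
    'status="detected" from="sender@example.com" to="user@example.com" '
    'msg="from email address is in email blacklist.(no.4 pattern matched)"',
    '2009-07-15 12:22:36 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 '
    'log_id=0954110000 type=dlp subtype=dlp pri=notice vd=root fwver=041000 '
    'policyid=1 serial=613874 user="user1" group="admingroup" '
    'src=172.16.20.144 sport=2504 src_int="internal" dst=172.16.152.255 '
    'dport=80 dst_int="wan2" service="http" status="detected" '
    'hostname="172.16.152.255" url="example.com" from="user1@example.com" '
    'to="user2@example.com" msg="data leak detected(Data Leak Prevention '
    'Rule matched)" rulename="All-HTTP" action="log-only" severity="1"',
    '2009-07-13 13:55:23 devname=FGT50B3G06500085 device_id=FGT50B3G06500085 '
    'log_id=1059116020 type=app-crtl subtype=app-crtl-all pri=notice vd=root '
    'fwver=041000 user="user23" group="admingroup" carrier_ep="N/A" kind=N/A '
    'profile="N/A" dir=N/A src=172.16.23.99 src_port=443 src_int="wan1" '
    'dst=10.10.20.1 dst_port=2524 dst_int="internal" proto=6 '
    'service="2524/tcp" policyid=1 serial=613935 app_list="App_1" '
    'app_type="N/A" app="Unknown Application" action=pass count=1 '
    'msg=":Unknown Application"',
]

# One key=value pair: the value is either double-quoted (may contain spaces
# and parentheses) or a bare token with no whitespace.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# The examples in this guide begin with an unkeyed date and time.
_LEADING_TS = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) ')


def parse_log_line(line):
    """Return the message as a dict of field name -> value, quotes removed.

    An unkeyed leading "yyyy-mm-dd hh:mm:ss" is stored as 'date' and 'time';
    messages that carry explicit date= and time= keys work through the
    ordinary pair scan.
    """
    fields = {}
    m = _LEADING_TS.match(line)
    if m:
        fields["date"], fields["time"] = m.group(1), m.group(2)
        line = line[m.end():]
    for key, quoted, bare in _PAIR.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def split_log_id(log_id):
    """Split a ten-digit log_id as this guide describes it.

    The first two digits are the log type, the next two the log subtype and
    the last five the message ID. That accounts for nine digits; the fifth
    digit is not explained in this guide, so it is returned as 'other'
    (an assumption of this example) rather than given a meaning.
    """
    if len(log_id) != 10 or not log_id.isdigit():
        raise ValueError("log_id must be ten digits: %r" % log_id)
    return {
        "type": log_id[0:2],
        "subtype": log_id[2:4],
        "other": log_id[4],
        "msg_id": log_id[5:],
    }


# Application control actions from this guide that mean the traffic was
# stopped or the session ended, as opposed to pass, monitor or unknown.
BLOCKING_ACTIONS = {"block", "reject", "kickout", "encrypt-kickout"}


def triage(lines):
    """Count messages per (type, subtype) and pick out the ones to review.

    A message is flagged when status is "detected" (antispam, DLP and attack
    logs) or when the application control action is a blocking one.
    """
    per_type = Counter()
    flagged = []
    for line in lines:
        f = parse_log_line(line)
        per_type[(f.get("type"), f.get("subtype"))] += 1
        if f.get("status") == "detected" or f.get("action") in BLOCKING_ACTIONS:
            flagged.append({
                "date": f.get("date"), "time": f.get("time"),
                "type": f.get("type"), "src": f.get("src"), "dst": f.get("dst"),
                "msg": f.get("msg", ""),
            })
    return per_type, flagged


if __name__ == "__main__":
    counts, events = triage(SAMPLE_LOGS)
    for (ltype, lsub), n in sorted(counts.items()):
        print("%-12s %-14s %d" % (ltype, lsub, n))
    for e in events:
        print(e["date"], e["time"], e["type"], e["src"], "->", e["dst"], e["msg"])
```

The quoted/bare distinction in the regular expression matters because msg values carry spaces and parentheses, while fields such as src and count are bare; a naive split on whitespace would break the msg text apart. The same parser accepts the attack log fields described earlier in this chapter (src_port, ref, incident_serialno and so on), since they use the same key=value layout.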


Configuring reports in FortiOS 4.0

You can configure a variety of reports in FortiOS 4.0 and higher. Reports help you to better analyze the activity that is occurring on your network by using graphs or tables. In FortiOS 4.0 MR1, you can configure reports from logs stored on an SQL database.

This chapter contains the following sections:

Configuring reports

Viewing FortiAnalyzer reports

Note: You can configure reports from logs stored on a FortiAnalyzer unit, FortiGate system memory, or an SQL database. Configuring reports from other log devices, such as a Syslog server, is not supported.

Configuring reports

A report is a collection of log information, which is then displayed in the report in the form of text, graphs and tables. This provides a clear, concise overview of the activities on your network without manually going through large amounts of log messages.

If you have configured logging to a FortiAnalyzer unit, you will only be able to configure a report schedule on the FortiGate side. You need to verify with the FortiAnalyzer administrator that a report layout is available for you to use with the report schedule; a report schedule requires a report layout.

If you have configured logging to an SQL database, you can configure report widgets which are very similar to the Top Viruses or Traffic History widgets that display on System > Dashboard. You cannot customize the type of graph or table that appears in the report widget.

Configuring basic traffic reports (FortiGate system memory only)

If a FortiGate unit is collecting logs in its system memory, you can configure and then view a basic traffic report in Log & Report > Report Access > Memory. These reports get log information from various system memory logs, such as VoIP and accessed web sites.


Figure 4: A basic traffic report displaying only Browsing, DNS and Email log information over the last three days

When you go to the Memory page, two reports appear on the page, Bandwidth Protocols and Top Protocols Ordered by Total Volume. The first report, Bandwidth Protocols, is the report that you can configure. The second report, Top Protocols Ordered by Total Volume, displays traffic volume and does not update when you configure the Bandwidth Protocols report. When you go to another page in the web-based manager, the settings on the Memory page go back to the default; the basic traffic report that you configured is not saved in the FortiGate unit's system memory.

To configure a basic traffic report, go to Log&Report > Report Access > Memory, and select a time period from the Time Period list. Select the check boxes beside the options (such as Email) that you do not want included in the graph, and then select Apply.


Figure 5: Default basic report on the Memory page


Time Period
    Select a time range to view for the graphical analysis. You can choose from one day, three days, one week, or one month. The default is 1 day. When you refresh your browser or go to a different menu, the settings revert to the default.

Services
    By default all services are selected. When you refresh your browser or go to a different menu, all services revert to the default settings. Clear the check boxes beside the services you do not want to include in the graphical analysis:

    • Browsing
    • DNS
    • Email
    • FTP
    • Gaming
    • Instant Messaging
    • Newsgroups
    • P2P
    • Streaming
    • TFTP
    • VoIP
    • Generic TCP
    • Generic UDP
    • Generic ICMP
    • Generic IP

Bandwidth Per Service
    This bar graph is based on the services you select, and is updated when you select Apply. The graph is based on the current date and time.

Top Protocols Ordered by Total Volume
    This bar graph displays the traffic volume for various protocols, in decreasing order of volume. The bar graph does not update when you select different Services and then select Apply.

Note: The data used to present the information for the basic traffic report is erased when the FortiGate unit is reset or rebooted.

Configuring FortiAnalyzer reports

FortiAnalyzer reports are configured on a FortiAnalyzer unit; however, you can configure a report schedule from the FortiGate unit in Log&Report > Report Config > Schedule. You need to have a report layout when configuring a report schedule. Report layouts are configured only on the FortiAnalyzer unit.

If you want to configure a report schedule based on another report schedule, you can clone the report schedule. Cloning a report schedule produces a duplicate of the original, which you then edit to create the new schedule.

To configure a report schedule, go to Log&Report > Report Config > Schedule, select Create New, and enter the information needed for that report schedule. Generating the report may take some time, depending on the amount of log data needed and whether other reports are being generated on the FortiAnalyzer unit.

To clone a report schedule, go to Log&Report > Report Config > Schedule, select Clone in the same row as the report schedule that will be the basis of the new report schedule, and then rename it; for example, CloneOfFGT_50B. Enter the information for that schedule and then select OK.


Figure 6: Configuring a report schedule

General report schedule settings

Create New
    Select to create a new report schedule.

Name
    The name of the report schedule.

Description
    A comment or note that describes the report schedule. This is optional.

Report Layout
    The report layout that will be used when the report is generated.

Schedule
    The time period specified for when the report is generated. For example, the report schedule report_june will be generated only once.

Configuration settings for report schedule

Name
    Enter a name for the schedule.

Description
    Enter a description for the schedule. This is optional.

Report Layout
    Select a configured report layout from the list. You must apply a report layout to a report schedule.

Language
    Select a language from the list.

Schedule
    Select one of the following to have the report generated only once, daily, weekly, or monthly at a specified date or time period.

Once
    Select to have the report generated only once.

Daily
    Select to generate the report every day of the week at the same time. Select the time from the hour list and minute list in Time.

Weekly
    Select to generate the report on specified days of the week. Select the check box beside each day of the week you want the report to generate on. Select the time from the hour list and minute list in Time.

Monthly
    Select to generate the report on a monthly basis. Enter the dates in the field provided; for example, if you want the report to generate on the 1st day and the 15th day of the month, enter 1, 15.


Log Data Filtering
    You can specify the variables that were selected in the charts when the report layout (that you are using for this report schedule) was configured.

Virtual Domain
    Select to create a report based on virtual domains. Enter a specific virtual domain to include in the report. If you want to include multiple virtual domains, use a comma between each.

User
    Select to create a report based on a network user. Enter the user or users, separated by a comma, in the field.

Group
    Select to create a report based on a group of network users that are defined locally. Enter the name of the group or groups, separated by a comma, in the field.

Time Period
    The time period of the log files that will be used for the report:

    • Relative to report run-time – select to specify the time period of the log files that will be used for the report.
    • Specify – specify the start and end dates (year, date, month and time period) of the log files that will be used for the report.

Output
    Select the check box beside the type of file format that you want the report to be in when it is generated. You can choose from PDF, MS Word, Text (TXT), and MHT.

Configuring SQL database reports

If you have configured logging to a FortiGate unit’s SQL database, you can create reports from those logs. SQL database reports appear on the Execute Summary page and are represented as widgets. You cannot customize the type of chart, such as bar or pie, but you can customize what column the widget displays in, such as the second column.

Figure 7: Adding a report widget to the Execute Summary page

+ Add Widget
    Select to add a report widget to the Execute Summary page. You can only add one report widget at a time.

Widgets
    The list of available report widgets.

Schedule
    The type of time period used.

    • If you select Daily, you need to configure the hour at which the report widget will gather the information and generate the output.
    • If you select Weekly, you need to configure the day of the week and the hour at which the report widget will gather the information and generate the output.

Daily
    Select to configure the hour at which the report widget will generate the output. Hours are in the 24-hour format.

Weekly
    Select to configure the day of the week and the hour of the day at which the report widget will generate the output. Hours are in the 24-hour format.

Display Column
    Select one of the following to customize which column contains the information:

First Column
    The widget will display in the first column, which is located on the left side of the page beside the menus. By default, the first column is selected.

Second Column
    Select to have the widget display in the second column, on the right side of the page.

To configure an SQL database report

1 Go to Log&Report > Report Access > Execute Summary.

2 Select + Add Widget.

3 In Add New Widgets to Report Summary, select a report widget from the Widgets list.
  Certain report widgets only display a table and others only display a graph. You cannot customize the type of graph that displays.

4 Select OK.
  The report widget appears on the Execute Summary page.

5 Repeat steps 2 to 4 until all of the report widgets that you need on the Executive Summary page are configured.

Viewing FortiAnalyzer reports

After the FortiAnalyzer unit generates the report, it appears on the Report Access page.

All reports are listed on the page, including the rolled reports. A list displays the generated report schedules as well as other reports that the FortiAnalyzer unit generated.

From the Report Access page, you can also print a generated FortiAnalyzer report. You may want to print the report to have as hardcopy reference or for a presentation.

To view reports, go to Log&Report > Report Access and select a report name in the Report Files column. You can also select the Expand Arrow to view the rolled reports within the report. After viewing the report, select Historical Reports to return to the list.

To print off a report, go to Log&Report > Report Access, select the report you want printed from the list and then select Print.

Figure 8: Browsing historical reports on the Report Access page


Key Features

  • Logging to system memory
  • Logging to hard disk
  • Logging to FortiAnalyzer
  • Logging to FortiGuard Analysis server
  • Logging to Syslog server
  • Logging to NetIQ WebTrends server
  • Logging to multiple FortiAnalyzer units or Syslog servers

Frequently Asked Questions

How do I configure logging to FortiGate system memory?
Go to Log&Report > Log Config > Log Setting. Expand Local Logging & Archiving. Select the check box beside Memory. Select a log level from the Minimum log level list. Select Apply.
How do I configure logging to FortiGate hard disk?
Go to Log&Report > Log Config > Log Settings. Expand Remote Logging & Archiving to reveal the available options. Select the check box beside Buffer to hard disk and upload. To log to an AMC hard disk, select the check box beside Log to AMC Hard Disk & Upload to FortiAnalyzer.
What is the difference between logging to the FortiGate system memory and the FortiGate hard disk?
The FortiGate system memory has a limited capacity for log messages. The system memory displays recent log entries and stores most log types except traffic and content logs. The FortiGate system memory cannot store traffic and content logs because of their size and frequency of log entries. When the system memory is full, the FortiGate unit overwrites the oldest messages. All log entries stored in system memory are cleared when the FortiGate unit restarts. If your FortiGate unit contains a hard disk, you can configure the FortiGate unit to store logs on the disk.
How do I configure logging to a FortiAnalyzer unit?
Go to Log&Report > Log Config > Log Setting. Expand Remote Logging & Archiving to reveal the available options. Select the check box beside FortiAnalyzer. Select a log level from the Minimum log level list. Select Apply.
How do I configure logging to a FortiGuard Analysis server?
Go to Log&Report > Log Config > Log Setting. Expand Remote Logging & Archiving to reveal the available options. Select the check box beside FortiGuard Analysis Server. Select a log level from the Minimum log level list. Select Apply.
How do I configure logging to a Syslog server?
Go to Log&Report > Log Config > Log Setting. Expand Remote Logging & Archiving to reveal the available options. Select the check box beside Syslog Server. Select a log level from the Minimum log level list. Select Apply.
How do I configure logging to a NetIQ WebTrends server?
Go to Log&Report > Log Config > Log Setting. Expand Remote Logging & Archiving to reveal the available options. Select the check box beside WebTrends Server. Select a log level from the Minimum log level list. Select Apply.
