Logging and Monitoring

Logging Workflow

• FortiGate can store logs locally. 

• Access FortiAnalyzer, check IP address on Fortigate for the Analyzer, Log & Report > Analyzer 

• Log into the FortiAnalyzer > LogView 

Types of Logs

• Traffic 

  • Forward – Contains traffic flow, allow or blocked traffic 

  • Local – Traffic to the FortiGate such as logins 

  • Sniffer 

• Events – System and administration events 

  • Endpoint 

  • High Availability 

  • General System 

  • User 

  • Router 

  • VPN 

  • SD-WAN 

  • WiFI 

  • CIFS 

  • Security Ratings 

  • SDN Connector 

• Security 

  • Application control 

  • Antivirus 

  • DNS Query 

  • File filter 

  • Web filter 

  • Intrusion Prevention 

  • Anomaly 

  • SSL 

  • SSH 

Syslog Severity Levels

• 0 – Emergency 

• 1 – Alert 

• 2 – Critical 

• 3 – Error 

• 4 – Warning 

• 5 – Notification 

• 6 – Informational 

• 7 – Debugging 

Log Format

• Contains the following information: 

  • Type – Specifies the name of the log file such as UTM 

  • Sub-type – Indicates additional info such as web filter. 

  • Level – The severity level 

  • Policy ID – Specifies the firewall policy that's applied to the session 

  • Source IP (srcip) 

  • Destination IP (dstip) 

  • Action – The action taken by the policy 

  • Message 

  • Hostname 

Log Storage 

• Log & Report > Log Settings 

• Fortigate stores logs on the FortiAnalyzer 

• To view some local logs on FortiGate, change view to memory. 

• FortigGate uses 25% for system and 75% for storing logs. 

• Disk – Logging = System Reserved space, # diagnose sys logdisk usage 

• FortiAnalyzer – For long term and dedicated storage of log data. Used for reporting. 

• FortiManager – Used to manage FortiGate appliances. 

• FortiSIEM – Unified event correlation and risk management. 

• FortiCloud – Hosted, subscription based service for long term storage. 

• To configure logging, go to Log & Report > Log Settings 

• FortiGate uses UDP port 514 for log transmission. 

• OFTPS – Encrypts logging 

Enable logging

• Enable logging on a firewall policy for a Security profile to generate log message for that profile. 

• Policy & Objects > Firewall Policy > Security Profiles 

• Always Enable "Log Allowed Traffic" 

• Log Allowed Traffic: Security Events (only security events), All Sessions (for all traffic) 

• If license is expired, the AntiVirus and IPS does not get updates but customer can access the internet. 

• However, if web filtering is enabled and the license is expired, customer will be not be able to access the internet. A workaround, enable Security Profile > Web Filtering > Rating Options > Allow websites when a rating error occurs.  

• Accessing logs, click on Log & Reporting 

• Right-click on an object within a log to create a custom filter for the specific object only. 

• Right-click on a Firewall Policy, then select Show Matching Logs to create a filter for all logs which belongs to the Firewall Policy. 

• Use commands, execute log filter and execute log display to view logs on the CLI. 

Threat Weight 

• Log & Report > Threat Weight: 

  • Risk level values: 

    • Low – 5 

    • Medium – 10 

    • High – 30  

    • Critical – 50  

• View detected Threats, Dashboard > Security