Sunteți pe pagina 1din 19

Logging and Monitoring 7 April 2014

1
2014 Fortinet Inc. All rights reserved.
The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT01-02-50005-E-20131120
Logging and Monitoring
2
Module Overview
Log Severity Levels
Storage Locations
Log types and subtypes
Log Structure and Behavior
Traffic Log
Viewing Log Messages
Reading and Interpreting log messages
Alert Email
and other topics
Logging and Monitoring 7 April 2014
3
Module Objectives
By the end of this module participants will be able to:
State the Purpose of different log types on a FortiGate
Identify the storage location of log information
Navigate the relevant screens for Logging and Monitoring of a FortiGate
Read and Interpret log messages
View and search logs messages
4
Logging and Monitoring
Logging and monitoring are key
elements in maintaining devices
on the network
Monitor network and Internet traffic
Track down and pinpoint problems
Establish baselines
Logging and Monitoring 7 April 2014
5
Log Severity Levels
Administrators define what type of logs are recorded
All log messages have a severity level to help indicate how important
the event is
Emergency = System unstable
Alert = Immediate action required
Critical = Functionality affected
Error = Error exists that can affect functionality
Warning = Functionality could be affected
Notification = Information about normal events
Information = General system information
Debug = Debug log messages
6
Log Storage Locations
Syslog SNMP
Local logging
Remote logging
Memory
FortiAnalyzer
FortiManager
FortiCloud
Hard drive
Logging and Monitoring 7 April 2014
7
Log Storage Locations: FortiAnalyzer/FortiManager
Register
FortiGate
FAZ/FMG has list of Registered(allowed) devices
SSL-secured OFTP used to encrypt communications
FortiAnalyzer/FortiManager
8
FortiAnalyzer/FortiManager: Comparison
FortiManager is a dedicated device designed to Centrally Manage
multiple FortiGate devices
FortiAnalyzer is dedicated device designed for long term storage of log
data
FMG has identical logging and reporting functionality to FAZ, except for 2Gig daily
limit on logs received
Logging and Monitoring 7 April 2014
9
FortiAnalyzer/FortiManager: Configuration
Up to 3 separate FAZ/FMG devices can be configured (CLI)
May be needed for Redundancy
Generating & sending logs requires resources
config log [fortianalyzer|fortianalyzer2|fortianalyzer3] setting
set status enable
eet server x.x.x.x
end
10
Log Storage Locations: FortiCloud
Subscription service
Long term log storage & reporting
FortiGates include 1 month free trial
Links to FortiCare user
Read any documentation on the Website!!
Logging and Monitoring 7 April 2014
11
Log Types and Subtypes
Traffic Log
Forward (Traffic passed/blocked by Firewall policies)
Local (Traffic aimed directly at, or created by the FortiGate device)
Invalid (Log messages about packets considered invalid/malformed and dropped)
Multicast (Log messages about Multicast traffic)
Event Log
System (System related events)
User (Firewall authentication events)
Router, VPN, WanOpt & Cache, Wifi
Security Log
By Security profile type (Antivirus, Web Filter, Intrusion Protection, etc.)
Section is not created by default
12
Log Structure and Behavior
Logging is divided into 3 sections: Traffic Log, Event Log, Security Log
Traffic logs relate to packets to and through the device
Event logs relate to any admin and system activity events on the device
Security logs contain log messages related to profiles acting on traffic passing
through the device
Most Security events consolidated into Forward Traffic log
Less CPU intensive this way
Exceptions: DLP, Intrusion Scanning (Security Log only)
Additional log information can be obtained in some security profiles via
the CLI (Antivirus, Web Filter, Email)
extended-utm-log [disable (default) | enabled]
New log options show up (CLI only, varies depending on profile type)
Security event logs show up in Security Logs with more details
Logging and Monitoring 7 April 2014
13
Log Generation
FW Policy
Log Setting
AV,Web Filter, Email extended-utm-log Behavior
No Log Disabled N/A No Forward Traffic or Security Logs
No Log Enabled Disabled No Forward Traffic or Security Logs
No Log Enabled Enabled No Forward Traffic or Security Logs
Log Security Events Disabled N/A No Forward Traffic or Security Logs.
Log Security Events Enabled Disabled Security log events appear in Forward Traffic Log.
Forward Traffic Log generated for packets causing a
security event.
Log Security Events Enabled Enabled Security log events appear in Security Log.
Forward Traffic Log generated for packets causing a
security event.
Log all Sessions Disabled N/A Forward Traffic Log generated for every single packet.
Log all Sessions Enabled Disabled Security log events appear in Forward Traffic Log
Forward Traffic log generated for every single packet
Log all Sessions Enabled Enabled Security log events appear in Security Logs.
Forward Traffic Log generated for every single packet.
14
Viewing Log Messages(GUI)
Logging and Monitoring 7 April 2014
15
Viewing Log Messages(GUI): Adding Filters
Use Filter Settings to customize the display of log messages to
show specific information in log messages
Reduce the number of log entries that are displayed
Filters are per column, more can be added
16
Viewing Log Messages (Raw)
Fields in each log message are arranged into two groups:
Log header (common to all log messages)
date=2013-09-10 time=11:17:56 logid=0000000009
type=traffic subtype=forward level=notice vd=root
Log body (varies between each kind of log)
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
Logging and Monitoring 7 April 2014
17
date=2013-09-10 time=13:00:30 logid=0100032001
type=event subtype=system level=information
vd="root" user="admin" ui=http(10.0.1.10)
action=login status=success reason=none
profile="super_admin" msg="Administrator admin
logged in successfully from http(10.0.1.10)"
Viewing Log Messages (Raw): Severity Level
Log severity level indicated in the level field of the log message
information = normal event
18
Log header
date=2013-09-10 time=12:55:06 log_id=32001 type=utm
subtype=dlp eventtype=dlp level=warning vd=root
filteridx=0
Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0
eventid=0 user="user" group="group" srcip=1.1.1.1
srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120
dstintf="port1" service=mm1 .
Viewing Log Messages (Raw): Type and Subtype
typeand subtypefields = log file that message is recorded in
Logging and Monitoring 7 April 2014
19
Log body
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
hostname="host" url="www.abcd.com" msg="Data Leak
Prevention Testing Message" action=block severity=0
infection="carrier end point filter"
Viewing Log Messages (Raw): Policy ID
policyid = id number of firewall policy matching the session
20
Log body
srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0
dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0
service=other proto=0 appid=1 app="AIM" appcat="IM"
applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name"
shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name"
shaperdroprcvdbyte=16843009 shaperperipname="perip name"
shaperperipdropbyte=16843009 devtype="iPad" osname="linux"
osversion="ver" unauthuser="user" unauthusersource="none"
collectedemail="mail" mastersrcmac=02:02:02:02:02:02
srcmac=01:01:01:01:01:01
Viewing Log Messages (Raw): Status
status = action taken by the FortiGate unit
Logging and Monitoring 7 April 2014
21
Viewing Log Messages(CLI)
exe log display
Best to setup filters on log entries first
exe log filter
22
Alert Email
Send notification to email address upon
detection of defined event
Identify SMTP server name
Configure at least one DNS server
Up to three recipients per mail server
Logging and Monitoring 7 April 2014
23
Alert Email: Configure
Configuring Alert email is not possible until an SMTP server has been
setup.
Can be sent to up to 3 emails
24
Alert Message Console
Alert messages can be displayed on the GUI
Individual alerts can be acknowledged and removed from the list
Customizable alert options
Logging and Monitoring 7 April 2014
25
SNMP Monitoring
SNMP manager Managed device
SNMP agent Fortinet MIB
Traps received by agent sent to SNMP manager
Configure FortiGate unit interface for SNMP access
Compile and load Fortinet-supplied MIBs into SNMP
manager
Create SNMP communities to allow connection from
FortiGate unit to SNMP manager
SNMP v1/v2
Plain Text
SNMP v3
Encrypted
26
SNMP Monitoring: Configuring
v3 offers additional security over v1/v2
Logging and Monitoring 7 April 2014
27
Configuring Log settings: GUI
28
Configuring Log settings: CLI
Different log locations have different options that need to be
configured (server location, user details, etc)
disk Hard drive (Built in non-volatile Flash on some models)
fortianalyzer|fortianalyzer2|fortianalyzer3 separate FortiAnalyzers
fortiguard- Forticloud
memory system memory (volatile)
sysologd|syslogd2|syslogd3 separate Syslog servers
webtrends Webtrends service
Logging and Monitoring 7 April 2014
29
Configuring Log settings: Firewall Policy
Firewall Policy
setting decides if a
log message is
generated or not
Log Settings
options decide
if/where any log
messages get
stored
30
Event Logging: Settings
Event logs are not directly caused by traffic passing through
any firewall policies (except User)
Logging and Monitoring 7 April 2014
31
Logging Monitor
Overall view of the number/type of logs generated
Drilldown allows for more detailed information
32
Monitor
Monitor sub-menus found in CLI for all main function menus
User-friendly display of monitored information
View activity of a specific feature being monitored
Various settings are found under config system global
gui-antivirus gui-ap-profile gui-application-control
gui-central-nat-table gui-certificates gui-client-reputation
gui-dlp gui-dns-database gui-dynamic-profile-display
gui-dynamic-routing gui-endpoint-control gui-explicit-proxy
gui-ipsec-manual-key gui-implicit-policy gui-ips
gui-icap gui-ipv6 gui-lines-per-page
gui-load-balance gui-local-in-policy gui-multicast-policy
gui-multiple-utm-profiles gui-object-tags gui-policy-interface-pairs-view
gui-replacement-message-groups gui-spamfilter gui-sslvpn-personal-bookmarks
gui-sslvpn-realms gui-utm-monitors gui-voip-profile
gui-vpn gui-vulnerability-scan gui-wanopt-cache
gui-webfilter gui-wireless-controller gui-wireless-opensecurity
Logging and Monitoring 7 April 2014
33
GUI Monitors
Example: Security Profiles Monitor
Includes all security features
AV Monitor
Recent and top virus activity
Web Monitor
Top blocked FortiGuard categories
Application Monitor
Most used applications
Intrusion Monitor
Recent attacks
FortiGuard Quota
Per user list of quota usage
34
Status Page: Custom Widgets
Many widgets can have their settings altered to display different
information
The same widget can be added multiple times to the same dashboard showing
different information
Logging and Monitoring 7 April 2014
35
Status Page: Custom Dashboards
Multiple dashboards included by default
Included widgets are setup to provide different kinds of information
Can be changed/deleted/added
Per User settings (Diashboard and widget layout is not shared between users)
36
The Crash log
Inspection of is traffic handled by processes
Any time a process closes, it is a crash
Some crashes are normal (closing scanunit to do a definition update)
diag deb crashlog read
Does not any log message data
Logging and Monitoring 7 April 2014
37
Labs
Lab 1: Status Monitor and Event Log
Ex 1: Exploring the GUI Status Monitor
Ex 2: Event Log and Logging Options
(OPTIONAL)
Lab 2: Remote Monitoring
Ex 1: Remote Syslog and SNMP Monitoring
38
Classroom Lab Topology