DO NOT REPRINT

FORTINET

Logging & Monitoring

In this lesson, we will look at how to monitor your FortiGate, and how to log its system events and
network traffic. Since you are implementing a security solution, it is important to know how to
appropriately monitor the device's operation. It is vital to have logging and monitoring configured
properly and to know how to read the output. Otherwise, if you encounter issues, you won't have any
messages from FortiGate to help you find out what is happening in your network.

By the end of this lesson, you'll be able to:

Describe log severity levels
Identify where logs are stored
Describe the different types of logs
Understand log structure and behavior
Configure log settings
Understand the impact of logs on resources
Describe how to view log messages
Describe how to search and interpret log messages

The basic purpose of logs is to help you monitor your network traffic levels, track down problems,
establish baselines and a lot more.
Think of your own internal organization, where it is highly probable that more than one administrator
has access to your FortiGate device. Since it is not practical to block other administrators from making
changes to your FortiGate configuration, you can instead review the log files to find out what is
happening on the device, including any configuration changes that were made and by whom. Logs give
you the big picture so you can adjust your network security if necessary.
Keep in mind that some organizations have legal or regulatory requirements for logging (what must be
logged and how long it must be retained), so be aware of your organization's policies during
configuration.

Each log entry includes a severity level. There are eight levels, which in order of importance from
highest to lowest are Emergency, Alert, Critical, Error, Warning, Notification, Information, and Debug.
Debug, the lowest level, puts additional diagnostic information into the event log and is of little use
unless you are actively troubleshooting a problem. Logging at the Debug level puts more strain on the
CPU and consumes more storage, so enable it only while investigating and disable it afterwards.
Generally, the lowest level you want to use in production is Information.
You and your organization's policies dictate what needs to be logged.

You can choose to store logs in a variety of places, both on and off the device. Locally, the FortiGate
has memory, and many models have a built-in hard drive. Externally, you can send logs to syslog
servers, to FortiCloud, or to a FortiAnalyzer (or FortiManager) device. SNMP, covered later in this
lesson, is a monitoring channel for status queries and traps rather than a place where logs are stored.

As an external logging device for FortiGate, a FortiAnalyzer or FortiManager is simply an IP address
with which the FortiGate can communicate. As a result, you can place a FortiAnalyzer or FortiManager
within the same network as the FortiGate, or outside of it. However, a FortiGate can send logs to a
FortiAnalyzer or FortiManager only if it is a registered device there: as long as the FortiGate is
properly registered with the FortiAnalyzer or FortiManager, the latter accepts its incoming logs.
Communication between the FortiGate and the FortiAnalyzer or FortiManager uses SSL-encrypted OFTP
traffic, so when a log message is generated it can be safely transmitted across an untrusted network.

So far, we've discussed FortiAnalyzer and FortiManager as interchangeable external logging devices
for the FortiGate. While configuring the FortiGate to send logs to a FortiAnalyzer or a FortiManager is
identical (they share a common hardware and software platform), the FortiAnalyzer and FortiManager
actually have different capabilities that are worth noting. Both accept log entries, but a
FortiManager's primary purpose is to centrally manage multiple FortiGate devices. As such, it has a
flat limit on the amount of logs it can receive per day, regardless of the model. On the other hand, the
FortiAnalyzer's primary purpose is to store and analyze logs, so its log limit is much higher (though
model-dependent). Even the smallest FortiAnalyzer can handle more logs per day than any FortiManager.
At the most basic level, however, what you can do with the logs received on a FortiManager is no
different from what you can do with logs received on a FortiAnalyzer.
The FortiGate has two methods for transmitting log events to these devices: store-and-upload, where
logs are buffered on the FortiGate and uploaded on a schedule, and real time, where each log is sent as
soon as it is generated.

You can configure logging to either a FortiAnalyzer or a FortiManager through the GUI or the CLI.
In the GUI, it is done under Log & Report > Log Config > Log Settings. Here, each device must be set
up separately, one at a time.
In the CLI, you can configure up to three separate FortiAnalyzer or FortiManager devices. The options in
the GUI relate only to the config log fortianalyzer setting table, not to fortianalyzer2 or
fortianalyzer3, which are CLI-only. You may need a setup like this for redundancy or for some other
requirement. Keep in mind that generating logs requires resources, so the impact of sending logs to
multiple locations ultimately depends on how many logs you are creating.

Another external logging option you can use is FortiCloud. FortiCloud is a subscription-based service,
offered by Fortinet, that provides long-term storage of logs as well as reporting functionality. It's
a similar idea to FortiAnalyzer, but more advantageous for smaller setups, where purchasing a
dedicated logging appliance isn't feasible. Every FortiGate comes with a free one-month trial. You can
activate the free trial from the GUI, link it to your FortiCare account, and start sending logs. Be sure to
read the documentation on the website if you are considering the subscription option.

On the FortiGate, all logs are split up into three log types: traffic logs, event logs, and security logs.
Each log type is further split into sub-types. Traffic logs contain Forward, Local, Invalid, and Multicast.
The Forward log contains information about traffic either accepted or rejected by a firewall policy. Local
traffic is traffic directly to or from the FortiGate itself, and includes logging into the GUI as well as
FortiGuard queries. The Invalid log records packets that were discarded before they ever reached a
firewall policy.
Event logs contain System, User, and Router/VPN/WanOpt & Cache/WiFi sub-types. System events are
related to system operations, such as automatic updates of the AV/IPS definitions and administrators
logging into the GUI. User contains logon/logoff events for users matching firewall policies.
Router/VPN/WanOpt & Cache/WiFi contain log entries related to the specific feature. For example, Router
contains BGP or RIP log entries and VPN contains IPsec and SSL VPN log entries.
Finally, Security logs contain log entries based on the security profile type, for example Antivirus, Web
Filter, and Intrusion Protection, to name a few. The Security log only shows a specific sub-type once
logs of that kind have been created.

The Log & Report section of the FortiGate GUI includes the three log types: Traffic, Event, and (if
configured) Security. The Traffic log contains events about packets. The Event log contains admin or
system activity events. The Security log contains messages related to security profiles activated on
firewall policies. By default, most of the events related to security appear in the Forward Traffic log, a
sub-type of the Traffic log. This is for performance: fewer log files means less CPU load. The exceptions
are DLP and IPS: events from these always appear in the Security log section.

To inspect your logs through the GUI, go to the Log & Report section and select the log type to view.
In the upper right corner of the window, you can switch between viewing the logs from different
locations if the FortiGate is set up to log to multiple locations.
It is not recommended to configure your firewall to actively inspect traffic without creating a log entry
about it: a block with no log leaves you nothing to investigate later.

This chart illustrates the expected behavior when you enable different logging options.
The first column, Policy Log Setting, shows the log setting on the firewall policy: No Log, Log Security
Events, or Log All Sessions.
The second column shows whether an Antivirus, Web Filter, or Email Filter security profile is enabled or
disabled. Remember, DLP and IPS profiles always generate logs in the Security log section.
The last column shows the behavior. If you enable any profiles on your policy and logging is not enabled,
you will not get logs of any kind, even if the profile is configured to block the traffic. So if you apply a
security profile, it's important to check the policy's logging setting as well.

When viewing the logs, you might encounter a high volume of log messages, depending on your
configuration. This makes it difficult to locate a specific log or log type, especially during an
investigation. To navigate the logs more efficiently, you can set up various filters. The more
information you specify in the filter, the easier it is to find the precise log entry. Filters are configured
per column of data you choose to display, and by default only a subset of the available fields appears
as columns in the log table, so configure the table columns for your own requirements.

Every log message you view has a standard layout made up of two sections: a header and a body.
The header contains the same set of fields regardless of the log. The body, however, changes from
one type of log message to another. This is because some data, like the date and time, is common to
all logs, while other data is event dependent.

Let's take a closer look at the header, using the example of a raw log entry shown above. While the
output is not as structured as it appears in the GUI, the information contained in a raw log file is the
same. As you can see in the header, aside from the date, time, and log ID attributes, the log type is
UTM, the sub-type is DLP, and the severity level is Warning. The attributes in the header (such as log
type and sub-type) are common to every log, but their values differ. For example, the header can
contain a log type of Event and a sub-type of System instead of what you see in the example above.
Accordingly, the values in the header directly determine which fields appear in the associated body of
the log.
Note that if you log to a third-party device, such as a syslog server, you need to know the field names
in order to build filters that find what you need. The FortiOS Log Message Reference, which lists every
log message and its layout, is available from the Fortinet docs web site at http://docs.fortinet.com .

Now let's take a closer look at the body of a log. The body provides the specifics of the log message
and helps you understand what actually happened. In the log above, the status attribute shows the
action the FortiGate took when it encountered the traffic. Here, the status is Deny, which means the
FortiGate prevented this particular traffic from passing. The policyid field tells you which firewall policy
the traffic matched, so you can go straight to the rule that produced the verdict.

Rather than reading raw logs or viewing logs through the GUI, you can also display log messages from
the CLI. This lets you apply a number of filters to the logs that are displayed (execute log filter, followed
by execute log display), and capture the output to a file and send it to a destination you specify, such
as an FTP server.
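The following Python script is an added example and is not part of the Fortinet course material or of FortiOS itself. It does off-box what the header/body discussion above and the CLI filtering describe: it parses raw FortiGate key=value log lines (with or without the <PRI> prefix a syslog server prepends), splits each entry into the header fields and the body, ranks entries by the eight severity levels, filters them by field value the way you would with execute log filter before execute log display, and reads the status/action and policyid out of the body. The sample log lines and their logid values are constructed for illustration and are not captures from a real device.

```python
"""Parse and search raw FortiGate log lines (key=value format).

Added example: handles lines as they appear in a raw log file or as a
syslog server receives them (with a leading <PRI> field). The sample
lines below are constructed for illustration; their logid values are
placeholders, not real FortiOS log IDs.
"""
import re
from collections import Counter

# The eight FortiOS severity levels, lowest (most verbose) first.
SEVERITY = ["debug", "information", "notice", "warning",
            "error", "critical", "alert", "emergency"]
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITY)}

# Fields that form the header; every other field belongs to the body.
HEADER_FIELDS = ("date", "time", "logid", "type", "subtype", "level", "vd")

_PRI_RE = re.compile(r"^<(\d{1,3})>")  # syslog priority, e.g. <189>
_KV_RE = re.compile(r'([A-Za-z_][\w\-]*)=("(?:[^"\\]|\\.)*"|\S*)')

SAMPLE_LOGS = [  # constructed sample data, not real captures
    '<189>date=2015-03-10 time=10:12:15 logid=0954024576 type=utm subtype=dlp '
    'level=warning vd="root" srcip=10.0.1.25 dstip=203.0.113.8 policyid=3 '
    'status=deny filtertype=file-type msg="DLP file-type blocked"',
    'date=2015-03-10 time=10:13:02 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd="root" srcip=10.0.1.40 dstip=198.51.100.7 srcport=50112 '
    'dstport=443 policyid=1 action=accept',
    'date=2015-03-10 time=10:14:30 logid=0100032001 type=event subtype=system '
    'level=information vd="root" logdesc="Admin login successful" user="admin" '
    'ui="https(10.0.1.5)" action=login status=success',
    'date=2015-03-10 time=10:15:00 logid=0000000010 type=traffic subtype=forward '
    'level=debug vd="root" srcip=10.0.1.40 dstip=198.51.100.7 policyid=1 action=accept',
]


def parse_line(line):
    """Split one raw log line into syslog PRI (if any), header and body."""
    pri = None
    m = _PRI_RE.match(line)
    if m:  # PRI = facility * 8 + severity; <189> is local7 (23) / notice (5)
        code = int(m.group(1))
        pri = {"facility": code // 8, "severity": code % 8}
        line = line[m.end():]
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip quotes around values containing spaces
        fields[key] = value
    header = {k: fields.pop(k) for k in HEADER_FIELDS if k in fields}
    return {"pri": pri, "header": header, "body": fields}


def at_least(entry, level):
    """True when the entry's severity is at or above the given threshold."""
    current = entry["header"].get("level", "information")
    return SEVERITY_RANK[current] >= SEVERITY_RANK[level]


def filter_entries(entries, min_level="information", **match):
    """Keep entries at or above min_level whose fields equal every key in match,
    e.g. filter_entries(entries, type="traffic", action="accept")."""
    kept = []
    for entry in entries:
        if not at_least(entry, min_level):
            continue
        merged = {**entry["header"], **entry["body"]}
        if all(merged.get(k) == v for k, v in match.items()):
            kept.append(entry)
    return kept


def summarize(entries):
    """Count entries per (type, subtype), the split the GUI log menus use."""
    return Counter((e["header"]["type"], e["header"]["subtype"]) for e in entries)


def explain(entry):
    """One-line reading of an entry: what happened, the verdict, and the policy."""
    h, b = entry["header"], entry["body"]
    what = b.get("logdesc") or b.get("msg") or f'{h["type"]}/{h["subtype"]}'
    verdict = b.get("status") or b.get("action") or "n/a"
    return (f'{h["date"]} {h["time"]} [{h["level"]}] {what}: '
            f'verdict={verdict} policyid={b.get("policyid", "n/a")}')


if __name__ == "__main__":
    entries = [parse_line(line) for line in SAMPLE_LOGS]
    print(summarize(entries))
    for entry in filter_entries(entries, min_level="warning"):
        print(explain(entry))
```

Feed it the output of a raw log file or the lines written by your syslog server; the filter drops Debug entries by default, mirroring the advice above to log at Information or higher in production.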

Monitoring your logs is critical, as it allows you to review the progress of an attack, whether afterwards
or while it is in progress, and address the issue quickly. How the attack unfolds may reveal weaknesses in
your preparations.
There are three ways you can monitor logs: alert emails, the Alert Message Console, and SNMP.

Since you can't always be physically at the device, you can monitor logs by setting up alert emails.
Alert emails are set up much like any log destination: first you decide what goes into them (a filter),
and then where they are sent.

In order to set up an alert email, the first thing you need to do is configure an SMTP server to allow for
communication between the mail server and the FortiGate device. This can only be done in the CLI
(under config system email-server).
Once that is done, you can configure your alert email settings in the GUI through the Log & Report > Log
Config > Alert E-mail menu. Without an SMTP server configured to relay the email, the alert email
option does not appear in the GUI.

Another log monitoring option is the Alert Message Console. The Alert Message Console is a GUI
widget that you can enable on the System dashboard. Here, instead of the alerts being emailed to
administrators as with alert emails, they appear directly in the widget on the System page when you log
in to the FortiGate. You can configure the widget to set up the events you want to appear as alerts, the
number of alerts, and even the name of the widget itself. For example, you can have multiple alert
widgets on the dashboard with different names, each displaying a different type of alert.
Once an alert appears in the Alert Message Console, it remains until acknowledged. Once you confirm
the event did not impact anything, you acknowledge it and it is removed from your list, so it no longer
appears as something that requires further attention.

Another method of monitoring is through an SNMP manager. In order to use this method, you
require the Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP
data objects used by the SNMP manager. The MIBs provide the information the SNMP manager needs to
interpret the trap, event, and query messages sent by the FortiGate SNMP agent. They can be loaded
into any SNMP software so that you can set up automatic queries to the device in order to discover its
operational status. You can obtain CPU and memory levels, the cause of the last spam detection, and
more. A FortiGate device supports SNMP v1, v2c, and v3.
You can obtain the MIB files either from the Fortinet support website or directly from the FortiGate GUI
through the System > Config > SNMP menu.

Setting up the necessary SNMP options is fairly straightforward from the GUI. Simply enable and
define the service as you would on any other SNMP-monitored device, then enable your protocol
versions and methods of monitoring. What can be monitored is exactly the same with each version.
SNMP v3 offers additional security over the previous two versions, namely authentication and
encryption of the SNMP traffic; v1 and v2c rely on a plaintext community string, so if you must use
them, restrict the SNMP hosts allowed to query the FortiGate to your management stations.

In the GUI, under Log & Report > Log Config > Log Settings, you can enable the different locations for log
storage. You can also configure which kinds of traffic you want to appear in the Local traffic log.
Finally, you can configure the GUI preferences. Resolving IPs to host names requires the FortiGate to
perform a DNS lookup for every IP shown. If your DNS is not working or is slow, this can impair your
ability to browse the logs, as the requests will time out.

Using the CLI to configure log settings provides you with more flexibility and options than the GUI.
From the CLI, you can configure up to three separate FortiAnalyzers and up to three syslog servers,
options not available in the GUI. There is also the ability to set up logging to WebTrends, a third-party
service. The information you require for configuring the log settings depends on the logging option you
configure: disk, FortiAnalyzer, FortiGuard, memory, syslog, or WebTrends.

Firewall policies also have logging options you can configure. The policy setting determines if and
when a log message is generated for traffic passing through a particular firewall policy (no logging,
security events only, or all sessions). The settings under Log Settings in the GUI and the config log
commands in the CLI determine where the FortiGate stores the log messages it creates.

It's important to remember that creating logs is not free; it does weigh on your system. The more
logs that get generated, the heavier the toll on your CPU and memory resources. Storing logs for a
period of time also requires disk space, as does accessing them. So before configuring logging, make
sure it's worth the extra resources and that your system can handle the influx.
Also important to note is logging behavior with UTM profiles. UTM profiles create log events when
traffic is detected. Depending on the amount of traffic you have and the logging settings that are
enabled, your traffic logs can easily grow to a volume that ultimately impacts the performance of your
firewall.
There is an option in the CLI that removes some of the information stored in the traffic log: set
brief-traffic-format enable, under config log setting. Enabling it reduces the size of each traffic log
entry and so frees up resources on the firewall, at the cost of detail in those entries.

When configuring the Event log settings, remember that Event logs are not caused by traffic passing
through firewall policies. For example, VPNs going up and down or routing protocol activity are not
caused by traffic passing through a firewall policy. One exception might be the User log. This does not
record information about traffic through firewall policies directly, but it does record logon/logoff
events of users whose traffic passes through policies.
Event logs provide all of the system information generated by the FortiGate device, such as
administrator logins, configuration changes made by administrators, user activity, and daily operations
of the device. So what you enable depends on what features you are implementing and what
information you need to get out of the logs. You can select which events to log through the
Log & Report > Log Config > Log Settings menu.

There is also a daily log monitor section. This displays the number of logs generated over time as well
as the breakdown by log type. This lets you see where your FortiGate is spending most of its logging
resources and whether any trends are emerging. You can drill down and obtain further information by
clicking any of the days.

Each function of the FortiGate has an equivalent Monitor menu item in the GUI. This allows you to see,
at any given moment, how the feature is performing. The security functions have a monitor option like
the rest, but you need to enable it from the CLI before it appears. With a lot of security activity this
could impact your CPU, so it is disabled by default.

One example of a GUI monitor is the Security Profiles monitor, found in the GUI under Security
Profiles > Monitor. It has sub-sections for each security feature to highlight recent activity, such as AV
Monitor, Web Monitor, and Application Monitor to name a few. This gives you a snapshot of what is
happening with that particular option. Almost every menu has this option.

Another means of monitoring is through the widgets on the status page. Many can be customized to
show the same type of information in multiple ways. If you click the pencil icon in the upper right
corner of the widget, you can configure any of the available settings for that widget. You can add some
widgets to the same dashboard multiple times, with each instance displaying different information.

By default, there are a number of different dashboards available. Each one has a different name and a
different collection of widgets to provide different types of information. Each user has their own
dashboard setup and layout, so if one user deletes a dashboard or rearranges the widgets on the
Status page, it will not affect any of the other users. You can alter a user's permissions so they cannot
change their dashboard, and use this to restrict their access.

One other area you may want to monitor, purely for diagnostics, is the crash log, available through
the CLI (diagnose debug crashlog read). The FortiGate is like a computer, with different processes that
handle different things, such as DHCP or web filtering. Any time a process exits for any reason, the
crash log records this as a crash. If there is an abnormal termination of a process, you can look at the
crash log and find out the conditions that caused it. A normal and fairly common thing to see in the
crash log is entries for scanunitd, the process responsible for virus scanning. Any time the definitions
package is updated, that process needs to close down in order to load the new package. This is a
normal shutdown and appears with a status of zero, which indicates a clean exit with no
abnormalities.

In this lesson, we covered log severity levels; storage locations; log types and sub-types; log structure
and behavior; log settings; viewing log messages; and monitoring, reading, and interpreting log
messages.
