Logging and Monitoring
Module Objectives
• By the end of this module participants will be able to:
• Identify the severity levels assigned to logs
• Define the storage location for log information
• Enable logging for different FortiGate unit events
• View and search logs
• Configure content archiving
• Generate reports from stored log information
Logging and Monitoring
Logging and Monitoring
• Logging and monitoring are key elements in maintaining devices on the network
• Monitor network and Internet traffic
• Track down and pinpoint problems
• Establish baselines
Logging Severity Levels
• Administrators define the severity level at which the FortiGate unit records log information
• All messages at, or above, the minimum severity level will be logged
• Emergency = System unstable
• Alert = Immediate action required
• Critical = Functionality affected
• Error = Error exists that can affect functionality
• Warning = Functionality could be affected
• Notification = Info about normal events
• Information = General system information
• Debug = Debug log messages
Log Severity Level
2010-01-11 14:23:37 log_id=0104032126 type=event subtype=admin pri=notification vd=root user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"
• Log severity level indicated in the pri field of the log message
notification = normal event
Deleting Logs
• Delete all local logs, log archives, and user configured report templates using this command:
exec log-report reset
• Also restores default UTM activity report if it has been modified
Log Storage Locations
• Local logging
• Remote logging (Syslog, SNMP)
Log Types
Event logs
Traffic logs
Attack logs
Antivirus logs
Web filter logs
Email filter logs
DLP logs
Application control logs
Network scan logs
(UTM logs: grouping bracket in the original figure)
Viewing Log Messages in Web Config
Log Viewer Filtering
• Use Filter Settings to customize the display of log messages to show specific information in log messages
• Reduce the number of log entries that are displayed
• Easily locate specific information
Log Viewer Filtering
• Example: View only UTM log messages recorded between 4:00 and 5:00 pm
Download Raw Logs
• Raw logs can be downloaded, including archived log messages
• Raw log file is downloaded to the management computer and saved as a text file
• Can be viewed in a text editor such as Notepad
• Log file name format: <log name><number>.log (for example: elog0101.log)
Viewing Log Messages (Raw)
• Fields in each log message are arranged into two groups:
• Log header
2011-01-08 12:55:06 log_id=32001 type=dlp subtype=dlp pri=notice vd=root
• Log body
policyid=1 identidx=0 serial=73855 src="10.10.10.1" sport=1190 src_port=1190 srcint=internal dst="192.168.1.122" dport=80 dst_port=80 dst_int="wan1" service="https" status="detected" hostname="example.com" url="/image/trees_pine_forest/" msg="data leak detected(Data Leak Prevention Rule matched)" rulename="All-HTTP" action="log-only" severity=1
• The type and subtype fields = log file that the message is recorded in (for example, data leak prevention)
• policyid = id number of the firewall policy matching the session
• Each message has a unique log id number that helps to identify it
• status = action taken by the FortiGate unit
• msg = activity that was recorded, for example, DLP detected (matched the rule called All-HTTP in the DLP sensor)
• action = how the FortiGate unit deals with the activity, for example, log the event only
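An added example (not Fortinet's code and not part of the original deck): a parser for raw log lines in the key=value format shown above that splits them into the header and body groups, plus the "at or above the minimum severity level" rule from the Logging Severity Levels slide. The sample input is the two messages shown on these slides plus one constructed critical event whose log_id 99999 is a placeholder; the PRI_ALIASES mapping of short spellings such as pri=notice is an assumption based on the DLP sample.

```python
import re

# Severity levels from most to least severe; the unit records a message when its
# pri is at, or above, the configured minimum level (lower index = more severe).
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]
# Short spellings seen in raw logs (assumed; the DLP sample above uses pri=notice).
PRI_ALIASES = {"notice": "notification", "info": "information", "crit": "critical"}
# Fields that make up the log header; everything else belongs to the log body.
HEADER_FIELDS = ("date", "time", "log_id", "type", "subtype", "pri", "vd")
# key=value pairs: a quoted value may contain spaces, a bare value may not.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Split one raw FortiGate log line into a dict of field name -> value."""
    date, time, rest = line.strip().split(" ", 2)
    fields = {"date": date, "time": time}
    for key, quoted, bare in _KV_RE.findall(rest):
        fields[key] = bare or quoted
    return fields

def split_header_body(fields):
    header = {k: v for k, v in fields.items() if k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return header, body

def severity_rank(pri):
    """0 = emergency ... 7 = debug; raises ValueError for an unknown level."""
    return SEVERITY_ORDER.index(PRI_ALIASES.get(pri, pri))

def is_logged(pri, minimum_level):
    """True if a message with this pri is recorded at the given minimum level."""
    return severity_rank(pri) <= severity_rank(minimum_level)

def filter_by_minimum(lines, minimum_level):
    """log_id of every line the unit would record with this minimum level set."""
    return [f["log_id"] for f in map(parse_log, lines) if is_logged(f["pri"], minimum_level)]

# Sample input: the two slide messages on one line each, plus one constructed critical event.
SAMPLE_LINES = [
    '2010-01-11 14:23:37 log_id=0104032126 type=event subtype=admin pri=notification vd=root '
    'user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"',
    '2011-01-08 12:55:06 log_id=32001 type=dlp subtype=dlp pri=notice vd=root policyid=1 identidx=0 serial=73855 '
    'src="10.10.10.1" sport=1190 src_port=1190 srcint=internal dst="192.168.1.122" dport=80 dst_port=80 dst_int="wan1" '
    'service="https" status="detected" hostname="example.com" url="/image/trees_pine_forest/" '
    'msg="data leak detected(Data Leak Prevention Rule matched)" rulename="All-HTTP" action="log-only" severity=1',
    '2011-01-08 13:02:10 log_id=99999 type=event subtype=system pri=critical vd=root '
    'msg="constructed sample: functionality affected"',  # log_id 99999 is a placeholder
]
```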
SQL Logging
• SQL database feature enabled by default on FortiGate devices with an internal hard disk (51B, 60C, 81C, 111C, 200B, 311B, 621B) or a removable hard disk
• If upgrading from older firmware versions, a pop-up dialog is presented to the administrator on first login
• "To enable SQL and convert any existing logs to SQL format, please click Go"
• Or click "Remind me later"
Unified UTM Log Access
• Central location for all UTM messages (antivirus, DLP, application control, email filter etc.)
• UTM Type indicates which UTM feature logged the message
Unified UTM Log Access
• Example: DLP log message
Logging to a FortiAnalyzer Device
• Fortinet Discovery Protocol (FDP) used to locate FortiAnalyzer device
• FortiGate unit registers with FortiAnalyzer device
• SSL-secured OFTP used to encrypt communications between FortiGate and FortiAnalyzer devices
config log fortianalyzer setting
set enc-algorithm
Logging to a FortiAnalyzer Device
• Real-time upload of logs to the FortiAnalyzer device is disabled by default on FortiGate devices with a hard drive. To enable:
config log fortianalyzer setting
set status enable
set server <FAZ_IP_Address>
set enc-algorithm disable
set upload-option realtime (default is "store-and-upload")
• CLI or Web Config can be used to configure the settings for uploading logs to FortiAnalyzer or FortiGuard Analytics Service
config log request-fgt upload [set|get]
• Logging Buffer rate setting (20 to 20,000) in CLI only
• Upload Time Period setting only available in Web Config after it is configured in the CLI (daily, weekly or monthly)
Store-and-Upload
• Default FortiGuard Analytics Service/FortiAnalyzer logging behavior for models with a hard drive
• Daily, weekly or monthly upload option
• Log event created for each upload action
• Hard-coded thresholds for auto upload when the hard drive maximum quota is reached
• If 70% capacity >> THEN upload 20% of oldest logs
• FortiGate models without a hard drive will still send logs in real-time
Device Registration
• Options when an unregistered device connects:
• Ignore connection
• Allow connection but do not keep data
• Allow connection and keep some data
• Add as registered and keep data (DEFAULT)
Logging to Multiple FortiAnalyzer Devices
Figure: three FortiAnalyzer devices (FortiAnalyzer1, FortiAnalyzer2, FortiAnalyzer3) and three log types (event logs, web filter logs, traffic logs)
Uploading Logs to FTP Server
• Text format allows for easier viewing using text editors
• Only available for FortiGate models with hard drives and only for uploading to an FTP server
set upload enable
set upload-destination ftp-server
set uploadip 172.16.120.154
set uploadport 443
set uploaduser test_user
set uploadpass 123456
set uploaddir C:\Logs_FGT
set uploadtype appctrl attack dlp event spamfilter traffic virus webfilter
set uploadzip enable
set uploadformat text
set uploadsched enable
set uploadtime 7
Content Archiving
• Log and archive copies of content transmitted over the network
• Summary archives
• Metadata only
• Full archives
• Summary and hyperlink to archived file or message
• Enabled through Data Leak Prevention rules
• When logging to multiple FortiAnalyzer units, DLP archives can be sent to both the second and third FortiAnalyzer units
• Avoids any lost DLP archives
Alert Email
• Send notification to email address upon detection of defined event
• Identify SMTP server name
• Configure at least one DNS server
• Up to three recipients per mail server
SNMP
Figure: SNMP manager and managed device (SNMP agent, Fortinet MIB)
• Traps received by agent sent to SNMP manager
• Configure FortiGate unit interface for SNMP access
• Compile and load Fortinet-supplied MIBs into SNMP manager
• Create SNMP communities to allow connection from FortiGate unit to SNMP manager
Reporting
• Default Report
• Report Editor
• Historical Reports
Report Options
• Select Options in Report Editor
Monitors
• Monitor sub-menus found in Web Config for all main function menus
• User-friendly display of monitored information
• View activity of a specific feature being monitored such as Firewall, UTM, VPN, Router, WiFi, Endpoint Security etc.
Monitor
• Example: Firewall Monitor
• Includes Session, Policy, Load Balance and Traffic Shaper monitors
• Session: Current sessions on the network
• Policy: Firewall policy traffic occurring on the unit
• Load Balance: List of individual server and real servers
• Traffic Shaper: Traffic shaper activity on the unit
Labs
• Lab - Logging and Monitoring
• Exploring Web Config Monitoring
• Customizing the System Dashboard
• Configuring Email Alerts
• Enabling Logging to a FortiAnalyzer Device