FGT1 02 Logging and Monitoring


Transcript of FGT1 02 Logging and Monitoring

Page 1: FGT1 02 Logging and Monitoring

Logging and Monitoring 7 April 2014

1

© 2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT01-02-50005-E-20131120


2

Module Overview

• Log Severity Levels

• Storage Locations

• Log types and subtypes

• Log Structure and Behavior

• Traffic Log

• Viewing Log Messages

• Reading and Interpreting log messages

• Alert Email

… and other topics

Page 2: FGT1 02 Logging and Monitoring


3

Module Objectives

• By the end of this module participants will be able to:

» State the purpose of different log types on a FortiGate

» Identify the storage location of log information

» Navigate the relevant screens for Logging and Monitoring of a FortiGate

» Read and Interpret log messages

» View and search logs messages

4

Logging and Monitoring

• Logging and monitoring are key elements in maintaining devices on the network

» Monitor network and Internet traffic

» Track down and pinpoint problems

» Establish baselines

Page 3: FGT1 02 Logging and Monitoring


5

Log Severity Levels

• Administrators define what type of logs are recorded

• All log messages have a severity level to help indicate how important the event is

» Emergency = System unstable

» Alert = Immediate action required

» Critical = Functionality affected

» Error = Error exists that can affect functionality

» Warning = Functionality could be affected

» Notification = Information about normal events

» Information = General system information

» Debug = Debug log messages

6

Log Storage Locations

[Diagram: log storage locations]

• Local logging

» Memory

» Hard drive

• Remote logging

» Syslog

» SNMP

» FortiAnalyzer/FortiManager

» FortiCloud

Page 4: FGT1 02 Logging and Monitoring


7

Log Storage Locations: FortiAnalyzer/FortiManager

[Diagram: FortiGate registers with FortiAnalyzer/FortiManager]

• FAZ/FMG has list of registered (allowed) devices

• SSL-secured OFTP used to encrypt communications

8

FortiAnalyzer/FortiManager: Comparison

• FortiManager is a dedicated device designed to Centrally Manage multiple FortiGate devices

• FortiAnalyzer is a dedicated device designed for long term storage of log data

» FMG has identical logging and reporting functionality to FAZ, except for a 2 GB daily limit on logs received

Page 5: FGT1 02 Logging and Monitoring


9

FortiAnalyzer/FortiManager: Configuration

• Up to 3 separate FAZ/FMG devices can be configured (CLI)

» May be needed for redundancy

» Generating & sending logs requires resources

config log [fortianalyzer|fortianalyzer2|fortianalyzer3] setting
    set status enable
    set server x.x.x.x
end

10

Log Storage Locations: FortiCloud

• Subscription service

» Long term log storage & reporting

» FortiGates include 1 month free trial

» Links to FortiCare user

» Read any documentation on the Website!!

Page 6: FGT1 02 Logging and Monitoring


11

Log Types and Subtypes

• Traffic Log

» Forward (Traffic passed/blocked by Firewall policies)

» Local (Traffic aimed directly at, or created by the FortiGate device)

» Invalid (Log messages about packets considered invalid/malformed and dropped)

» Multicast (Log messages about Multicast traffic)

• Event Log

» System (System related events)

» User (Firewall authentication events)

» Router, VPN, WanOpt & Cache, Wifi

• Security Log

» By Security profile type (Antivirus, Web Filter, Intrusion Protection, etc.)

» Section is not created by default

12

Log Structure and Behavior

• Logging is divided into 3 sections: Traffic Log, Event Log, Security Log

» Traffic logs relate to packets to and through the device

» Event logs relate to any admin and system activity events on the device

» Security logs contain log messages related to profiles acting on traffic passing through the device

• Most Security events consolidated into Forward Traffic log

» Less CPU intensive this way

» Exceptions: DLP, Intrusion Scanning (Security Log only)

• Additional log information can be obtained in some security profiles via the CLI (Antivirus, Web Filter, Email)

» extended-utm-log [disable (default) | enabled]

• New log options show up (CLI only, varies depending on profile type)

• Security event logs show up in Security Logs with more details

Page 7: FGT1 02 Logging and Monitoring


13

Log Generation

FW Policy Log Setting | AV, Web Filter, Email | extended-utm-log | Behavior
----------------------|-----------------------|------------------|---------
No Log                | Disabled              | N/A              | No Forward Traffic or Security Logs
No Log                | Enabled               | Disabled         | No Forward Traffic or Security Logs
No Log                | Enabled               | Enabled          | No Forward Traffic or Security Logs
Log Security Events   | Disabled              | N/A              | No Forward Traffic or Security Logs
Log Security Events   | Enabled               | Disabled         | Security log events appear in Forward Traffic Log. Forward Traffic Log generated for packets causing a security event.
Log Security Events   | Enabled               | Enabled          | Security log events appear in Security Log. Forward Traffic Log generated for packets causing a security event.
Log all Sessions      | Disabled              | N/A              | Forward Traffic Log generated for every single packet.
Log all Sessions      | Enabled               | Disabled         | Security log events appear in Forward Traffic Log. Forward Traffic Log generated for every single packet.
Log all Sessions      | Enabled               | Enabled          | Security log events appear in Security Log. Forward Traffic Log generated for every single packet.

14

Viewing Log Messages (GUI)

Page 8: FGT1 02 Logging and Monitoring


15

Viewing Log Messages (GUI): Adding Filters

• Use Filter Settings to customize the display of log messages to show specific information in log messages

» Reduce the number of log entries that are displayed

» Filters are per column, more can be added

16

Viewing Log Messages (Raw)

• Fields in each log message are arranged into two groups:

» Log header (common to all log messages)

date=2013-09-10 time=11:17:56 logid=0000000009
type=traffic subtype=forward level=notice vd=root

» Log body (varies between each kind of log)

srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100

Page 9: FGT1 02 Logging and Monitoring


17

Viewing Log Messages (Raw): Severity Level

• Log severity level indicated in the level field of the log message

date=2013-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=http(10.0.1.10) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from http(10.0.1.10)"

information = normal event

18

Viewing Log Messages (Raw): Type and Subtype

type and subtype fields = log file that message is recorded in

» Log header

date=2013-09-10 time=12:55:06 log_id=32001 type=utm
subtype=dlp eventtype=dlp level=warning vd="root"
filteridx=0

» Log body

policyid=12345 identidx=67890 sessionid=312 epoch=0
eventid=0 user="user" group="group" srcip=1.1.1.1
srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120
dstintf="port1" service=mm1 …….

Page 10: FGT1 02 Logging and Monitoring


19

Viewing Log Messages (Raw): Policy ID

policyid = id number of firewall policy matching the session

» Log body

srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
hostname="host" url="www.abcd.com" msg="Data Leak Prevention Testing Message" action=block severity=0
infection="carrier end point filter"

20

Viewing Log Messages (Raw): Status

status = action taken by the FortiGate unit

» Log body

srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0
dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0
service=other proto=0 appid=1 app="AIM" appcat="IM"
applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name"
shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name"
shaperdroprcvdbyte=16843009 shaperperipname="perip name"
shaperperipdropbyte=16843009 devtype="iPad" osname="linux"
osversion="ver" unauthuser="user" unauthusersource="none"
collectedemail="mail" mastersrcmac=02:02:02:02:02:02
srcmac=01:01:01:01:01:01

Page 11: FGT1 02 Logging and Monitoring


21

Viewing Log Messages (CLI)

exe log display

• Best to set up filters on log entries first

exe log filter
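As an added example (not Fortinet's code and not part of this module), the following Python script parses raw FortiGate key=value log messages of the kind shown on the raw-log slides above: it separates the header fields common to every message from the body, ranks the level field so that a "warning and above" style filter can be applied, and narrows a set of records by arbitrary fields the way the GUI column filters and exe log filter narrow the display. The sample records are the module's own example messages joined into single lines (the DLP example is truncated on the slide); the header field list, the numeric level ranking and all function names are assumptions of this example, not FortiOS definitions.

```python
"""Added example (not Fortinet code): parse and filter FortiGate key=value logs."""
import re
from typing import Dict, List

# Assumed header field set: the fields the module lists as common to every
# log message. 'log_id' is included because the DLP example spells it that way.
HEADER_FIELDS = ("date", "time", "logid", "log_id", "type", "subtype", "level", "vd")

# Severity names as written in the raw 'level' field, most severe first.
# 'notice' and 'information' are the raw spellings of the Notification and
# Information levels on the severity slide. The numeric ranks are assumed.
LEVEL_RANK = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}

# key=value where the value is either double-quoted (may contain spaces,
# e.g. user="test user") or a bare token such as ui=http(10.0.1.10).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed input: the module's sample messages, one record per line.
SAMPLE_LINES = [
    'date=2013-09-10 time=11:17:56 logid=0000000009 type=traffic subtype=forward level=notice vd=root '
    'srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 '
    'dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 '
    'policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100',
    'date=2013-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information vd="root" '
    'user="admin" ui=http(10.0.1.10) action=login status=success reason=none profile="super_admin" '
    'msg="Administrator admin logged in successfully from http(10.0.1.10)"',
    'date=2013-09-10 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp level=warning vd="root" '
    'filteridx=0 policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" group="group" '
    'srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1',
]


def parse_record(line: str) -> Dict[str, Dict[str, str]]:
    """Split one raw log line into {'header': {...}, 'body': {...}}."""
    header: Dict[str, str] = {}
    body: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        value = raw[1:-1] if raw.startswith('"') else raw  # strip surrounding quotes
        (header if key in HEADER_FIELDS else body)[key] = value
    return {"header": header, "body": body}


def parse_all(lines: List[str] = SAMPLE_LINES) -> List[Dict[str, Dict[str, str]]]:
    """Parse every line; malformed lines simply yield empty header/body dicts."""
    return [parse_record(line) for line in lines]


def severity_rank(record: Dict[str, Dict[str, str]]) -> int:
    """Lower is more severe; an unknown or missing level ranks after debug."""
    return LEVEL_RANK.get(record["header"].get("level", "").lower(), 99)


def filter_records(records, max_rank: int = 7, **field_eq: str):
    """Keep records at least as severe as max_rank whose fields equal the given values.

    Field filters apply to header and body alike, mirroring the per-column
    filters in the GUI log viewer; e.g. filter_records(recs, type="event").
    """
    kept = []
    for rec in records:
        if severity_rank(rec) > max_rank:
            continue
        fields = {**rec["header"], **rec["body"]}
        if all(fields.get(k) == v for k, v in field_eq.items()):
            kept.append(rec)
    return kept


if __name__ == "__main__":
    recs = parse_all()
    for rec in filter_records(recs, max_rank=LEVEL_RANK["warning"]):
        print("warning or worse:", rec["header"]["type"], rec["header"]["subtype"])
    for rec in filter_records(recs, type="event", action="login"):
        print("admin login from", rec["body"]["ui"])
```

Because the rank is numeric, "warning and above" is a single comparison rather than a list of level names, which is the usual way to decide which records are worth forwarding to an alert email or a SIEM; the field filter does exact matching only, so a value such as `user="test user"` must be given with its quotes already stripped.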

22

Alert Email

• Send notification to email address upon detection of defined event

• Identify SMTP server name

• Configure at least one DNS server

• Up to three recipients per mail server

Page 12: FGT1 02 Logging and Monitoring


23

Alert Email: Configure

• Configuring Alert email is not possible until an SMTP server has been set up.

• Can be sent to up to 3 emails

24

Alert Message Console

• Alert messages can be displayed on the GUI

» Individual alerts can be acknowledged and removed from the list

» Customizable alert options

Page 13: FGT1 02 Logging and Monitoring


25

SNMP Monitoring

[Diagram: SNMP manager and managed device; the FortiGate's SNMP agent uses the Fortinet MIB]

• Traps received by agent sent to SNMP manager

• Configure FortiGate unit interface for SNMP access

• Compile and load Fortinet-supplied MIBs into SNMP manager

• Create SNMP communities to allow connection from FortiGate unit to SNMP manager

• SNMP v1/v2 – plain text

• SNMP v3 – encrypted

26

SNMP Monitoring: Configuring

• v3 offers additional security over v1/v2

Page 14: FGT1 02 Logging and Monitoring


27

Configuring Log settings: GUI

28

Configuring Log settings: CLI

• Different log locations have different options that need to be configured (server location, user details, etc.)

» disk – hard drive (built-in non-volatile flash on some models)

» fortianalyzer|fortianalyzer2|fortianalyzer3 – separate FortiAnalyzers

» fortiguard – FortiCloud

» memory – system memory (volatile)

» syslogd|syslogd2|syslogd3 – separate Syslog servers

» webtrends – WebTrends service

Page 15: FGT1 02 Logging and Monitoring


29

Configuring Log settings: Firewall Policy

• Firewall Policy setting decides if a log message is generated or not

• ‘Log Settings’ options decide if/where any log messages get stored

30

Event Logging: Settings

• Event logs are not directly caused by traffic passing through any firewall policies (except ‘User’)

Page 16: FGT1 02 Logging and Monitoring


31

Logging Monitor

• Overall view of the number/type of logs generated

• Drilldown allows for more detailed information

32

Monitor

• Monitor sub-menus found in CLI for all main function menus

• User-friendly display of monitored information

• View activity of a specific feature being monitored

• Various settings are found under "config system global":

gui-antivirus gui-ap-profile gui-application-control

gui-central-nat-table gui-certificates gui-client-reputation

gui-dlp gui-dns-database gui-dynamic-profile-display

gui-dynamic-routing gui-endpoint-control gui-explicit-proxy

gui-ipsec-manual-key gui-implicit-policy gui-ips

gui-icap gui-ipv6 gui-lines-per-page

gui-load-balance gui-local-in-policy gui-multicast-policy

gui-multiple-utm-profiles gui-object-tags gui-policy-interface-pairs-view

gui-replacement-message-groups gui-spamfilter gui-sslvpn-personal-bookmarks

gui-sslvpn-realms gui-utm-monitors gui-voip-profile

gui-vpn gui-vulnerability-scan gui-wanopt-cache

gui-webfilter gui-wireless-controller gui-wireless-opensecurity

Page 17: FGT1 02 Logging and Monitoring


33

GUI Monitors

• Example: Security Profiles Monitor

» Includes all security features

• AV Monitor

» Recent and top virus activity

• Web Monitor

» Top blocked FortiGuard categories

• Application Monitor

» Most used applications

• Intrusion Monitor

» Recent attacks

• FortiGuard Quota

» Per user list of quota usage

34

Status Page: Custom Widgets

• Many widgets can have their settings altered to display different information

» The same widget can be added multiple times to the same dashboard showing different information

Page 18: FGT1 02 Logging and Monitoring


35

Status Page: Custom Dashboards

• Multiple dashboards included by default

» Included widgets are set up to provide different kinds of information

» Can be changed/deleted/added

» Per user settings (dashboard and widget layout is not shared between users)

36

The Crash log

• Inspection of how traffic is handled by processes

• Any time a process closes, it is a "crash"

» Some crashes are normal (closing scanunit to do a definition update)

diag deb crashlog read

• Does not contain any log message data

Page 19: FGT1 02 Logging and Monitoring


37

Labs

• Lab 1: Status Monitor and Event Log

» Ex 1: Exploring the GUI Status Monitor

» Ex 2: Event Log and Logging Options

• Lab 2 (OPTIONAL): Remote Monitoring

» Ex 1: Remote Syslog and SNMP Monitoring

38

Classroom Lab Topology