FGT1 02 Logging and Monitoring
Transcript of FGT1 02 Logging and Monitoring
Logging and Monitoring 7 April 2014
© 2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT01-02-50005-E-20131120
Logging and Monitoring
Module Overview
• Log Severity Levels
• Storage Locations
• Log types and subtypes
• Log Structure and Behavior
• Traffic Log
• Viewing Log Messages
• Reading and Interpreting log messages
• Alert Email
… and other topics
Logging and Monitoring 7 April 2014
3
Module Objectives
• By the end of this module participants will be able to:
» State the purpose of different log types on a FortiGate
» Identify the storage location of log information
» Navigate the relevant screens for logging and monitoring of a FortiGate
» Read and interpret log messages
» View and search log messages
Logging and Monitoring
• Logging and monitoring are key elements in maintaining devices on the network
» Monitor network and Internet traffic
» Track down and pinpoint problems
» Establish baselines
Log Severity Levels
• Administrators define what type of logs are recorded
• All log messages have a severity level to help indicate how important the event is
» Emergency = System unstable
» Alert = Immediate action required
» Critical = Functionality affected
» Error = Error exists that can affect functionality
» Warning = Functionality could be affected
» Notification = Information about normal events
» Information = General system information
» Debug = Debug log messages
Log Storage Locations
Diagram: log storage locations
» Local logging: Memory, Hard drive
» Remote logging: Syslog, SNMP, FortiAnalyzer/FortiManager, FortiCloud
Log Storage Locations: FortiAnalyzer/FortiManager
Diagram: the FortiGate registers with the FortiAnalyzer/FortiManager before logs are accepted
• FAZ/FMG has a list of registered (allowed) devices
• SSL-secured OFTP used to encrypt communications
FortiAnalyzer/FortiManager: Comparison
• FortiManager is a dedicated device designed to centrally manage multiple FortiGate devices
• FortiAnalyzer is a dedicated device designed for long-term storage of log data
» FMG has identical logging and reporting functionality to FAZ, except for a 2 GB daily limit on logs received
FortiAnalyzer/FortiManager: Configuration
• Up to 3 separate FAZ/FMG devices can be configured (CLI)
» May be needed for redundancy
» Generating and sending logs requires resources
config log [fortianalyzer|fortianalyzer2|fortianalyzer3] setting
    set status enable
    set server x.x.x.x
end
Log Storage Locations: FortiCloud
• Subscription service
» Long-term log storage and reporting
» FortiGates include a 1 month free trial
» Links to FortiCare user
» Read any documentation on the website!!
Log Types and Subtypes
• Traffic Log
» Forward (traffic passed/blocked by firewall policies)
» Local (traffic aimed directly at, or created by, the FortiGate device)
» Invalid (log messages about packets considered invalid/malformed and dropped)
» Multicast (log messages about multicast traffic)
• Event Log
» System (system related events)
» User (firewall authentication events)
» Router, VPN, WanOpt & Cache, Wifi
• Security Log
» By security profile type (Antivirus, Web Filter, Intrusion Protection, etc.)
» Section is not created by default
Log Structure and Behavior
• Logging is divided into 3 sections: Traffic Log, Event Log, Security Log
» Traffic logs relate to packets to and through the device
» Event logs relate to any admin and system activity events on the device
» Security logs contain log messages related to profiles acting on traffic passing through the device
• Most security events are consolidated into the Forward Traffic log
» Less CPU intensive this way
» Exceptions: DLP, Intrusion Scanning (Security Log only)
• Additional log information can be obtained in some security profiles via the CLI (Antivirus, Web Filter, Email)
» extended-utm-log [disable (default) | enable]
» New log options show up (CLI only, varies depending on profile type)
» Security event logs show up in the Security Logs with more details
Log Generation
FW Policy Log Setting | AV/Web Filter/Email profile logging | extended-utm-log | Behavior
No Log | Disabled | N/A | No Forward Traffic or Security Logs
No Log | Enabled | Disabled | No Forward Traffic or Security Logs
No Log | Enabled | Enabled | No Forward Traffic or Security Logs
Log Security Events | Disabled | N/A | No Forward Traffic or Security Logs
Log Security Events | Enabled | Disabled | Security log events appear in Forward Traffic Log. Forward Traffic Log generated for packets causing a security event.
Log Security Events | Enabled | Enabled | Security log events appear in Security Log. Forward Traffic Log generated for packets causing a security event.
Log all Sessions | Disabled | N/A | Forward Traffic Log generated for every single packet.
Log all Sessions | Enabled | Disabled | Security log events appear in Forward Traffic Log. Forward Traffic Log generated for every single packet.
Log all Sessions | Enabled | Enabled | Security log events appear in Security Log. Forward Traffic Log generated for every single packet.
Viewing Log Messages (GUI)
Viewing Log Messages (GUI): Adding Filters
• Use Filter Settings to customize the display of log messages to show specific information in log messages
» Reduce the number of log entries that are displayed
» Filters are per column; more can be added
Viewing Log Messages (Raw)
• Fields in each log message are arranged into two groups:
» Log header (common to all log messages):
date=2013-09-10 time=11:17:56 logid=0000000009
type=traffic subtype=forward level=notice vd=root
» Log body (varies between each kind of log):
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
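To make the header/body split concrete, here is an added Python example (not from the Fortinet course material) that parses the raw key=value format shown above, separates header fields from body fields, and selects messages by severity level. The sample lines are the module's own raw messages re-joined onto single lines; the severity ranking follows the module's list, with the level field's "notice" standing for "Notification".

```python
import re

# Severity levels from most to least severe, as listed in the module;
# the level field spells the "Notification" level as "notice".
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "information", "debug"]
_RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Header fields common to every message (logid appears as log_id in some messages).
HEADER_FIELDS = {"date", "time", "logid", "log_id", "type", "subtype", "level", "vd"}

# key=value pairs: the value is a double-quoted string (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line):
    """Split one raw FortiGate log line into (header, body) dicts, unquoting values."""
    header, body = {}, {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        (header if key in HEADER_FIELDS else body)[key] = value
    return header, body

def at_least(level, threshold):
    """True when `level` is at least as severe as `threshold`; unknown levels rank below debug."""
    return _RANK.get(level, len(SEVERITY_ORDER)) <= _RANK[threshold]

def select(lines, threshold="warning", log_type=None):
    """Return (type, subtype, level, policyid) for messages at or above `threshold`."""
    rows = []
    for line in lines:
        header, body = parse_fortigate_log(line)
        if log_type and header.get("type") != log_type:
            continue
        if at_least(header.get("level", "debug"), threshold):
            rows.append((header["type"], header["subtype"], header["level"], body.get("policyid")))
    return rows

# Constructed sample input: the slides' raw messages re-joined onto single lines.
SAMPLE_LOGS = [
    'date=2013-09-10 time=11:17:56 logid=0000000009 type=traffic subtype=forward level=notice vd=root '
    'srcip=172.16.78.32 srcport=900 dstip=1.1.1.32 dstport=800 service=800/tcp policyid=100 '
    'user="test user" group="test group"',
    'date=2013-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information '
    'vd="root" user="admin" ui=http(10.0.1.10) action=login status=success profile="super_admin" '
    'msg="Administrator admin logged in successfully from http(10.0.1.10)"',
    'date=2013-09-10 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp level=warning '
    'vd="root" policyid=12345 user="user" srcip=1.1.1.1 dstip=2.2.2.2 action=block',
]
```

Calling select(SAMPLE_LOGS, threshold="notice") keeps the traffic and DLP messages and drops the information-level admin login, which is the same filtering the GUI filter settings and the `exe log filter` CLI command perform on the device.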
Viewing Log Messages (Raw): Severity Level
• Log severity level indicated in the level field of the log message
date=2013-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=http(10.0.1.10) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from http(10.0.1.10)"
information = normal event
Viewing Log Messages (Raw): Type and Subtype
» Log header
date=2013-09-10 time=12:55:06 log_id=32001 type=utm
subtype=dlp eventtype=dlp level=warning vd="root"
filteridx=0
» Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0
eventid=0 user="user" group="group" srcip=1.1.1.1
srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120
dstintf="port1" service=mm1 ...
type and subtype fields = log file that the message is recorded in
Viewing Log Messages (Raw): Policy ID
» Log body
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
hostname="host" url="www.abcd.com" msg="Data Leak
Prevention Testing Message" action=block severity=0
infection="carrier end point filter"
policyid = id number of the firewall policy matching the session
Viewing Log Messages (Raw): Status
» Log body
srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0
dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0
service=other proto=0 appid=1 app="AIM" appcat="IM"
applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name"
shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name"
shaperdroprcvdbyte=16843009 shaperperipname="perip name"
shaperperipdropbyte=16843009 devtype="iPad" osname="linux"
osversion="ver" unauthuser="user" unauthusersource="none"
collectedemail="mail" mastersrcmac=02:02:02:02:02:02
srcmac=01:01:01:01:01:01
status = action taken by the FortiGate unit
Viewing Log Messages (CLI)
exe log display
• Best to set up filters on log entries first:
exe log filter
Alert Email
• Send notification to email address upon detection of defined event
• Identify SMTP server name
• Configure at least one DNS server
• Up to three recipients per mail server
Alert Email: Configure
• Configuring Alert Email is not possible until an SMTP server has been set up
• Can be sent to up to 3 emails
Alert Message Console
• Alert messages can be displayed on the GUI
» Individual alerts can be acknowledged and removed from the list
» Customizable alert options
SNMP Monitoring
Diagram: SNMP manager polling a managed device (the FortiGate), whose SNMP agent answers using the Fortinet MIB
• Traps received by the agent are sent to the SNMP manager
• Configure the FortiGate unit interface for SNMP access
• Compile and load the Fortinet-supplied MIBs into the SNMP manager
• Create SNMP communities to allow connection from the FortiGate unit to the SNMP manager
• SNMP v1/v2 – plain text
• SNMP v3 – encrypted
SNMP Monitoring: Configuring
• v3 offers additional security over v1/v2
Configuring Log settings: GUI
Configuring Log settings: CLI
• Different log locations have different options that need to be configured (server location, user details, etc.)
» disk – hard drive (built-in non-volatile flash on some models)
» fortianalyzer|fortianalyzer2|fortianalyzer3 – separate FortiAnalyzers
» fortiguard – FortiCloud
» memory – system memory (volatile)
» syslogd|syslogd2|syslogd3 – separate syslog servers
» webtrends – WebTrends service
Configuring Log settings: Firewall Policy
• Firewall Policy setting decides if a log message is generated or not
• ‘Log Settings’ options decide if/where any log messages get stored
Event Logging: Settings
• Event logs are not directly caused by traffic passing through any firewall policies (except ‘User’)
Logging Monitor
• Overall view of the number/type of logs generated
• Drilldown allows for more detailed information
Monitor
• Monitor sub-menus found in CLI for all main function menus
• User-friendly display of monitored information
• View activity of a specific feature being monitored
• Various settings are found under "config system global":
gui-antivirus gui-ap-profile gui-application-control
gui-central-nat-table gui-certificates gui-client-reputation
gui-dlp gui-dns-database gui-dynamic-profile-display
gui-dynamic-routing gui-endpoint-control gui-explicit-proxy
gui-ipsec-manual-key gui-implicit-policy gui-ips
gui-icap gui-ipv6 gui-lines-per-page
gui-load-balance gui-local-in-policy gui-multicast-policy
gui-multiple-utm-profiles gui-object-tags gui-policy-interface-pairs-view
gui-replacement-message-groups gui-spamfilter gui-sslvpn-personal-bookmarks
gui-sslvpn-realms gui-utm-monitors gui-voip-profile
gui-vpn gui-vulnerability-scan gui-wanopt-cache
gui-webfilter gui-wireless-controller gui-wireless-opensecurity
GUI Monitors
• Example: Security Profiles Monitor
» Includes all security features
• AV Monitor
» Recent and top virus activity
• Web Monitor
» Top blocked FortiGuard categories
• Application Monitor
» Most used applications
• Intrusion Monitor
» Recent attacks
• FortiGuard Quota
» Per-user list of quota usage
Status Page: Custom Widgets
• Many widgets can have their settings altered to display different information
» The same widget can be added multiple times to the same dashboard showing different information
Status Page: Custom Dashboards
• Multiple dashboards included by default
» Included widgets are set up to provide different kinds of information
» Can be changed/deleted/added
» Per-user settings (dashboard and widget layout is not shared between users)
The Crash log
• Inspection of traffic is handled by processes
• Any time a process closes, it is a "crash"
» Some crashes are normal (closing scanunit to do a definition update)
diag deb crashlog read
• Does not contain any log message data
Labs
• Lab 1: Status Monitor and Event Log
» Ex 1: Exploring the GUI Status Monitor
» Ex 2: Event Log and Logging Options
• Lab 2: Remote Monitoring (OPTIONAL)
» Ex 1: Remote Syslog and SNMP Monitoring
Classroom Lab Topology