When you enable logging on a security policy, the FortiGate unit records the scanning process activity that occurs, as well as whether the FortiGate unit allowed or denied the traffic according to the rules stated in the security policy. This information can provide insight into whether a security policy is working properly, as well as if there needs to be any modifications to the security policy, such as adding traffic shaping for better traffic performance.
Depending on what the FortiGate unit has in the way of resources, there may be advantages in optimizing the amount of logging taking places. This is why in each policy you are given 3 options for the logging:
- Disable Log Allowed Traffic – Does not record any log messages about traffic accepted by this policy.
If you enable Log Allowed Traffic, the following two options are available:
- Security Events – This records only log messages relating to security events caused by traffic accepted by this policy. l All Sessions – This records all log messages relating to all of the traffic accepted by this policy.
Depending on the model, if the Log all Sessions option is selected there may be 2 additional options. These options are normally available in the GUI on the higher end models such as the FortiGate 600C or larger.
- Generate Logs when Session Starts l Capture Packets
You can also use the CLI to enter the following command to write a log message when a session starts:
config firewall policy edit <policy-index> set logtraffic-start
Traffic is logged in the traffic log file and provides detailed information that you may not think you need, but do. For example, the traffic log can have information about an application used (web: HTTP.Image), and whether or not the packet was SNAT or DNAT translated. The following is an example of a traffic log message.
2011-04-13 05:23:47 log_id=4 type=traffic subtype=other pri=notice vd=root status=”start” src=”10.41.101.20″ srcname=”10.41.101.20″ src_port=58115 dst=”172.20.120.100″ dstname=”172.20.120.100″ dst_country=”N/A” dst_port=137 tran_ip=”N/A” tran_port=0 tran_sip=”10.31.101.41″ tran_sport=58115 service=”137/udp” proto=17 app_type=”N/A” duration=0 rule=1 policyid=1 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 src_int=”internal” dst_int=”wan1″ SN=97404 app=”N/A” app_cat=”N/A” carrier_ep=”N/A”
If you want to know more about logging, see the Logging and Reporting chapter in the FortiOS Handbook. If you want to know more about traffic log messages, see the FortiGate Log Message Reference.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!