Category Archives: FortiCloud

FortiCloud Open Ports

FortiCloud Open Ports

Incoming Ports

Purpose

Protocol/Port
FortiAP-S Initial Discovery TCP/443
Syslog, OFTP, Registration, Quarantine, Log & Report TCP/514
Event Logs UDP/5246
FortiGate Registration, Quarantine, Log & Report, Syslog TCP/443
OFTP TCP/514
Management TCP/541
Contract Validation TCP/10151
Outgoing Ports

Purpose

Protocol/Port
FortiGuard (FortiDB will use a random port picked by the kernel) FortiGuard Updates TCP/80
FortiMonitor SSH, SFTP TCP/22
3rd-Party Servers Email Notifications/Reports TCP/25
SNMP Traps UDP/162
Syslog UDP/514

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Advanced logging

Advanced logging

This section explains how to configure other log features within your existing log configuration. You may want to include other log features after initially configuring the log topology because the network has either outgrown the initial configuration, or you want to add additional features that will help your network’s logging requirements.

 

The following topics are included in this section:

  • Configuring logging to multiple Syslog servers
  • Using Automatic Discovery to connect to a FortiAnalyzer unit
  • Activating a FortiCloud account for logging purposes
  • Viewing log storage space
  • Customizing and filtering log messages
  • Viewing logs from the CLI
  • Configuring NAC quarantine logging
  • Logging local-in policies
  • Tracking specific search phrases in reports
  • Reverting modified report settings to default settings

 

Configuring logging to multiple Syslog servers

When configuring multiple Syslog servers (or one Syslog server), you can configure reliable delivery of log messages from the Syslog server. Configuring of reliable delivery is available only in the CLI.

If VDOMs are enabled, you can configure multiple FortiAnalyzer units or Syslog servers for each VDOM.

 

To enable logging to multiple Syslog servers

1. Log in to the CLI.

2. Enter the following commands:

config log syslogd setting set csv {disable | enable} set facility <facility_name> set port <port_integer>

set reliable {disable | enable}

set server <ip_address>

set status {disable | enable}

end

3. Enter the following commands to configure the second Syslog server:

config log syslogd2 setting set csv {disable | enable} set facility <facility_name> set port <port_integer>

set reliable {disable | enable}

set server <ip_address>

set status {disable | enable}

end

4. Enter the following commands to configure the third Syslog server:

config log syslogd3 setting set csv {disable | enable} set facility <facility_name> set port <port_integer>

set reliable {disable | enable}

set server <ip_address>

set status {disable | enable}

end

Most FortiGate features are, by default, enabled for logging. You can disable individual FortiGate features you do not want the Syslog server to record, as in this example:

config log syslogd filter

set traffic {enable | disable}

set web {enable | disable}

set url-filter {enable | disable}

end

 

Using Automatic Discovery to connect to a FortiAnalyzer unit

Automatic Discovery can be used if the FortiAnalyzer unit is on the same network.

 

To connect using automatic discovery

1. Log in to the CLI.

2. Enter the following command syntax:

config log fortianalyzer setting set status enable

set server <ip_address>

set gui-display enable

set address-mode auto-discovery end

If your FortiGate unit is in Transparent mode, the interface using the automatic discovery feature will not carry traffic. For more information about how to enable the interface to also carry traffic when using the automatic discovery feature, see the Fortinet Knowledge Base article, Fortinet Discovery Protocol in Transparent mode.

The FortiGate unit searches within the same subnet for a response from any available FortiAnalyzer units.

 

 

Activating a FortiCloud account for logging purposes

When you subscribe to FortiCloud, you can configure to send logs to the FortiCloud server. The account activation can be done within the web-based manager, from the License Information widget located in Syste> Dashboard.

From this widget, you can easily create a new account, or log in to the existing account. From within the License Information widget, after the account is activated, you can go directly to the FortiCloud web portal, or log out of the service if you are already logged in.

 

 

To activate a FortiCloud account for logging purposes:

The following assumes that you are already at System > Dashboard and that you have located the License Information widget.

1. In the License Information widget, select Activate in the FortiCloud section.

The Registration window appears. From this window, you create the login credentials that you will use to access the account.

2. Select Create Account and enter then information for the login credentials.

After entering the login credentials, you are automatically logged in to your FortiCloud account.

3. Check that the account has been activated by viewing the account status from the License Information widget. If you need more space, you can subscribe to the 200Gb FortiCloud service by selecting Upgrade in the FortiCloud section of the widget.

 

Viewing log storage space

The diag sys logdisk usage command allows you to view detailed information about how much space is currently being used for logs. This is useful when you see a high percentage, such as 92 percent for the disk’s capacity. The FortiGate unit uses only 75 percent of the available disk capacity to avoid a high storage amount so when there is a high percentage, it refers to the percentage of the 75 percent that is available. For example, 92 percent of the 75 percent is available.

The following is an example of what you may see when you use diag sys logdisk usage command on a unit with no VDOMs configured:

diag sys logdisk usage

The following appears:

Total HD usage: 176MB/3011 MB Total HD logging space: 22583MB

Total HD logging space for each vdom: 22583MB

HD logging space usage for vdom “root”: 30MB/22583MB

 

 

Customizing and filtering log messages

When viewing log messages, you may want to customize and filter the information that you are seeing in the Log & Report menu (for example, Log & Report > Traffic Log > Forward Traffic). Filtering and customizing the display provides a way to view specific log information without scrolling through pages of log messages to find the information.

Customizing log messages is the process of removing or adding columns to the log display page, allowing you to view certain desired information. The most columns represent the fields from within a log message, for example, the user column represents the user field, as well as additional information. If you want to reset the customized columns on the page back to their defaults, you need to select Reset All Columns within the column title right- click menu.

Filtering information is similar to customizing, however, filtering allows you to enter specific information that indicates what should appear on the page. For example, including only log messages that appeared on February 24, between the hours of 8:00 and 8:30 am.

 

To customize and filter log messages

The following is an example that displays all traffic log messages that originate from the source IP address 172.20.120.24, as well as displaying only the columns:

  • OS Name
  • OS Version
  • Policy ID
  • Src (Source IP)

The following assumes that you are already on the page of the log messages you want to customize and filter. In this example, the log messages that we are customizing and filtering are in Log & Report > Traffic Log > Forward Traffic.

1. On the Forward Traffic page, right click anywhere on a column title.

2. Right click on a column title, and mouse over Column Settings to open the list.

3. Select each checkmarked title to uncheck it and remove them all from the displayed columns.

4. Scroll down to the list of unchecked fields and select ‘OS Name’, ‘OS Version’, ‘Policy ID’, and ‘Src’ to add checkmarks next to them.

5. Click outside the menu, and wait for the page to refresh with the new settings in place.

6. Select the funnel icon next to the word Src in the title bar of the Src column.

7. Enter the IP you want displayed (in this example, 172.20.120.24) in the text box.

8. Click Apply, and wait for the page to reload.

 

Viewing logs from the CLI

You can easily view log messages from within the CLI. In this example, we are viewing DLP log messages.

1. Log in to the CLI and then enter the following to configure the display of the DLP log messages.

execute log filter category 9 execute log filter start-line 1 execute log filter view-lines 20

The customized display of log messages in the CLI is similar to how you customize the display of log messages in the web-based manager. For example, category 9 is the DLP log messages, and the start-line is the first line in the log database table for DLP log messages, and there will be 20 lines (view-lines 20) that will display.

2. Enter the following to view the log messages:

execute log display

The following appears below execute log display:

600 logs found

20 logs returned

along with the 20 DLP log messages.

 

Configuring NAC quarantine logging

NAC quarantine log messages provide information about what was banned and quarantined by a Antivirus profile. The following explains how to configure NAC quarantine logging and enable it on a policy. This procedure assumes the Antivirus profile is already in place.

 

To configure NAC quarantine logging

1. Go to Policy & Objects > Policy > IPv4.

2. Select the policy that you want to apply the Antivirus profile to, and then select Edit.

3. Within the Security Profiles section, enable Antivirus and then select the profile from the drop-down list.

4. Select OK.

5. Log in to the CLI.

6. Enter the following to enable NAC quarantine in the DLP sensor:

config antivirus profile edit <profile_name>

config nac-quar log enable end

 

Logging local-in policies

Local-in security policies are policies the control the flow of internal traffic, and can be used to broaden or restrict an administrator’s access privileges. These local-in policies can also be configured to log traffic and activity that the policies control.

You can enable logging of local-in policies in the CLI, with the following commands:

config system global

set gui-local-in-policy enable end

The Local-In Policy page will then be available in Policy & Objects > Policy > Local In. You can configure what local-in traffic to log in the CLI, or in Log & Report > Log Config > Log Settings, under Local Traffic Logging.

When deciding what local-in policy traffic you want logged, consider the following:

 

Special Traffic

Traffic activity         Traffic Direction      Description

FortiGuard update annouce- ments

FortiGuard update requests

IN                               All push announcements of updates that are coming from the

FortiGuard system. For example, IPS or AV updates.

OUT                           All updates that are checking for antivirus or IPS as well as other

FortiGuard service updates.

Firewall authen- tication

IN                               The authentication made using either the web-based manager or CLI.

Traffic activity         Traffic Direction      Description

Central man- agement (a FortiGate unit being managed by a FortiMan- ager unit)

IN                               The access that a FortiManager has managing the FortiGate unit.

DNS                           IN                               All DNS traffic.

DHCP/DHCP Relay

IN                               All DHCP and/or DHCP Relay traffic.

HA (heart beat sync policy)

IN/OUT                      For high-end platforms with a backplane heart beat port.

 

 

HA (Session sync policy)

 

IN/OUT

 

This will get information from the CMDB and updated by sessi sync daemon.

 

CAPWAP

 

IN

 

This activity is logged only when a HAVE_CAPWAP is defined.

 

Radius

 

IN

 

This is recorded only within FortiCarrier.

 

NETBIOS forward

 

IN

 

Any interface that NETBIOS forward is enabled on.

 

RIP

 

IN

 
 

OSPF

 

IN

 
 

VRRP

 

IN

 
 

BFD

 

IN

 
 

IGMP

 

IN

 

This is recorded only when PIM is enabled.

 

PIM

 

IN

 

This is recorded only when PIM is enabled.

 

BGP

 

IN

 

This is recorded only when config bgp and bgp neightbor is enabled in the CLI.

 

WCCP policy

 

IN

 

Any interface that WCCP is enabled; however, if in Cache mode, this is not recorded because it is not available.

 

WAN Opt/ Web

Cache

IN                               Any interface where WAN Opt is enabled.

WANOpt Tunnel      IN                               This is recorded when HAVE_WANOPT is defined.

 

 

Traffic activity

 

Traffic Direction

 

Description

 

SSLVPN

 

IN

 

Any interface from a zone where the action in the policy is SSL VPN.

 

IPSEC

 

IN

 
 

L2TP

 

IN

 
 

PPTP

 

IN

 
 

VPD

 

IN

 

This is recorded only when FortiClient is enabled.

 

Web cache db test facility

 

IN

 

This is recorded only when WA_CS_REMOTE_TEST is defined.

 

GDBserver

 

IN

 

This is recorded only when debug is enabled.

 

Tracking specific search phrases in reports

It is possible to use the Web Filter to track specific search keywords and phrases and record the results for display in the report.

You should verify that the web filter profile you are using indicates what search phrases you want to track and monitor, so that the report includes this information.

1. Log in to the CLI and enter show webfilter profile default.

This provides details about the webfilter profile being used by the security policy. In this example, the details

(shown in the following in bold) indicate that safe search is enabled, but not specified or being logged.

show webfilter profile default config webfilter profile

edit “default”

set comment “default web filtering” set inspection-mode flow-based

set options https-scan set post-action comfort

config web

set safe-search url end

config ftgd-wf config filters

edit 1

set action block set category 2

next edit 2

set action block set category 7

next edit 3

set action block set category 8

2. Enter the following command syntax so that logging and the keyword for the safe search will be included in logging.

config webfilter profile edit default

config web

set log-search enable

set keyword-match “fortinet” “easter” “easter bunny” end

end

3. To test that the keyword search is working, go to a web browser and begin searching for the words that were included in the webfilter profile, such as easter.

You can tell that the test works by going to Log & Report > Traffic Log > Forward Traffic and viewing the log messages.

 

Reverting modified report settings to default settings

If you need to go back to the original default report settings, you can easily revert to those settings in the Report menu. Reverting to default settings means that your previously modified report settings will be lost.

To revert back to default report settings, in Log & Report > Report > Local, select Customize, and then Restore Defaults from the top navigation. This may take a minute or two. You can also use the CLI command execute report-config reset to reset the report to defaults.

If you are having problems with report content being outdated or incorrect, especially after a firmware update, you can recreate the report database using your current log information with the CLI command execute report recreate-db.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Logging and reporting for large networks

Logging and reporting for large networks

This section explains how to configure the FortiGate unit for logging and reporting in a larger network, such as an enterprise network. To set up this type of network, you are modifying the default log settings, and you are also modifying the default report.

The following procedures are examples and can be used to help you when configuring your own network’s log topology.

Since some of these settings must be modified or enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any that you would need to use in your own newtork’s log topology.

 

Modifying default log device settings

The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled and well as logging to either the FortiGate unit’s system memory or hard disk, depending on the model.

 

Modifying multiple FortiGate units’ system memory default settings

When the FortiGate unit’s default log device is its system memory, you can modify it to fit your log network topology. In this topic, the following is an example of how you can modify these default settings.

 

To modify the default system memory settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log memory setting set ips-archive disable set status enable

end

3. Enter the following command syntax to modify the FortiGate features that are enabled for logging:

config log memory filter set attack enable

set forward-traffic enable set local-traffic enable set netscan enable

set email-log-imap enable

set multicast-traffic enable set scanerror enable

set app-ctrl enable end

4. Repeat steps 2 and 3 for the other FortiGate units.

5. Test the modified settings using the procedure below.

 

Modifying multiple FortiGate units’ hard disk default log settings

You will have to modify each FortiGate unit’s hard disk default log settings. The following is an example of how to modify these default settings.

 

To modify the default hard disk settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log disk setting

set ips-archive disable set status enable

set max-log-file-size 1000 set storage Internal

set log-quota 100

set report-quota 100 end

3. In the CLI, enter the following to disable certain event log messages that you do not want logged:

config log disk filter

set sniffer-traffic disable set local-traffic enable

end

4. Repeat the steps 2 to 4 for the other FortiGate units.

5. Test the modified settings using the procedure below.

 

Testing the modified log settings

After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.

 

To test sending logs to the log device

1. In the CLI, enter the following command syntax:

diag log test

When you enter the command, the following appears:

generating a system event message with level – warning generating an infected virus message with level – warning generating a blocked virus message with level – warning generating a URL block message with level – warning generating a DLP message with level – warning

generating an IPS log message generating an anomaly log message

generating an application control IM message with level – information generating an IPv6 application control IM message with level – information generating deep application control logs with level – information generating an antispam message with level – notification

generating an allowed traffic message with level – notice generating a multicast traffic message with level – notice generating a ipv6 traffic message with level – notice

generating a wanopt traffic log message with level – notification

generating a HA event message with level – warning generating netscan log messages with level – notice generating a VOIP event message with level – information generating a DNS event message with level – information generating authentication event messages

generating a Forticlient message with level – information generating a NAC QUARANTINE message with level – notification generating a URL block message with level – warning

2. In the web-based interface, go to Log & Report > Event Log > User, and view the logs to see some of the recently generated test log messages.

You will be able to tell the test log messages from real log messages because they do not have “real” information;

for example, the test log messages for the vulnerability scan contain the destination IP address of 1.1.1.1 or 2.2.2.2.

 

Configuring the backup solution

Even though you are logging to multiple FortiAnalyzer units, this is more of a redundancy solution rather than a complete backup solution in this example.

The multiple FortiAnalyzer units act similar to a HA cluster, since if one FortiAnalyzer unit fails, the others continue storing the logs they receive. In a backup solution, the logs are backed up to another secure location if something happens to the log device.

A good alternate or redundant option is the FortiCloud service, which can provide secure online logging and management for multiple devices.

 

Configuring logging to multiple FortiAnalyzer units

The following example shows how to configure logging to multiple FortiAnalyzer units. Configuring multiple FortiAnalyzer units is quick and easy; however, you can only configure up to three FortiAnalyzer units per FortiGate unit.

 

To configure multiple FortiAnalyzer units

1. In the CLI, enter the following command syntax to configure the first FortiAnalyzer unit:

config log fortianalyzer setting set status enable

set server 172.20.120.22 set max-buffer-size 1000 set buffer-max-send 2000 set address-mode static set conn-timeout 100

set monitor-keepalive-period 120

set monitor-failure-retry-period 2000

end

2. Disable the features that you do not want logged, using the following example command syntax. You can view the

CLI Reference to see what commands are available.

config log fortianalyzer filter set traffic (enable | disable)

… end

3. Enter the following commands for the second FortiAnalyzer unit:

config log fortianalyzer2 setting set status enable

set server 172.20.120.23 set max-buffer-size 1000 set buffer-max-send 2000 set address-mode static set conn-timeout 100

set monitor-keepalive-period 120

set monitor-failure-retry-period 2000

end

4. Disable the features that you do not want logged, using the following example command syntax.

config log fortianalyzer filter set web (enable | disable)

… end

5. Enter the following commands for the last FortiAnalyzer unit:

config log fortianalyzer3 setting set status enable

set server 172.20.120.23 set max-buffer-size 1000 set buffer-max-send 2000 set address-mode static set conn-timeout 100

set monitor-keepalive-period 120

set monitor-failure-retry-period 2000

end

6. Disable the features that you do not want logged, using the following example command syntax.

config log fortianalyzer filter

set web-filter (enable | disable)

… end

7. Test the configuration by using the procedure, “Testing the modified log settings”.

8. On the other FortiGate units, configure steps 1 through 6, ensuring that logs are being sent to the FortiAnalyzer units.

 

Configuring logging to the FortiCloud server

The FortiCloud server can be used as a redundant backup, or your primary logging solution. The following assumes that this service has already been registered, and a subscription has been purchased for expanded space. The following is an example of how to these settings are configured for a network’s log configuration. You need to have access to both the CLI and the web-based manager when configuring uploading of logs. The upload time and interval settings can be configured in the web-based interface.

 

To configure logging to the FortiCloud server

1. Go to System > Dashboard > Status and click Login next to FortiCloud in the License Information widget.

2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)

3. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.

4. To configure the upload time and interval, go to Log & Report > Log Config > Log Settings.

5. Under the Logging and Archiving header, you can select your desired upload time.

6. With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.

 

Modifying the default FortiOS report

The default FortiOS report is provided to help you quickly and easily configure and generate a report. Below is a sample configuration with multiple examples of significant customizations that you can make to tailor reports for larger networks.

 

Creating datasets

You need to create a new dataset for gathering information about HA, admin activity and configuration changes.

Creating datasets requires SQL knowledge.

 

To create the datasets

1. Log in to the CLI.

2. Enter the following command syntax:

config report dataset edit ha

set query “select subtype_ha count(*) as totalnum from event_log

where timestamp >= F_TIMESTAMP (‘now’, ‘hour’, ‘-23’) and group by subtype_ha order by totalnum desc”

next

3. Create a dataset for the admin activity, that includes log ins and log outs from the three FortiGate administrators.

set query “select subtype_admin count(*) as totalnum from event_log

where timestamp >= F_TIMESTAMP (‘now’, ‘hour’, ‘-23’) and group by subtype_

admin order by totalnum desc”

next

4. Create a dataset for the configuration changes that the administrators did for the past 24 hours.

set query “select subtype_config count(*) as totalnum from event_log

where timestamp >= F_TIMESTAMP (‘now’, ‘hour’, ‘-23’) and group by subtype_

config order by totalnum desc”

end

next

 

Creating charts for the datasets

1. Log in to the CLI.

2. Enter the following to create a new chart:

config report chart edit ha.24h

set type table

set period last24h set dataset ha

set category event set favorite no

set style auto

set title “24 Hour HA Admin Activity”

end

 

Uploading the corporate images

You need to upload the corporate images so that they appear on the report’s pages, as well as on the cover page. Uploading images is only available in the web-based manager.

 

To upload corporate images

1. Go to Log & Report > Report > Local.

2. Select the Image icon and drag it to a place on the page.

3. The Graphic Chooser window appears.

4. Select Upload and then locate the image that you want to upload and upload the image.

The images are automatically uploaded and saved.

5. Repeat step 4 until the other corporate images are uploaded.

6. Select Cancel to close the Graphic Chooser window and return to the page.

The images can then be placed as you like by reopening the Graphic Chooser as in step 2.

 

Adding a new report cover and page

You need to add a new cover for the report, as well as a new page that will display the HA activity, admin activity and configuration changes.

 

To add and customize a new report cover

1. Go to Log & Report > Report > Local.

2. Select Customize.

3. In Sections, select the current default report section, and enter Report Cover in the field that appears; then press Enter to save the change.

4. Remove all content from the Report Cover section, and select the image icon and drag it into the main portion of the cover page; select a cover page image and then select OK.

5. Select the font size you want, and drag the text icon into the area beneath the image to add a title or explanation for the cover page.

6. Select Save to save the new report cover.

 

To add and customize a new page

1. Go to Log & Report > Report > Local.

2. Select Customize.

3. Select Sections, and select Create New to add a new section to the report. Name it Report Content, and press Enter, and OK to close the menu.

4. At the bottom of the editing window is the Section selection, where each Section is represented by a box. Select the second box.

5. Edit the content for the report as you like.

For a simpler report structure, make use of the ‘FortiGate UTM Security Analysis Report’ charts, which automatically format themselves and fill in all necessary information.

For more complex reports, add headings, default and custom charts, and explanatory text.

6. Select Save to save the new report content.

The report will automatically combine all sections. You can use headers and text to more clearly separate parts of the report, and all properly configured charts have titles built-in.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Logging and reporting for small networks

Logging and reporting for small networks

This section explains how to configure the FortiGate unit for logging and reporting in a small office or SOHO/SMB network. To properly configure this type of network, you will be modifying the default log settings, as well as the default FortiOS report.

The following procedures are examples and can be used to help you when configuring your own network’s log topology. Since some of these settings must be modified or enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any that you would need to use in your own network’s log topology.

 

Modifying default log device settings

The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled, except for traffic logging. The default logging location will be either the FortiGate unit’s system memory or hard disk, depending on the model. Units with a flash disk are not recommended for disk logging.

 

Modifying the FortiGate unit’s system memory default settings

When the FortiGate unit’s default log device is its system memory, the following is modified for a small network topology. The following is an example of how to modify these default settings.

 

To modify the default system memory settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log memory setting set ips-archive disable set status enable

end

3. The following example command syntax modifies which FortiGate features that are enabled for logging:

config log memory filter set attack enable

set forward-traffic enable set local-traffic enable set netscan enable

set email-log-imap disable set multicast-traffic enable set scanerror enable

set app-ctrl enable end

 

Modifying the FortiGate unit’s hard disk default settings

When the FortiGate unit’s default log device is its hard disk, you need to modify those settings to your network’s logging needs so that you can effectively log what you want logged. The following is an example of how to modify these default settings.

 

To modify the default hard disk settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log disk setting

set ips-archive disable set status enable

set max-log-file-size 1000 set storage FLASH

set log-quota 100

set report-quota 100 end

3. In the CLI, enter the following to disable certain event log messages that you do not want logged:

config log disk filter

set sniffer-traffic disable set local-traffic enable

end

 

Testing sending logs to the log device

After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.

 

To test sending logs to the log device

1. In the CLI, enter the following command syntax:

diag log test

When you enter the command, the following appears:

generating a system event message with level – warning generating an infected virus message with level – warning generating a blocked virus message with level – warning generating a URL block message with level – warning generating a DLP message with level – warning

generating an IPS log message generating an anomaly log message

generating an application control IM message with level – information generating an IPv6 application control IM message with level – information generating deep application control logs with level – information generating an antispam message with level – notification

generating an allowed traffic message with level – notice generating a multicast traffic message with level – notice generating a ipv6 traffic message with level – notice

generating a wanopt traffic log message with level – notification generating a HA event message with level – warning

generating netscan log messages with level – notice generating a VOIP event message with level – information generating a DNS event message with level – information generating authentication event messages

generating a Forticlient message with level – information generating a NAC QUARANTINE message with level – notification generating a URL block message with level – warning

2. In the web-based interface, go to Log & Report > Event Log > User, and view the logs to see some of the recently generated test log messages.

You will be able to tell the test log messages from real log messages because they do not have “real” information;

for example, the test log messages for the vulnerability scan contain the destination IP address of 1.1.1.1 or 2.2.2.2.

 

Configuring the backup solution

A backup solution provides a way to ensure logs are not lost. The following backup solution explains logging to a FortiCloud server and uploading logs to a FortiAnalyzer unit. With this backup solution, there can be three simultaneous storage locations for logs, the first being the FortiGate unit itself, the FortiAnalyzer unit and then the FortiCloud server.

 

Configuring logging to a FortiCloud server

The FortiCloud server can be used as a redundant backup, or your primary logging solution. The following assumes that this service has already been registered, and a subscription has been purchased for expanded space. The following is an example of how to these settings are configured for a network’s log configuration. You need to have access to both the CLI and the web-based manager when configuring uploading of logs. The upload time and interval settings can be configured in the web-based interface.

 

To configure logging to the FortiCloud server

1. Go to System > Dashboard > Status and click Login next to FortiCloud in the License Information widget.

2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)

3. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.

4. To configure the upload time and interval, go to Log & Report > Log Config > Log Settings.

5. Under the Logging and Archiving header, you can select your desired upload time.

With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.

 

Configuring uploading logs to the FortiAnalyzer unit

The logs will be uploaded to the FortiAnalyzer unit at a scheduled time. The following is an example of how to upload logs to a FortiAnalyzer unit.

 

To upload logs to a FortiAnalyzer unit

1. Go to Log & Report > Log Config > Log Settings.

2. In the Logging and Archiving section, select the check box beside Send Logs to FortiAnalyzer/FortiManager.

3. Select FortiAnalyzer (Daily at 00:00).

4. Enter the FortiAnalyzer unit’s IP address in the IP Address field.

5. To configure the daily upload time, open the CLI.

6. Enter the following to configure when the upload occurs, and the time when the unit uploads the logs:

config log fortianalyzer setting

set upload-interval {daily | weekly | monthly}

set upload-time <hh:mm>

end

7. To change the upload time, in the web-based manager, select Change beside the upload time period, and then make the changes in the Upload Schedule window. Select OK.

 

Testing uploading logs to a FortiAnalyzer unit

You should test that the FortiGate unit can upload logs to the FortiAnalyzer unit, so that the settings are configured properly.

 

To test the FortiAnalyzer upload settings

1. Go to Log & Report > Log Config > Log Settings.

2. In the Logging and Archiving section, under Send Logs to FortiAnalyzer/FortiManager, change the time to the current time by selecting Change.

For example, the current time is 11:10 am, so Change now has the time 11:10.

3. Select OK.

The logs will be immediately sent to the FortiAnalyzer unit, and will be available to view from within the

FortiAnalyzer’s interface.

 

 

Modifying the default FortiOS report

The default FortiOS report is provided to help you quickly and easily configure and generate a report. The following is an example of how to modify the default FortiOS report.

 

To modify the default FortiOS report

1. In the web-based manager, go to Log & Report > Report > Local.

2. Select Customize to open the Report Editor.

3. Change the default Fortinet image to the new image: select the Fortinet image and right-click so that Delete icon appears, and then select Delete; drag the Image icon to the box where the Fortinet image was previous; choose or upload a new image and then select OK.

4. Return to Log & Report > Report > Local.

5. Under Report Options, set the Generate report schedule to Daily and set a Time for the report to be compiled every day.

6. Enable Email Generated Reports. You may have to configure an SMTP server to send the reports before this option can be enabled. The SMTP configuration can be found in System > Config > Messaging Servers.

7. Select Apply to save the changes.

8. Select Run Now to generate a new On Demand report based on your changes.

9. Select the report from the Historical Reports list to view it.

Running On Demand reports can be a good way to compare report modifications as you configure.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!