Category Archives: Fortinet

FortiAnalyzer – FortiOS 6.2.3 – Datasets

Datasets

Use the Datasets pane to create, edit, and manage your datasets.

Creating datasets

FortiAnalyzer datasets are collections of data from logs for monitored devices. Charts and macros reference datasets. When you generate a report, the datasets populate the charts and macros to provide data for the report.

FortiAnalyzer has many predefined datasets that you can use right away. You can also create your own custom datasets.

To create a new dataset:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > Datasets, and click Create New.
  3. Provide the required information for the new dataset.
Name                                       Enter a name for the dataset.
Log Type                                 Select a log type from the dropdown list.

l  The following log types are available for FortiGate: Application Control,

Intrusion Prevention, Content Log, Data Leak Prevention, Email Filter,

Event, Traffic, Virus, VoIP, Web Filter, Vulnerability Scan, FortiClient Event, FortiClient Traffic, FortiClient Vulnerability Scan, Web Application Firewall, GTP, DNS, SSH, and Local Event.

l  The following log types are available for FortiMail: Email Filter, Event, History, and Virus.

l  The following log types are available for FortiWeb: Intrusion Prevention, Event, and Traffic.

Query Enter the SQL query used for the dataset. An easy way to build a custom query is to copy and modify a predefined dataset’s query.
Variables                                Click the Add button to add variable, expression, and description information.
Test query with specified devices and time period
Time Period             Use the dropdown list to select a time period. When selecting Custom, enter the start date and time, and the end date and time.
Devices       Select All Devices or Specify to select specific devices to run the SQL query against. Click the Select Device button to add multiple devices to the query.
                     Test                         Click to test the SQL query before saving the dataset configuration.
  1. Click Test.

The query results are displayed. If the query is not successful, an error message appears in the Test Result pane.

  1. Click OK.

Viewing the SQL query of an existing dataset

You can view the SQL query for a dataset, and test the query against specific devices or all devices.

To view the SQL query for an existing dataset:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > Datasets.
  3. Hover the mouse cursor over the dataset on the dataset list. The SQL query is displayed as a tooltip. You can also open the dataset to view the Query

SQL query functions

In addition to standard SQL queries, the following are some SQL functions specific to FortiAnalyzer. These are based on standard SQL functions.

root_domain(hostname) The root domain of the FQDN. An example of using this function is:

select devid, root_domain(hostname) as website FROM $log WHERE’user’=’USER01′ GROUP BY devid, hostname ORDER BY hostname LIMIT 7

nullifna(expression) This is the inverse operation of coalesce that you can use to filter out n/a values. This function takes an expression as an argument. The actual SQL syntax this is base on is select nullif(nullif(expression, ‘N/A’), ‘n/a’).

In the following example, if the user is n/a, the source IP is returned, otherwise the username is returned.

select coalesce(nullifna(‘user’), nullifna(‘srcip’)) as user_ src, coalesce(nullifna(root_domain(hostname)),’unknown’) as domain FROM $log WHERE dstport=’80’ GROUP BY user_src, domain ORDER BY user_src LIMIT 7

email_domain email_user email_domain returns the text after the @ symbol in an email address. email_user returns the text before the @ symbol in an email address. An example of using this function is:

select ‘from’ as source, email_user(‘from’) as e_user, email_ domain(‘from’) as e_domain FROM $log LIMIT 5 OFFSET 10

from_dtime from_itime from_dtime(bigint) returns the device timestamp without time zone. from_itime(bigint) returns FortiAnalyzer’s timestamp without time zone. An example of using this function is:

select itime, from_itime(itime) as faz_local_time, dtime, from_ dtime(dtime) as dev_local_time FROM $log LIMIT 3

Managing datasets

You can manage datasets by going to Reports > Report Definitions > Datasets. Some options are available as buttons on the toolbar. Some options are available in the right-click menu. Right-click a dataset to display the menu.

Option Description
Create New Creates a new dataset.
Edit Edits the selected dataset. You can edit datasets that you created. You cannot edit predefined datasets.
View Displays the settings for the selected dataset. You cannot edit predefined datasets.
Delete Deletes the selected dataset. You can delete datasets that you create. You cannot delete predefined datasets.
Clone Clones the selected dataset. You can edit cloned datasets.
Validate Validate selected datasets.
Validate All Custom Validates all custom datasets.
Search Lets you search for a dataset name.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiAnalyzer – FortiOS 6.2.3 – Chart library

Chart library

Use the Chart library to create, edit, and manage your charts.

In a Security Fabric ADOM, you can insert charts from all device types into a single report.

Creating charts

To create charts:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > Chart Library.
  3. Click Create New in the toolbar.
  4. Configure the settings for the new chart, the click OK.
Name Enter a name for the chart.
Description Enter a description of the chart.
Dataset Select a dataset from the dropdown list. For more information, see Datasets on page 136. Options vary based on device type.
Resolve Hostname Select to resolve the hostname. Select one of the following: Inherit, Enabled, or Disabled.
Chart Type Select a graph type from the dropdown list; one of: Table, Bar, Pie, Line, Area, Donut, or Radar. This selection affects the rest of the available selections.
Data Bindings The data bindings vary depending on the chart type selected.
Table  
Table Type Select Regular, Ranked, or Drilldown.
Add Column Select to add a column. Up to 15 columns can be added for a Regular table.

Ranked tables have two columns, and Drilldown tables have three columns.

Columns The following column settings must be set: l Column Title: Enter a title for the column. l Width: Enter the column width as a percentage.

Data Binding: Select a value from the dropdown list. The options vary depending on the selected dataset.

Format: Select a value from the dropdown list.

Add Data Binding: Add data bindings to the column. Every column must have at least one data binding. The maximum number varies depending

 

  on the table type.
Order By Select what to order the table by. The available options vary depending on the selected dataset.
Show Top Enter a numerical value. Only the first ‘X’ items are displayed. Other items can be bundled into the Others category for Ranked and Drilldown tables.
Drilldown

Top

Enter a numerical value. Only the first ‘X’ items are displayed. This options is only available for Drilldown tables.
Bar  
X-Axis Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset.

Label: Enter a label for the axis.

Show Top: Enter a numerical value. Only the first ‘X’ items are displayed.

Other items are bundled into the Others category.

Y-axis Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset.

Format: Select a format from the dropdown list: Bandwidth, Counter, Default, Percentage, or Severity. l Label: Enter a label for the axis.

Bundle rest into “Others” Select to bundle the rest of the results into an Others category.
Group By l Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset. l Show Top: Enter a numerical value. Only the first ‘X’ items are displayed.

Other items can be bundled into the Others category.

Order By Select to order by the X-Axis or Y-Axis.
Pie, Donut, or Radar  
Category Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset.

Label: Enter a label for the axis.

Show Top: Enter a numerical value. Only the first ‘X’ items are displayed.

Other items can be bundled into the Others category.

Series Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset.

Format: Select a format from the dropdown list: Bandwidth, Counter, Default, Percentage, or Severity. l Label: Enter a label for the axis.

Bundle rest into “Others” Select to bundle the rest of the results into an Others category.
Line or Area  
X-Axis l Data Binding: Select a value from the dropdown list. The available
  options vary depending on the selected dataset.

l Format: Select a format from the dropdown list: Default, or Time. l Label: Enter a label for the axis.

Lines Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset.

Format: Select a format from the dropdown list: Bandwidth, Counter, Default, Percentage, or Severity.

Type: Select the type from the dropdown list: Line Up or Line Down. l Legend: Enter the legend text for the line.

Add line Select to add more lines.

Managing charts

Manage your charts in Reports > Report Definitions > Chart Library. Some options are available as buttons on the toolbar. Some options are available in the right-click menu. Right-click a chart to display the menu.

Option Description
Create New Creates a new chart.
Edit Edits a chart. You can edit charts that you created. You cannot edit predefined charts.
View Displays the settings for the selected predefined chart. You cannot edit a predefined chart.
Delete Deletes the selected chart. You can delete charts that you create. You cannot delete predefined charts.
Clone Clones the selected chart.
Import Imports a previously exported FortiAnalyzer chart.
Export Exports one or more FortiAnalyzer charts.
Show Predefined Displays the predefined charts.
Show Custom Displays the custom charts.
Search Lets you search for a chart name.

Viewing datasets associated with charts

To view datasets associated with charts:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > Chart Library.
  3. Select a chart, and click View in the toolbar.
  4. In the View Chart pane, find the name of the dataset associated with the chart in the Dataset
  5. Go to Reports > Report Definitions > Datasets.
  6. In the Search box, type the name of the dataset.
  7. Select the dataset that is found, and click View in the toolbar to view it.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

SIP and RTP source NAT

SIP and RTP source NAT

In the source NAT scenario shown below, a SIP phone connects to the Internet through a FortiGate with and IP address configured using PPPoE. The SIP ALG translates all private IPs in the SIP contact header into public IPs.

You need to configure an internal to external SIP security policy with NAT selected, and include a VoIP profile with SIP enabled.

SIP source NAT

SIP and RTP destination NAT

SIP and RTP destination NAT

In the following destination NAT scenario, a SIP phone can connect through the FortiGate to private IP address using a firewall virtual IP (VIP). The SIP ALG translates the SIP contact header to the IP of the real SIP proxy server located on the Internet.

SIP destination NAT

In the scenario, shown above, the SIP phone connects to a VIP (10.72.0.60). The SIP ALG translates the SIP contact header to 217.10.79.9, opens RTP pinholes, and manages NAT.

The FortiGate also supports a variation of this scenario where the RTP media server’s IP address is hidden on a private network or DMZ.

Source NAT with an IP pool

SIP destination NAT-RTP media server hidden

In the scenario shown above, a SIP phone connects to the Internet. The VoIP service provider only publishes a single public IP. The FortiGate is configured with a firewall VIP. The SIP phone connects to the FortiGate (217.233.90.60) and using the VIP the FortiGate translates the SIP contact header to the SIP proxy server IP address (10.0.0.60). The SIP proxy server changes the SIP/SDP connection information (which tells the SIP phone which RTP media server IP it should contact) also to 217.233.90.60.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

SIP NAT configuration example: destination address translation (destination NAT)

SIP NAT configuration example: destination address translation (destination NAT)

This configuration example shows how to configure the FortiGate to support the destination address translation scenario shown in the figure below. The FortiGate requires two SIP security policies:

l A destination NAT security policy that allows SIP messages to be sent from the Internet to the private network. This policy must include destination NAT because the addresses on the private network are not routable on the Internet. l A source NAT security policy that allows SIP messages to be sent from the private network to the Internet.

SIP destination NAT scenario part two: 200 OK returned to Phone B and media streams established

FortiGate HA cluster in NAT mode

General configuration steps

The following general configuration steps are required for this destination NAT SIP configuration. This example uses the default VoIP profile.

  1. Add the SIP proxy server firewall virtual IP.
  2. Add a firewall address for the SIP proxy server on the private network.
  3. Add a destination NAT security policy that accepts SIP sessions from the Internet destined for the SIP proxy server virtual IP and translates the destination address to the IP address of the SIP proxy server on the private network.
  4. Add a security policy that accepts SIP sessions initiated by the SIP proxy server and destined for the Internet.

Configuration steps – GUI

To add the SIP proxy server firewall virtual IP

  1. Go to Policy & Objects > Virtual IPs.
  2. Add the following SIP proxy server virtual IP.
VIP Type IPv4

destination address translation (destination NAT)

Name SIP_Proxy_VIP
Interface port1
Type Static NAT
External IP Address/Range 172.20.120.50
Mapped IP Address/Range 10.31.101.50

To add a firewall address for the SIP proxy server

  1. Go to Policy & Objects > Addresses.
  2. Add the following for the SIP proxy server:
Address Name SIP_Proxy_Server
Type Subnet
Subnet/IP Range 10.31.101.50/255.255.255.255
Interface port2

To add the security policies

  1. Go to Policy & Objects > IPv4 Policy.
  2. Add a destination NAT security policy that includes the SIP proxy server virtual IP that allows Phone B (and other SIP phones on the Internet) to send SIP request messages to the SIP proxy server.
Incoming Interface   port1
Outgoing Interface   port2
Source   all
Destination Address   SIP_Proxy_VIP
Schedule   always
Service   SIP
Action   ACCEPT
  1. Turn on NAT and select Use Outgoing Interface Address.
  2. Turn on VoIP and select the default VoIP profile.
  3. Select OK.
  4. Add a source NAT security policy to allow the SIP proxy server to send SIP request messages to Phone B and the

Internet:

Incoming Interface port2

SIP NAT configuration example: destination address translation (destination

Destination Address   all
Source   SIP_Proxy_Server
Schedule   always
Service   SIP
Action   ACCEPT
  1. Turn on NAT and select Use OutgingInterface Address.
  2. Turn on VoIP and select the default VoIP profile.
  3. Select OK.

Configuration steps – CLI

To add the SIP proxy server firewall virtual IP and firewall address

  1. Enter the following command to add the SIP proxy server firewall virtual IP. config firewall vip edit SIP_Proxy_VIP set type static-nat set extip 172.20.120.50 set mappedip 10.31.101.50 set extintf port1

end

  1. Enter the following command to add the SIP proxy server firewall address. config firewall address edit SIP_Proxy_Server set associated interface port2 set type ipmask

set subnet 10.31.101.50 255.255.255.255

end

To add security policies

  1. Enter the following command to add a destination NAT security policy that includes the SIP proxy server virtual IP that allows Phone B (and other SIP phones on the Internet) to send SIP request messages to the SIP proxy server.

config firewall policy edit 0 set srcintf port1 set dstintf port2 set srcaddr all set dstaddr SIP_Proxy_VIP set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default end

 

and RTP source NAT

  1. Enter the following command to add a source NAT security policy to allow the SIP proxy server to send SIP request messages to Phone B and the Internet:

config firewall policy edit 0 set srcintf port2 set dstintf port1 set srcaddr SIP_Proxy_Server

set dstaddr all set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

SIP NAT configuration example: source address translation (source NAT)

SIP NAT configuration example: source address translation (source NAT)

This configuration example shows how to configure the FortiGate to support the source address translation scenario shown below. The FortiGate requires two security policies that accept SIP packets. One to allow SIP Phone A to start a session with SIP Phone B and one to allow SIP Phone B to start a session with SIP Phone A. Both of these policies must include source NAT. In this example the networks are not hidden from each other so destination NAT is not required.

General configuration steps

The following general configuration steps are required for this SIP configuration. This example uses the default VoIP profile. The example also includes security policies that specifically allow SIP sessions using UDP port 5060 from Phone A to Phone B and from Phone B to Phone A. In most cases you would have more than two phones so would use more general security policies. Also, you can set the firewall service to ANY to allow traffic other than SIP on UDP port 5060.

  1. Add firewall addresses for Phone A and Phone B.
  2. Add a security policy that accepts SIP sessions initiated by Phone A and includes the default VoIP profile.
  3. Add a security policy that accepts SIP sessions initiated by Phone B and includes the default VoIP profile.

Configuration steps – GUI

To add firewall addresses for the SIP phones

  1. Go to Policy & Objects > Addresses.
  2. Add the following addresses for Phone A and Phone B:
Category Address
Name Phone_A
Type IP/Netmask
Subnet / IP Range 10.31.101.20/255.255.255.255
Interface Internal

SIP NAT configuration example: source address translation (source

Category Address
Name Phone_B
Type IP/Netmask
Subnet / IP Range 172.20.120.30/255.255.255.255
Interface wan1

To add security policies to apply the SIP ALG to SIP sessions

  1. Go to Policy & Objects > Policy > IPv4.
  2. Add a security policy to allow Phone A to send SIP request messages to Phone B:
Incoming Interface   internal
Outgoing Interface   wan1
Source   Phone_A
Destination Address   Phone_B
Schedule   always
Service   SIP
Action   ACCEPT
  1. Turn on NAT and select Use Outgoing Interface Address.
  2. Turn on VoIP and select the default VoIP profile.
  3. Select OK.
  4. Add a security policy to allow Phone B to send SIP request messages to Phone A:
Incoming Interface   wan1
Outgoing Interface   internal
Source   Phone_B
Destination Address   Phone_A
Schedule   always
Service   SIP
Action   ACCEPT
  1. Turn on NAT and select Use Outgoing Interface Address.
  2. Turn on VoIP and select the default VoIP profile.
  3. Select OK.

Configuration steps – CLI

To add firewall addresses for Phone A and Phone B and security policies to apply the SIP ALG to SIP sessions

  1. Enter the following command to add firewall addresses for Phone A and Phone B. config firewall address edit Phone_A set associated interface internal set type ipmask

set subnet 10.31.101.20 255.255.255.255

next edit Phone_B set associated interface wan1 set type ipmask

set subnet 172.20.120.30 255.255.255.255

end

  1. Enter the following command to add security policies to allow Phone A to send SIP request messages to Phone B and Phone B to send SIP request messages to Phone A.

config firewall policy edit 0 set srcintf internal set dstintf wan1 set srcaddr Phone_A set dstaddr Phone_B set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default

next edit 0 set srcintf wan1 set dstintf internal set srcaddr Phone_B set dstaddr Phone_A set action accept set schedule always set service SIP set nat enable set utm-status enable set voip-profile default end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

How the SIP ALG translates IP addresses in the SIP body

How the SIP ALG translates IP addresses in the SIP body

The SDP session profile attributes in the SIP body include IP addresses and port numbers that the SIP ALG uses to create pinholes for the media stream.

The SIP ALG translates IP addresses and port numbers in the o=, c=, and m= SDP lines. For example, in the following lines the ALG could translate the IP addresses in the o= and c= lines and the port number (49170) in the m= line.

o=PhoneA 5462346 332134 IN IP4 10.31.101.20 c=IN IP4 10.31.101.20 m=audio 49170 RTP 0 3

If the SDP session profile includes multiple RTP media streams, the SIP ALG opens pinholes and performs the required address translation for each one.

The two most important SDP attributes for the SIP ALG are c= and m=. The c= attribute is the connection information attribute. This field can appear at the session or media level. The syntax of the connection attribute is:

c=IN {IPV4 | IPV6} <destination_ip_address> Where l IN is the network type. FortiGates support the IN or Internet network type.

  • {IPV4 | IPV6} is the address type. FortiGates support IPv4 or IPv6 addresses in SDP statements. However, FortiGates do not support all types of IPv6 address translation. See SIP over IPv6 on page 95.
  • <destination_IP_address> is the unicast numeric destination IP address or domain name of the connection in either IPv4 or IPv6 format.

 

source address translation (source NAT)

The syntax of the media attribute is:

m=audio <port_number> RTP <format_list> Where l audio is the media type. FortiGates support the audio media type. l <port_number> is the destination port number used by the media stream.

  • RTP is the application layer transport protocol used for the media stream. FortiGates support the Real Time Protocol (RTP) transport protocol. l <format_list> is the format list that provides information about the application layer protocol that the media uses.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

SIP FortiOS 6 Introduction

Introduction

This FortiOS Handbook chapter contains detailed information about how FortiGates processes SIP VoIP calls and how to configure the FortiGate to apply security features to SIP calls. This document describes all FortiGate SIP configuration options and contains detailed configuration examples.

Before you begin

Before you begin to configure VoIP security profiles, including SIP, from the GUI you should go to System > Feature Visibility and turn on VoIP (under Additional Features).

Also, VoIP settings are only available if the FortiGate or current VDOM Inspection Mode is set to Proxy. To view the inspection mode go to System > Settings to confirm that Inspection Mode is set to Proxy. You can also use the following CLI command to change the inspection mode to proxy:

config system settings set inspection-mode proxy

end

The System Information dashboard widget also shows the current Mode.

How this guide is organized

This FortiOS Handbook chapter contains the following sections:

Inside FortiOS: VoIP Protection introduces FortiOS VoIP Protection

Common SIP VoIP configurations describes some common SIP configurations.

SIP messages and media protocols describes SIP messages and some common SIP media protocols.

The SIP session helper describes how the SIP session helper works and how to configure SIP support using the SIP session helper.

The SIP ALG describes how the SIP Application Layer Gateway (ALG) works and how to configure SIP support using the SIP ALG.

Conflicts between the SIP ALG and the session helper describes how to sort out conflicts between the SIP session helper and the ALG.

Stateful SIP tracking, call termination, and session inactivity timeout describes how the SIP ALG performs SIP stateful tracking, call termination and session activity timeouts.

What’s new in FortiOS 6.0.1                                                                                                                Introduction

SIP and RTP/RTCP describes how SIP relates to RTP and RTCP.

How the SIP ALG creates RTP pinholes describes how the SIP ALG creates pinholes.

Configuration example: SIP in transparent mode describes how to configure a FortiGate in transparent mode to support SIP.

RTP enable/disable (RTP bypass) describes RTP bypass.

Opening and closing SIP register, contact, via and record-route pinholes describes how FortiOS opens and closes these pinholes.

Accepting SIP register responses describes how to enable accepting SIP register responses.

How the SIP ALG performs NAT describes how the SIP ALG performs NAT.

Enhancing SIP pinhole security describes how to open smaller pinholes.

Hosted NAT traversal describes SIP hosted NAT traversal and how to configure it.

SIP over IPv6 describes how to configure SIP over IPv6.

Deep SIP message inspection describes how deep SIP message inspection works.

Blocking SIP request messages describes how to block SIP request messages to prevent some common SIP attacks.

SIP rate limiting includes more options for preventing SIP attacks.

SIP logging describes how to enable SIP logging.

Inspecting SIP over SSL/TLS (secure SIP) describes how to inspection encrypted SIP traffic.

SIP and HA–session failover and geographic redundancy describes how to use FGCP HA to support SIP geographic redundancy.

SIP and IPS describes how to turn on IPS for SIP sessions.

SIP debugging describes some tools for debugging your SIP configuration.

What’s new in FortiOS 6.0.1

VoIP features appear on the GUI when the FortiGate is operating in Flow mode, see Enabling VoIP support from the GUI on page 43.

What’s new in FortiOS 6.0

By default, FortiOS 6.0 disables the SIP session helper, see SIP session helper configuration overview on page 35.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Troubleshooting and logging – FortiOS 6

Troubleshooting and logging

This section explains how to troubleshoot logging configuration issues, as well as connection issues, that you may have with your FortiGate unit and a log device. This section also contains information about how to use log messages when troubleshooting issues that are about other FortiGate features, such as VPN tunnel errors.

Using log messages to help in troubleshooting issues

Log messages can help when troubleshooting issues that occur, since they can provide details about what is occurring. The uses and methods for involving logging in troubleshooting vary depending on the problem. The following are examples of how log messages can assist when troubleshooting networking issues.

Using IPS packet logging in diagnostics

This type of logging should only be enabled when you need to know about specific diagnostic information, for example, when you suspect a signature is triggered by a false positive. These log messages can help troubleshoot individual problems with misidentified or missing packets and network intrusions involving malicious packets.

To configure IPS packet logging

  1. Go to Security Profiles > Intrusion Protection.
  2. Select the IPS sensor that you want to enable IPS packet logging on, and then select Edit.
  3. In the filter options, enable Packet Logging.
  4. Select OK.

If you want to configure the packet quota, number of packets that are recorded before alerts and after attacks, use the following procedure.

To configure additional settings for IPS packet logging

  1. Log in to the CLI.
  2. Enter the following to start configuring additional settings:

config ips settings set ips-packet-quota <integer> set packet-log-history <integer> set packet-log-post-attack <integer>

end

Using HA log messages to determine system status

When the FortiGate unit is in HA mode, you may see the following log message content within the event log:

type=event subtype=ha level=critical msg= “HA slave heartbeat interface internal lost neighbor information”

OR

type=event subtype=ha level=critical msg= “Virtual cluster 1 of group 0 detected new joined HA member” OR

type=event subtype=ha level=critical msg= “HA master heartbeat interface internal get peer information”

The log messages occur within a given time, and indicate that the units within the cluster are not aware of each other anymore. These log messages provide the information you need to fix the problem.

Connection issues between FortiGate unit and logging devices

If external logging devices are not recording the log information properly or at all, the problem will likely be due to one of two situations: no data is being received because the log device cannot be reached, or no data is being sent because the FortiGate unit is no longer logging properly.

Unable to connect to a supported log device

After configuring logging to a supported log device, and testing the connection, you may find you cannot connect. To determine whether this is the problem:

  1. Verify that the information you entered is correct; it could be a simple mistake within the IP address or you may have not selected Apply on the Log Settings page after changing them, which would prevent them from taking effect.
  2. Use execute ping to see if you can ping to the log device.
  3. If you are unable to ping to the log device, check to see if the log device itself working and that it is on the network and assigned an appropriate address.

FortiGate unit has stopped logging

If the FortiGate unit stopped logging to a device, test the connection between both the FortiGate unit and device using the execute ping command. The log device may have been turned off, is upgrading to a new firmware version, or just not working properly.

The FortiGate unit may also have a corrupted log database. When you log into the web-based manager and you see an SQL database error message, it is because the SQL database has become corrupted. View “SQL database errors” in the next section before taking any further actions, to avoid losing your current logs.

Log database issues

If attempting to troubleshoot issues with the SQL log database, use the following to help guide you to solving issues that occur.

SQL statement syntax errors

There may be errors or inconsistencies in the SQL used to maintain the database. Here are some example error messages and possible causes:

You have an error in your SQL syntax (remote/MySQL)

or

ERROR: syntax error at or near… (local/PostgreSQL)

  • Verify that the SQL keywords are spelled correctly, and that the query is well-formed.
  • Table and column names are demarked by grave accent (`) characters. Single (‘) and double (“) quotation marks will cause an error.

No data is covered.

  • The query is correctly formed, but no data has been logged for the log type. Verify that you have configured the FortiGate unit to save that log type. On the Log Settings page, make sure that the log type is checked.

Connection problems

If well-formed SQL queries do not produce results, and logging is turned on for the log type, there may be a database configuration problem with the remote database.

Ensure that:

l MySQL is running and using the default port 3306. l You have created an empty database and a user who has read/write permissions for the database. l Here is an example of creating a new MySQL database named fazlogs, and adding a user for the database:

  1. #Mysql –u root –p
  2. mysql> Create database fazlogs;
  3. mysql> Grant all privileges on fazlogs.* to ‘fazlogger’@’*’ identified by ‘fazpassword’;
  4. mysql> Grant all privileges on fazlogs.* to ‘fazlogger’@’localhost’ identified by ‘fazpassword’;

SQL database errors

If the database seems inacessible, you may encounter the following error message after upgrading or downgrading the FortiGate unit’s firmware image.

Example of an SQL database error message

The error message indicates that the SQL database is corrupted and cannot be updated with the SQL schemas any more. When you see this error message, you can do one of the following:

l select Cancel and back up all log files; then select Rebuild to blank and rebuild the database. l select Rebuild immediately, which will blank the database and previous logs will be lost.

Until the database is rebuilt, no information will be logged by the FortiGate unit regardless of the log settings that are configured on the unit. When you select Rebuild, all logs are lost because the SQL database is erased and then rebuilt again. Logging resumes automatically according to your settings after the SQL database is rebuilt.

To view the status of the database, use the diagnose debug sqldb-error status command in the CLI. This command will inform you whether the database has errors present.

If you want to view the database’s errors, use the diagnose debug sqldb-error read command in the CLI. This command indicates exactly what errors occurred, and what tables contain those errors.

Log files are backed up using the execute backup {disk | memory } {alllogs | logs} command

in the CLI. You must use the text variable when backing up log files because the text variable allows you to view the log files outside the FortiGate unit. When you back up log files, you are really just copying the log files from the database to a specified location, such as a TFTP server.

Logging daemon (Miglogd)

The number of logging daemon child processes has been made available for editing. A higher number can affect performance, and a lower number can affect log processing time, although no logs will be dropped or lost if the number is decreased.

If you are suffering from performance issues, you can alter the number of logging daemon child processes, from 0 to 15, using the following syntax. The default is 8.

Troubleshooting and logging                                                                                          Logging daemon (Miglogd)

config system global set miglogd-children <integer> end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!