FortiWAN Log format

Log format

A log listed here consists of three parts:

{TIMESTAMP} {LOG_TYPE} {LOG_CONTENT}

The {TIMESTAMP} is in the format ‘yyyy-mm-dd HH:MM:SS’ and is always a UTC time (there is no zone suffix, so treat every timestamp as UTC when correlating with other sources). The details of {LOG_TYPE} and {LOG_CONTENT} are described as follows.

Notation Conventions

{ADDRPORT} follows the TCPDUMP format (the address, a dot, then the port), for example:

  • IPv4: 8.8.8.8.80
  • IPv6: 2001::8:8:8:8.80

{IP-5-TUPLE} depends on the protocol:

  • ICMP: PROTO=1 SRC=<ip> DST=<ip> ID=<icmpid> TYPE=<icmptype> CODE=<icmpcode> (the BM log doesn’t have the TYPE and CODE fields, because they are per packet while BM reports a whole session)
  • TCP: PROTO=6 SRC=<{ADDRPORT}> DST=<{ADDRPORT}>
  • UDP: PROTO=17 SRC=<{ADDRPORT}> DST=<{ADDRPORT}>
  • ICMPv6: PROTO=58 SRC=<ip> DST=<ip> TYPE=<icmpv6type> CODE=<icmpv6code>
  • Others: PROTO=<protocol num> SRC=<ip> DST=<ip>
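A parser for the line format and the notation above, added here as an example (it is not code from the FortiWAN documentation). It assumes that the key=value fields carry no angle brackets or spaces in real output, and that SRC/DST use the tcpdump address.port form; the sample lines are constructed, not captured from a unit. The one detail worth seeing in code is the port split: the port is whatever follows the last dot, which works for both families because an IPv6 address never contains a dot and a bare IPv4 address has only three.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Added example, not code from the FortiWAN documentation: a parser for the
# "{TIMESTAMP} {LOG_TYPE} {LOG_CONTENT}" lines described above. Assumptions:
# key=value fields carry no angle brackets or spaces, and SRC/DST use the
# tcpdump "address.port" form shown under Notation Conventions.

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+)\s*(.*)$")


def split_addrport(value):
    """Split a tcpdump-style {ADDRPORT} into (ip, port).

    The port is whatever follows the LAST dot ("8.8.8.8.80" -> 8.8.8.8 / 80,
    "2001::8:8:8:8.80" -> 2001::8:8:8:8 / 80). A plain <ip> with no port (as
    in ICMP SRC/DST) is recognised because the part before its last dot
    ("8.8.8") is not a valid address by itself.
    """
    addr, dot, port = value.rpartition(".")
    if dot and port.isdigit():
        try:
            return str(ipaddress.ip_address(addr)), int(port)
        except ValueError:
            pass  # e.g. "8.8.8" is not an address: the value had no port
    return str(ipaddress.ip_address(value)), None


def parse_fields(content):
    """Tokenise "K=V K=V ..." content into a dict, converting counters.

    DURATION is written as "<n>SECS" in BM logs and is returned as an int of
    seconds; any other all-digit value (TOTLEN, INPKTS, ...) becomes an int.
    """
    fields = {}
    for token in content.split():
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        if key == "DURATION" and value.endswith("SECS"):
            value = value[:-4]
        fields[key] = int(value) if value.isdigit() else value
    return fields


def parse_line(line):
    """Return a record for one log line, with the {IP-5-TUPLE} normalised.

    The tuple is (proto, src_ip, src_port, dst_ip, dst_port); ports are None
    for protocols that do not carry them (ICMP, ICMPv6, "others").
    """
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a FortiWAN log line: %r" % line)
    ts, log_type, content = m.groups()
    rec = {
        # The timestamp is documented as always UTC, so attach tzinfo instead
        # of leaving a naive datetime that a SIEM might treat as local time.
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
        "type": log_type,
        "fields": parse_fields(content),
    }
    f = rec["fields"]
    if "PROTO" in f and "SRC" in f and "DST" in f:
        src_ip, src_port = split_addrport(f["SRC"])
        dst_ip, dst_port = split_addrport(f["DST"])
        rec["tuple"] = (f["PROTO"], src_ip, src_port, dst_ip, dst_port)
    return rec


# Constructed sample lines (not real FortiWAN output) in the documented format.
SAMPLE_LINES = [
    "2019-03-05 08:12:33 FW PROTO=6 SRC=192.0.2.10.51515 DST=198.51.100.7.443 ACTION=DENY TOTLEN=60",
    "2019-03-05 08:12:34 FW PROTO=1 SRC=192.0.2.10 DST=198.51.100.7 ID=4711 TYPE=8 CODE=0 ACTION=DENY TOTLEN=84",
    "2019-03-05 08:13:00 NAT PROTO=17 SRC=2001:db8::8:8:8:8.5353 DST=2001:db8::1.53 NEW_SRC=2001:db8:ffff::1",
    "2019-03-05 09:00:00 BM PROTO=6 SRC=192.0.2.10.51515 DST=198.51.100.7.443 INPKTS=10 INBYTES=1200 OUTPKTS=8 OUTBYTES=900 TOTALPKTS=18 TOTALBYTES=2100 DURATION=47SECS",
]


def denied_sessions(lines):
    """The FW log only ever records DENY, so this is the list of blocked 5-tuples."""
    return [r["tuple"] for r in map(parse_line, lines)
            if r["type"] == "FW" and r["fields"].get("ACTION") == "DENY"]


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec["ts"].isoformat(), rec["type"], rec.get("tuple"), rec["fields"])
```

Because the FW log is only written for DENY (see the Firewall section), `denied_sessions` is simply every FW record; the ACTION check is kept so the code stays correct if a build ever logs ACCEPT too.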

Firewall

FW {IP‐5‐TUPLE} ACTION=[ACCEPT|DENY] TOTLEN=<pktlen>
The first packet of session {IP‐5‐TUPLE} matching a Firewall rule triggers the log. The system generates only one log for this session. This log indicates that all the packets of the session {IP‐5‐TUPLE} are accepted or denied by the Firewall, and that the first packet size is <pktlen>. In practice the ACCEPT event is not logged by the system, so only denied sessions appear in the log.

See “Firewall” for further information.

NAT

NAT {IP‐5‐TUPLE} NEW_SRC={ADDR}
The first packet of session {IP‐5‐TUPLE} matching a NAT rule triggers the log. System generates only one log for this session. This log indicates source addresses of the packets of {IP‐5‐TUPLE} are translated to the new address {ADDR} by NAT.

See “NAT” for further information.

Auto & Persistent Routing

AR {IP‐5‐TUPLE} AR=[<widx>|NONE] TOTLEN=<pktlen>

The first packet of session {IP‐5‐TUPLE} matching an Auto Routing rule triggers the log. The system generates only one log for this session. This log indicates that packets of the session {IP‐5‐TUPLE} are transferred outward through WAN link <widx>, or that all the WAN links defined in the routing and fail-over policies failed to transfer the packets (AR=NONE). The first packet size of the session is <pktlen>. See “Auto Routing” for further information.
PR {IP‐5‐TUPLE} PR=[<widx>|WAIT_AR|NONE] TOTLEN=<pktlen>
The first packet of session {IP‐5‐TUPLE} matching a Persistent Routing rule triggers the log. System generates only one log for this session. This log indicates packets of the session {IP‐5‐TUPLE} are transferred outward through WAN link <widx> (the persistence entry of the session is not expired), or Auto Routing determines the WAN link for the session (PR=WAIT_AR, the persistence entry of the session is expired or absent), or the action to this session is No PR (PR=NONE). The first packet size of the session is <pktlen>. See “Persistent Routing” for further information.

When a PR log has PR=WAIT_AR, that PR log and a corresponding AR log for the same session are generated as a pair; the AR log is the one that tells you which WAN link the session actually took.
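The pairing rule above is easy to get wrong when reading logs by hand, because a PR line with PR=WAIT_AR says nothing about the final link. The following added example (not FortiWAN code) joins PR and AR logs on the 5-tuple and reports, per session, whether the link came from the persistence entry or from Auto Routing, and which sessions ended with AR=NONE. The log lines are constructed; sessions are keyed on the raw PROTO/SRC/DST strings, which is enough because both logs print the same 5-tuple.

```python
# Added example, not FortiWAN code: pair PR logs that defer to Auto Routing
# (PR=WAIT_AR) with the AR log of the same session and report the WAN link the
# session was finally sent on.


def _fields(content):
    return dict(tok.split("=", 1) for tok in content.split() if "=" in tok)


def _split(line):
    """'{TIMESTAMP} {LOG_TYPE} {LOG_CONTENT}': the timestamp is two tokens."""
    date, clock, log_type, *rest = line.split()
    return date + " " + clock, log_type, _fields(" ".join(rest))


def session_key(fields):
    return (fields["PROTO"], fields["SRC"], fields["DST"])


def resolve_routing(lines):
    """Map each session to (how, wan).

    how is one of:
      PR         - persistence entry was valid; PR names the link
      AR         - Auto Routing chose the link (PR=WAIT_AR, or no PR rule matched)
      NO_PR      - PR=NONE: the rule's action is No PR; the link is not in this log
      MISSING_AR - PR=WAIT_AR but no AR log was seen for the session
    wan is the WAN index as a string, or None when AR=NONE (every link in the
    routing and fail-over policies failed) or when the link is not known.
    """
    pr, ar = {}, {}
    for line in lines:
        _, log_type, f = _split(line)
        if log_type == "PR":
            pr[session_key(f)] = f["PR"]
        elif log_type == "AR":
            ar[session_key(f)] = f["AR"]
    result = {}
    for key in pr.keys() | ar.keys():
        p, a = pr.get(key), ar.get(key)
        ar_link = None if a == "NONE" else a
        if p is None or p == "WAIT_AR":
            result[key] = ("AR", ar_link) if a is not None else ("MISSING_AR", None)
        elif p == "NONE":
            result[key] = ("NO_PR", None)
        else:
            result[key] = ("PR", p)
    return result


def unrouted(result):
    """Sessions that ended on AR=NONE: every candidate WAN link failed, so the
    traffic was not delivered. Check these first when users report an outage."""
    return sorted(k for k, (how, wan) in result.items() if how == "AR" and wan is None)


def unpaired(result):
    """PR=WAIT_AR without the AR log that should accompany it (lost or
    filtered lines, or logs read from a window that cut the pair in half)."""
    return sorted(k for k, (how, _) in result.items() if how == "MISSING_AR")


# Constructed sample lines, not real FortiWAN output.
SAMPLE_LINES = [
    "2019-03-05 10:00:00 PR PROTO=6 SRC=192.0.2.10.40001 DST=203.0.113.5.443 PR=2 TOTLEN=60",
    "2019-03-05 10:00:01 PR PROTO=6 SRC=192.0.2.11.40002 DST=203.0.113.5.443 PR=WAIT_AR TOTLEN=60",
    "2019-03-05 10:00:01 AR PROTO=6 SRC=192.0.2.11.40002 DST=203.0.113.5.443 AR=1 TOTLEN=60",
    "2019-03-05 10:00:02 PR PROTO=6 SRC=192.0.2.12.40003 DST=203.0.113.5.443 PR=WAIT_AR TOTLEN=60",
    "2019-03-05 10:00:02 AR PROTO=6 SRC=192.0.2.12.40003 DST=203.0.113.5.443 AR=NONE TOTLEN=60",
    "2019-03-05 10:00:03 AR PROTO=17 SRC=192.0.2.13.5000 DST=203.0.113.9.53 AR=3 TOTLEN=80",
    "2019-03-05 10:00:04 PR PROTO=6 SRC=192.0.2.14.40004 DST=203.0.113.5.443 PR=WAIT_AR TOTLEN=60",
]

if __name__ == "__main__":
    routed = resolve_routing(SAMPLE_LINES)
    for key, (how, wan) in sorted(routed.items()):
        print(key, how, wan)
    print("unrouted:", unrouted(routed))
    print("unpaired:", unpaired(routed))
```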

Virtual Server

VS {IP‐5‐TUPLE} NEW_DST={ADDR} TOTLEN=<pktlen>
The first packet of session {IP‐5‐TUPLE} matching a Virtual Server rule triggers the log. System generates only one log for this session. This log indicates destination addresses of the packets of {IP‐5‐TUPLE} are translated to the new address {ADDR} by Virtual Server. The first packet size of the session is <pktlen>.

See “Virtual Server” for further information.

BM

BM {IP‐5‐TUPLE} INPKTS=<%lu> INBYTES=<%lu> OUTPKTS=<%lu> OUTBYTES=<%lu> TOTALPKTS=<%lu> TOTALBYTES=<%lu> DURATION=<%lu>SECS
Session {IP‐5‐TUPLE} matching a Bandwidth Management filter triggers the log when it is closed. System generates only one log for this session. This log indicates the traffic statistics (INPKTS, INBYTES, OUTPKTS, OUTBYTES, TOTALPKTS, TOTALBYTES and DURATION) of the session {IP‐5‐TUPLE}.

See “Bandwidth Management” for further information.

Connection Limit

Count Limit

CL SRC=<ip> DROP=<pkt_number>
This log is triggered once per time period if the number of connections generated by a source SRC=<ip> exceeds the limit defined in Connection Limit > Count Limit. It indicates that the connections generated by SRC=<ip> and passing through FortiWAN exceeded the limit, and that <pkt_number> packets were dropped for that reason.

Rate Limit

RL RULE=<ridx> DROP=<pkt_number>
This log is triggered once per time period if a rule <ridx> of Connection Limit > Rate Limit is matched. It indicates that the connections defined in Rate Limit rule <ridx> were generated at a rate higher than the limit, and that <pkt_number> packets were dropped for that reason.

See “Connection Limit” for further information.

Cache Redirect
CR {IP‐5‐TUPLE} NEW_DST={ADDR‐PORT}
The first packet of session {IP‐5‐TUPLE} matching a Cache Redirect rule triggers the log. The system generates only one log for this session. This log indicates that the destination addresses and ports of the packets of {IP‐5‐TUPLE} are translated to {ADDR‐PORT} by Cache Redirect.

See “Cache Redirect” for further information.

Multihoming
MH FROM=<ip> TYPE=<A|AAAA> WLINK=<widx> REPLY=<ip>
A DNS response (to a query for an A or AAAA record) sent by Multihoming triggers the log. The system generates the log only for DNS queries for A and AAAA records. This log indicates that a DNS query of type TYPE=<A|AAAA> coming from FROM=<ip> was answered by Multihoming with REPLY=<ip>, which is the IP address of WAN link <widx>.

System generates two logs for A and AAAA records if the DNS query type is ANY.

See “Multihoming” for further information.

Dynamic IP

DHCP

DHCP WLINK=<widx> ACTION=<init|renew|rebind|expired|failed|release|stop|bind> [IP=<ip>]
The system triggers the log when a DHCP WAN link <widx> performs ACTION. IP=<ip> is present only for ACTION=bind, and ACTION=bind always carries it.

PPPoE

PPPOE WLINK=<widx> ACTION=<start|terminated|bind> [IP=<ip>]

The system triggers the log when a PPPoE WAN link <widx> performs ACTION. IP=<ip> is present only for ACTION=bind, and ACTION=bind always carries it. Three more logs are introduced when a PPPoE WAN link fails:

  • PPPOE config‐requests timeout
  • PPPOE connection no response
  • PPPOE authentication failed

IP-MAC Mapping
MAC {IP‐5‐TUPLE} BAD_SRC_MAC=<MAC>
The first packet of session {IP‐5‐TUPLE} blocked by IP-MAC Mapping triggers the log. The system generates only one log for this session. This log indicates that the source MAC address <MAC> of the packets of {IP‐5‐TUPLE} does not match the MAC address defined in the IP-MAC table for that IP, so the packets are blocked.
MAC {IP‐5‐TUPLE} BAD_DST_MAC=<MAC>
The first packet of session {IP‐5‐TUPLE} blocked by IP-MAC Mapping triggers the log. The system generates only one log for this session. This log indicates that the destination MAC address <MAC> of the packets of {IP‐5‐TUPLE} does not match the MAC address defined in the IP-MAC table for that IP, so the packets are blocked.

See “IP-MAC Mapping” for further information.

Tunnel Routing
TR {IP‐5‐TUPLE} GROUP=<group name> TOTLEN=<pktlen>
The first packet of session {IP‐5‐TUPLE} being transferred by Tunnel Routing triggers the log. System generates only one log for this session. This log indicates packets of {IP‐5‐TUPLE} are transferred through the Tunnel Group <group name>, and the first packet size of the session is <pktlen>.
TUN FROM=<ip> TO=<ip> ACTION=<start|stop|fail|recover>
This log is triggered when a single GRE tunnel FROM=<ip> TO=<ip> performs ACTION.

See “Tunnel Routing” for further information.

IPSec
ISAKMP-SA <established|expired|deleted> <LOCAL_IP_PORT>-<REMOTE_IP_PORT>
An ISAKMP SA between <LOCAL_IP_PORT> and <REMOTE_IP_PORT> is established, expired or deleted.
IPsec-SA <established|expired>: ESP/<Transport|Tunnel> <LOCAL_IP_PORT>-><REMOTE_IP_PORT>
A Transport mode or Tunnel mode IPsec SA between <LOCAL_IP_PORT> and <REMOTE_IP_PORT> is established or expired.
<initiate|respond> new phase <1|2> negotiation: <LOCAL_IP_PORT><=><REMOTE_IP_PORT>
After an ISAKMP SA or IPsec SA expires, a new IKE phase 1 or phase 2 negotiation between <LOCAL_IP_PORT> and <REMOTE_IP_PORT> is initiated or responded to.
NOTIFY: the packet is retransmitted by <IP_PORT>
IKE negotiation packets are being retransmitted because authentication failed (the pre-shared keys configured on the two peers might not match).
<IP> INFO: request for establishing IPsec-SA was queued due to no phase1 found.
A request for establishing an IPsec SA from <IP> was queued because phase 1 negotiation failed (the phase 1 proposals of the two peers might not match).
<IP> INFO: received INITIAL-CONTACT
<IP> received the request for negotiation from the peer.
ERROR: phase1 negotiation failed due to time up.
A queued or retransmitted phase 1 negotiation is declared failed because its timer expired.
<IP> ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
The peer <IP> accepted none of the proposals offered in the phase 2 negotiation messages (the phase 2 proposals of the two peers might not match).
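Unlike the session logs, these IPsec messages are free text, so a SIEM rule has to pattern-match them. The added example below (not FortiWAN code) classifies each message listed above, pulls out the remote peer, and attaches the cause the text gives, so that an on-call engineer sees "compare phase 2 proposals" next to the peer instead of a raw NO-PROPOSAL-CHOSEN. It assumes the functions receive the {LOG_CONTENT} part only (timestamp and log type already stripped) and that <LOCAL_IP_PORT>/<REMOTE_IP_PORT> are written as "ip[port]" such as "203.0.113.5[500]"; if your unit prints them differently, adjust PEER_RE. The sample messages are constructed.

```python
import re

# Added example, not from the FortiWAN documentation: classify the IPsec/ISAKMP
# messages listed above and attach the likely cause the text gives for each.
# Assumption: <LOCAL_IP_PORT>/<REMOTE_IP_PORT> look like "ip[port]".

PEER_RE = re.compile(r"^([0-9a-fA-F.:]+)")  # address part of "ip[port]" or "ip"

# (pattern, kind, index of the capture group holding the remote peer, or None)
RULES = [
    (re.compile(r"^ISAKMP-SA (established|expired|deleted) (\S+)-(\S+)$"), "isakmp_sa", 3),
    (re.compile(r"^IPsec-SA (established|expired): ESP/(Transport|Tunnel) (\S+)->(\S+)$"), "ipsec_sa", 4),
    (re.compile(r"^(initiate|respond) new phase (1|2) negotiation: (\S+)<=>(\S+)$"), "negotiation", 4),
    (re.compile(r"^NOTIFY: the packet is retransmitted by (\S+)$"), "retransmit", 1),
    (re.compile(r"^(\S+) INFO: request for establishing IPsec-SA was queued due to no phase1 found\.$"), "no_phase1", 1),
    (re.compile(r"^(\S+) INFO: received INITIAL-CONTACT$"), "initial_contact", 1),
    (re.compile(r"^ERROR: phase1 negotiation failed due to time up\.$"), "phase1_timeout", None),
    (re.compile(r"^(\S+) ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange\.$"), "no_proposal", 1),
]

# The cause the page gives for each failure, phrased as the next thing to check.
HINTS = {
    "retransmit": "IKE packets are being retransmitted: check that the pre-shared keys on both peers match",
    "no_phase1": "IPsec-SA request queued with no phase 1: compare the phase 1 proposals on both peers",
    "phase1_timeout": "phase 1 negotiation timed out after queueing/retransmission: peer unreachable or still mismatched",
    "no_proposal": "peer chose none of the phase 2 proposals: compare the phase 2 proposals on both peers",
}


def classify(message):
    """Return (kind, peer_ip, groups); kind is "unknown" for anything else."""
    text = message.strip()
    for rx, kind, peer_group in RULES:
        m = rx.match(text)
        if m:
            peer = None
            if peer_group is not None:
                pm = PEER_RE.match(m.group(peer_group))
                peer = pm.group(1) if pm else m.group(peer_group)
            return kind, peer, m.groups()
    return "unknown", None, ()


def triage(messages):
    """Walk the messages in order and keep, per peer, the last event and its
    hint. A later event for the same peer replaces the earlier one, so an
    'established' after a failure clears the hint and the result reflects the
    current state of each tunnel rather than its history."""
    state = {}
    for message in messages:
        kind, peer, groups = classify(message)
        if kind == "unknown":
            continue
        key = peer or "(no peer in message)"   # phase1 timeout names no peer
        state[key] = {"last": kind, "detail": groups, "hint": HINTS.get(kind)}
    return state


def needs_attention(state):
    """Peers whose most recent event still carries a failure hint."""
    return sorted(peer for peer, s in state.items() if s["hint"])


# Constructed sample messages, not real FortiWAN output.
SAMPLE_MESSAGES = [
    "respond new phase 1 negotiation: 192.0.2.1[500]<=>203.0.113.5[500]",
    "NOTIFY: the packet is retransmitted by 203.0.113.5[500]",
    "ERROR: phase1 negotiation failed due to time up.",
    "initiate new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.9[500]",
    "ISAKMP-SA established 192.0.2.1[500]-198.51.100.9[500]",
    "198.51.100.9 ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.",
    "ISAKMP-SA established 192.0.2.1[500]-203.0.113.77[500]",
    "IPsec-SA established: ESP/Tunnel 192.0.2.1[500]->203.0.113.77[500]",
]

if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGES)
    for peer in needs_attention(result):
        print(peer, "->", result[peer]["hint"])
```

In the sample, 203.0.113.5 never gets past retransmission (pre-shared key), 198.51.100.9 completes phase 1 but has its phase 2 proposals rejected, and 203.0.113.77 comes up cleanly; the triage output names only the first two.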

See “IPSec VPN” for further information.

System Admin session

  • <account> logged in from <ip>
  • <account> logged out from <ip>

Account change

  • Administrator account <account> removed
  • Monitor account <account> removed
  • Administrator account <account> password successfully changed
  • Administrator account <account> successfully added
  • Monitor account <account> password successfully changed
  • Monitor account <account> successfully added

Access deny

  • Incorrect <account> password from <ip>
  • Maximum # of Administrator/<account> login reached
  • Maximum # of Monitor/<account> login reached

UI command

  • There is no slave
  • Configuration synchronization finished successfully
  • Configuration synchronization failed
  • Peer information is not available
  • ARP caches are updated
  • Neighbor Discovery caches are updated
  • System time synchronized
  • No NTP servers in system settings
  • License key <key> is applied successfully, system rebooting…
  • License key <key> is applied successfully
  • Test email is sent to <receiver>
  • Failed to send test email to <receiver>
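The "System Admin session" and "Access deny" messages are the ones a SOC should alert on: repeated "Incorrect <account> password from <ip>" is password guessing against the management interface, and the same source then "logged in" is a guess that worked. The added example below (not FortiWAN code) implements that as a sliding window per source IP. It assumes lines are in the documented "{TIMESTAMP} {LOG_TYPE} {LOG_CONTENT}" form (the LOG_TYPE token for system events is not given on this page, so any single token is accepted, and the constructed sample uses the placeholder "SYS") and that account names contain no spaces.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not FortiWAN code: detect password guessing against the
# management interface from the "Access deny" and "System Admin session"
# messages. Assumptions: documented line form with any single LOG_TYPE token
# ("SYS" below is a placeholder), and account names without spaces.

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
FAIL_RE = re.compile(r"^Incorrect (\S+) password from (\S+)$")
LOGIN_RE = re.compile(r"^(\S+) logged in from (\S+)$")
LIMIT_RE = re.compile(r"^Maximum # of (Administrator|Monitor)/(\S+) login reached$")


def detect_guessing(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (timestamp, kind, ip, account) alerts.

    kind is "password_guessing" once a source IP has `threshold` failed logins
    inside `window` (a sliding window per IP, reported once per IP), and
    "login_after_guessing" when that same IP later logs in successfully: that
    is the one to page on, because the guess worked. "login_limit" passes the
    Maximum-login message through, since hitting the ceiling is worth a look.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside window
    flagged = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)

        f = FAIL_RE.match(msg)
        if f:
            account, ip = f.groups()
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ts, "password_guessing", ip, account))
            continue

        s = LOGIN_RE.match(msg)
        if s and s.group(2) in flagged:
            alerts.append((ts, "login_after_guessing", s.group(2), s.group(1)))
            continue

        lk = LIMIT_RE.match(msg)
        if lk:
            alerts.append((ts, "login_limit", None, lk.group(2)))
    return alerts


# Constructed sample lines, not real FortiWAN output.
SAMPLE_LINES = [
    "2019-03-05 11:00:00 SYS Incorrect admin password from 203.0.113.9",
    "2019-03-05 11:00:07 SYS Incorrect admin password from 203.0.113.9",
    "2019-03-05 11:00:15 SYS Incorrect admin password from 198.51.100.4",
    "2019-03-05 11:00:21 SYS Incorrect admin password from 203.0.113.9",
    "2019-03-05 11:00:34 SYS Incorrect root password from 203.0.113.9",
    "2019-03-05 11:00:48 SYS Incorrect admin password from 203.0.113.9",
    "2019-03-05 11:01:02 SYS Incorrect admin password from 203.0.113.9",
    "2019-03-05 11:03:40 SYS admin logged in from 203.0.113.9",
    "2019-03-05 11:05:00 SYS Incorrect admin password from 198.51.100.4",
    "2019-03-05 11:06:00 SYS Maximum # of Administrator/admin login reached",
]

if __name__ == "__main__":
    for ts, kind, ip, account in detect_guessing(SAMPLE_LINES):
        print(ts.isoformat(), kind, ip, account)
```

Two failures from 198.51.100.4 stay below the threshold and produce nothing; 203.0.113.9 trips it on its fifth failure and is escalated when it logs in three minutes later.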

UI setting

  • Settings are applied for page System -> <page name>
  • Settings are applied for page Service -> <page name>
  • Settings are applied for page Log -> <page name>
  • Unable to add account. The maximum number of Administrator accounts have been reached.
  • Unable to add account. The maximum number of Monitor accounts have been reached.
  • Settings are applied for RADIUS Authentication
  • Error starting notification daemon
  • Error in starting daemon for page Service -> Internal DNS
  • Error in starting daemon for page Service -> Multihoming

Info access error

  • Cannot save log/event settings

Update

  • System firmware updated

Config

  • System configuration restored
  • Multihoming daemon file write error

Shutdown

  • System reset to factory default settings
  • System reboot

Instant push

  • Pushing <logtype> is initiated
  • Failed to push <logtype>

Service error

  • Restarting Internal DNS

Error

Connection overflow
  • Current Connection Number(<connections>) reach <limit>

Rate overflow
  • Current Rate Number(<connection rate>) reach <limit>

Undefined code
  • Undefined event code <event code>

VRRP

  • VRRP become master
  • VRRP become backup
  • VRRP double-check failed

HA

  • Peer version changed from “<Model>” to “<Model>”
  • Peer serial number changed from “<Serial Number>” to “<Serial Number>”
  • Peer state changed from “<State>” to “<State>”
  • Responded to Slave’s Time Synchronization Request
  • Responded to Slave’s Configuration Synchronization Request
  • Stopped configuration synchronization due to errors
  • Finished configuration synchronization with the Slave
  • Won precedence over the booting peer. Enter the Master state.
  • Preceded by the booting peer. Enter the Slave state.
  • Master heartbeat detected. Enter the Slave state.
  • Slave heartbeat detected. Enter the Master state.
  • Panic heartbeat detected. Enter the Master state.
  • No heartbeat detected. Enter the Master state.
  • Won precedence over the incompatible peer. Enter the Master state.
  • Preceded by the incompatible peer. Enter the Panic state.
  • Peer heartbeat stopped. Enter the Master state to take over services.
  • Preceded by another Master. Reboot to enter the Slave state.
  • Too Much port down. Reboot to enter the Slave state.
  • Two Slaves linked at the same time. Restart HA after random delay.
  • Master is gone. Enter the Master state to take over services.
  • Peer heartbeat stopped
  • Time synchronization failed.
  • Configuration synchronization failed.


This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
