Viewing logs from the CLI
You can easily view log messages from within the CLI. In this example, we are viewing DLP log messages.
- Log in to the CLI and then enter the following to configure the display of the DLP log messages.
execute log filter category 9 execute log filter start-line 1 execute log filter view-lines 20
The customized display of log messages in the CLI is similar to how you customize the display of log messages in the web-based manager. For example, category 9 is the DLP log messages, and the start-line is the first line in the log database table for DLP log messages, and there will be 20
lines (view-lines 20) that will display.
- Enter the following to view the log messages:
execute log display
The following appears below execute log display:
600 logs found
20 logs returned along with the 20 DLP log messages.
Configuring NAC Quarantine logging
NAC Quarantine log messages provide information about what was banned and quarantined by a Antivirus profile. The following explains how to configure NAC Quarantine logging and enable it on a policy. This procedure assumes the Antivirus profile is already in place.
To configure NAC quarantine logging
- Go to Policy & Objects > IPv4 Policy.
- Select the policy that you want to apply the Antivirus profile to, and then select Edit.
- Within the Security Profiles section, enable Antivirus and then select the profile from the drop-down list.
- Select OK.
Logging local-in policies
- Log in to the CLI.
- Enter the following to enable NAC Quarantine in the DLP sensor:
config antivirus profile edit <profile_name> config nac-quar log enable
end
Logging local-in policies
Local-in security policies are policies the control the flow of internal traffic, and can be used to broaden or restrict an administrator’s access privileges. These local-in policies can also be configured to log traffic and activity that the policies control.
You can enable logging of local-in policies in the CLI, with the following commands:
config system global set gui-local-in-policy enable
end
The Local-In Policy page will then be available in Policy & Objects > Local In Policy. You can configure what local-in traffic to log in the CLI, or in Log & Report > Log Settings, under Local Traffic Logging.
When deciding what local-in policy traffic you want logged, consider the following:
Special Traffic
| Traffic activity | Traffic Direction | Description |
| FortiGuard update annoucements | IN | All push announcements of updates that are coming from the FortiGuard system. For example, IPS or AV updates. |
| FortiGuard update requests | OUT | All updates that are checking for antivirus or IPS as well as other FortiGuard service updates. |
| Firewall authentication | IN | The authentication made using either the web-based manager or CLI. |
| Central management (a FortiGate unit being managed by a
FortiManager unit) |
IN | The access that a FortiManager has managing the FortiGate unit. |
| DNS | IN | All DNS traffic. |
| DHCP/DHCP
Relay |
IN | All DHCP and/or DHCP Relay traffic. |
Logging local-in policies
| Traffic activity | Traffic Direction | Description |
| HA (heart beat sync policy) | IN/OUT | For high-end platforms with a backplane heart beat port. |
| HA (Session sync
policy) |
IN/OUT | This will get information from the CMDB and updated by session sync daemon. |
| CAPWAP | IN | This activity is logged only when a HAVE_CAPWAP is defined. |
| Radius | IN | This is recorded only within FortiCarrier. |
| NETBIOS forward | IN | Any interface that NETBIOS forward is enabled on. |
| RIP | IN | |
| OSPF | IN | |
| VRRP | IN | |
| BFD | IN | |
| IGMP | IN | This is recorded only when PIM is enabled. |
| PIM | IN | This is recorded only when PIM is enabled. |
| BGP | IN | This is recorded only when config bgp and bgp neightbor is enabled in the CLI. |
| WCCP policy | IN | Any interface that WCCP is enabled; however, if in Cache mode, this is not recorded because it is not available. |
| WAN Opt/ Web
Cache |
IN | Any interface where WAN Opt is enabled. |
| WANOpt Tunnel | IN | This is recorded when HAVE_WANOPT is defined. |
| SSL-VPN | IN | Any interface from a zone where the action in the policy is SSL VPN. |
| IPSEC | IN | |
| L2TP | IN | |
| PPTP | IN | |
| VPD | IN | This is recorded only when FortiClient is enabled. |
| Web cache db
test facility |
IN | This is recorded only when WA_CS_REMOTE_TEST is defined. |
| GDBserver | IN | This is recorded only when debug is enabled. |
Tracking specific search phrases in reports
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Mike.. can I use a fortigate 40F as a home firewall device and not part of an SD-WAN setup?
Absolutely