
Security Profiles overview

Ranging from the FortiGate®-30 series for small businesses to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines a number of security features to protect your network from threats. As a whole, these features, when included in a single Fortinet security appliance, are referred to as Security Profiles. The Security Profiles features your FortiGate model includes are:

  • AntiVirus
  • Web Filter
  • DNS Filter
  • Application Control
  • Cloud Access Security Inspection
  • Intrusion Protection
  • Anti-Spam
  • Data Leak Prevention
  • VoIP
  • ICAP
  • Web Application Firewall
  • FortiClient Profiles
  • Proxy Options
  • SSL Inspection
  • Web Rating Overrides
  • Web Profile Overrides
  • ICAP Servers

 

FortiOS 5.4 no longer supports FortiClient 5.0.

FortiOS 5.2 can support FortiClient 5.0, but only if the FortiGate was upgraded to FortiOS 5.2. Customers need to purchase a FortiClient 5.4 subscription-based FortiClient license.

Firewall policies limit access, and while this and similar features are a vital part of securing your network, they are not covered in this document.

 

Traffic inspection

When the FortiGate unit examines network traffic one packet at a time for IPS signatures, it is performing traffic analysis. This is unlike content analysis where the traffic is buffered until files, email messages, web pages, and other files are assembled and examined as a whole.

DoS policies use traffic analysis by keeping track of the type and quantity of packets, as well as their source and destination addresses.

Application control uses traffic analysis to determine which application generated the packet.

Although traffic inspection does not involve taking packets and assembling the files they carry, the packets themselves can be split into fragments as they pass from network to network. These fragments are reassembled by the FortiGate unit before examination, so a signature cannot be evaded simply by fragmenting the attack across several packets.

No two networks are the same and few recommendations apply to all networks. This topic offers suggestions on how you can use the FortiGate unit to help secure your network against threats carried in network traffic.

 

IPS signatures

IPS signatures can detect malicious network traffic. For example, the Code Red worm attacked a vulnerability in the Microsoft IIS web server. Your FortiGate’s IPS system can detect traffic attempting to exploit this vulnerability. IPS may also detect when infected systems communicate with servers to receive instructions.

 

IPS recommendations

  • Enable IPS scanning at the network edge for all services.
  • Use FortiClient endpoint IPS scanning for protection against threats that get into your network.
  • Subscribe to FortiGuard IPS Updates and configure your FortiGate unit to receive push updates. This will ensure you receive new IPS signatures as soon as they are available.
  • Your FortiGate unit includes IPS signatures written to protect specific software titles from DoS attacks. Enable the signatures for the software you have installed and set the signature action to Block.
  • You can view these signatures by going to Security Profiles > Intrusion Protection and selecting the [View IPS Signatures] link.
  • Because it is critical to guard against attacks on services that you make available to the public, configure IPS signatures to block matching signatures. For example, if you have a web server, configure the action of web server signatures to Block.

 

Suspicious traffic attributes

Network traffic itself can be used as an attack vector or a means to probe a network before an attack. For example, SYN and FIN flags should never appear together in the same TCP packet. The SYN flag is used to initiate a TCP session while the FIN flag indicates the end of data transmission at the end of a TCP session.

The FortiGate unit has IPS signatures that recognize abnormal and suspicious traffic attributes. The SYN/FIN combination is one of the suspicious flag combinations detected in TCP traffic by the TCP.BAD.FLAGS signature.

The signatures that are created specifically to examine traffic options and settings begin with the name of the traffic type they are associated with. For example, signatures created to examine TCP traffic have signature names starting with TCP.
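The following is an added example, not FortiGate code: it models the kind of flag sanity check that a signature such as TCP.BAD.FLAGS performs, by parsing raw TCP headers and reporting impossible or scanner-style flag combinations. Only the SYN+FIN rule comes from the text above; the SYN+RST, null-scan and Xmas-scan rules are classic probe patterns added here as an assumption, and the sample headers are constructed.

```python
"""Model of IPS-style TCP flag sanity checks (added example, not FortiGate code).

Only the SYN+FIN rule is taken from the text; the other combinations are
well-known scanner patterns added as an assumption about what such a
signature family typically covers.
"""
import struct

# TCP flag bits as they appear in byte 13 of the header (RFC 793, ECN bits RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def tcp_flags(segment):
    """Return the flag byte from a raw TCP header (no IP header in front)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # bytes 0-3 ports, 4-7 seq, 8-11 ack, 12 data offset, 13 flags
    return segment[13]


def flag_names(flags):
    """Human-readable flag list, e.g. 'FIN|SYN'; 'NONE' if no flag is set."""
    return "|".join(n for b, n in FLAG_NAMES.items() if flags & b) or "NONE"


def check_flags(flags):
    """Return a list of anomaly descriptions; an empty list means the flags are sane."""
    findings = []
    if (flags & SYN) and (flags & FIN):
        # From the text: a segment cannot both open and close a session.
        findings.append("SYN+FIN: open and close in the same segment")
    if (flags & SYN) and (flags & RST):
        findings.append("SYN+RST: open and abort in the same segment")   # assumption
    if (flags & 0x3F) == 0:
        findings.append("null scan: no flags set")                       # assumption
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG) and not (flags & ACK):
        findings.append("Xmas scan: FIN+PSH+URG without ACK")           # assumption
    return findings


def build_tcp_header(sport, dport, flags):
    """Constructed sample: 20-byte TCP header, no options, zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


# Constructed sample segments: one legitimate handshake start and three probes.
SAMPLES = {
    "client hello": build_tcp_header(51000, 80, SYN),
    "syn-fin probe": build_tcp_header(51001, 80, SYN | FIN),
    "null scan": build_tcp_header(51002, 80, 0),
    "xmas scan": build_tcp_header(51003, 80, FIN | PSH | URG),
}


def inspect(samples=SAMPLES):
    """Map each sample name to (flag string, list of anomalies)."""
    return {name: (flag_names(tcp_flags(seg)), check_flags(tcp_flags(seg)))
            for name, seg in samples.items()}


if __name__ == "__main__":
    for name, (names, findings) in inspect().items():
        verdict = "; ".join(findings) if findings else "ok"
        print(f"{name:14} flags={names:12} {verdict}")
```

The checks operate on the flag byte only, which is what makes them cheap enough to run on every packet without reassembly, the distinction the Traffic inspection section draws above.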

 

Application control

While applications can often be blocked by the ports they use, application control allows convenient management of all supported applications, including those that do not use set ports.

 

Application control recommendations

  • Some applications behave in an unusual manner in regards to application control. For more information, see Application considerations.
  • By default, application control allows the applications not specified in the application control list. For high security networks, you may want to change this behavior so that only the explicitly allowed applications are permitted.

 

SSL inspection

Regular web filtering can be circumvented by using https:// instead of http://. By enabling SSL inspection, the FortiGate can filter traffic that uses the HTTPS protocol. Full (deep) inspection re-signs server certificates with the FortiGate's CA certificate, so that CA certificate must be distributed to and trusted by the clients or users will see certificate warnings; certificate inspection, which examines only the server certificate and SNI, avoids this but cannot see the URL path or page content.

 

Content inspection and filtering

When the FortiGate unit buffers the packets containing files, email messages, web pages, and other similar files for reassembly before examining them, it is performing content inspection. Traffic inspection, on the other hand, is accomplished by the FortiGate unit examining individual packets of network traffic as they are received.

No two networks are the same and few recommendations apply to all networks. This topic offers suggestions on how you can use the FortiGate unit to help secure your network against content threats. Be sure to understand the effects of the changes before using the suggestions.

 

AntiVirus

The FortiGate antivirus scanner can detect viruses and other malicious payloads used to infect machines. The FortiGate unit performs deep content inspection. To prevent attempts to disguise viruses, the antivirus scanner will reassemble fragmented files and uncompress content that has been compressed. Patented Compact Pattern Recognition Language (CPRL) allows further inspection for common patterns, increasing detection rates of virus variations in the future.

 

AntiVirus recommendations

  • Enable antivirus scanning at the network edge for all services.
  • Use FortiClient endpoint antivirus scanning for protection against threats that get into your network.
  • Subscribe to FortiGuard AntiVirus Updates and configure your FortiGate unit to receive push updates. This will ensure you receive new antivirus signatures as soon as they are available.
  • Enable the Extended Virus Database if your FortiGate unit supports it.
  • Examine antivirus logs periodically. Take particular notice of repeated detections. For example, repeated virus detection in SMTP traffic could indicate a system on your network is infected and is attempting to contact other systems to spread the infection using a mass mailer.
  • The builtin-patterns file filter list contains nearly 20 file patterns. Many of the represented files can be executed or opened with a double-click. If any of these file patterns are not received as a part of your normal traffic, blocking them may help protect your network. This also saves resources since files blocked in this way do not need to be scanned for viruses.
  • To conserve system resources, avoid scanning email messages twice. Scan messages as they enter and leave your network or when clients send and retrieve them, rather than both.
  • Enable Treat Windows Executables in Email Attachments as Viruses if you are concerned about incoming ‘.exe’ files.

 

FortiGuard Web Filtering

The web is the most popular part of the Internet and, as a consequence, virtually every computer connected to the Internet is able to communicate using port 80, HTTP. Botnet communications take advantage of this open port and use it to communicate with infected computers. FortiGuard Web Filtering can help stop infections from malware sites and help prevent communication if an infection occurs.

 

FortiGuard Web Filtering recommendations

  • Enable FortiGuard Web Filtering at the network edge.
  • Install the FortiClient application and use FortiGuard Web Filtering on any systems that bypass your FortiGate unit.
  • Block categories such as Pornography, Malware, Spyware, and Phishing. These categories are more likely to be dangerous.
  • In the email filter profile, enable IP Address Check in FortiGuard Email Filtering. Many IP addresses used in spam messages lead to malicious sites; checking them will protect your users and your network.

 

DNS Filter

The following filtering options can be configured in a DNS Filter profile:

 

Blocking DNS requests to known Botnet C&C addresses

A new FortiGuard database contains a list of known Botnet C&C addresses. This database is updated dynamically and stored on the FortiGate. This database is covered by FortiGuard web filter licensing, so you must have a FortiGuard web filtering license to use this feature. You can view the botnet list by going to System > FortiGuard > Botnet Definitions.

When you block DNS requests to known Botnet C&C addresses, the IPS engine inspects DNS lookups and checks the queried domain against the Botnet C&C database. All matching DNS lookups are blocked. Matching uses a reverse prefix match (the domain is compared label by label from the right), so all subdomains of a listed domain are also blocked.

To enable blocking of DNS requests to known Botnet C&C addresses, go to Security Profiles > DNS Filter, and enable Block DNS requests to known botnet C&C.

 

Static URL filter

The DNS filter profile's static URL filter allows you to block, exempt, or monitor DNS requests. The IPS engine looks inside DNS packets and matches the domain being looked up against the domains on the static URL filter list. If there is a match, the DNS request can be blocked, exempted, monitored, or allowed.

If blocked, the DNS request is dropped, so the user cannot resolve the address and connect to the site. If exempted, access to the site is allowed even if another method (such as the botnet C&C list or FortiGuard category filtering) would otherwise block it.
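The following is an added example, not FortiGate code, showing both mechanisms just described: it extracts the queried name from a DNS query in wire format, applies a reverse prefix (label-by-label) match against a botnet C&C list and a static URL filter list, and produces a verdict. The lists and query packets are constructed. The page states that an exempt entry overrides other blocking; the rest of the precedence (static block, then botnet list, then monitor) is an assumption made here.

```python
"""DNS filter decision model (added example, not FortiGate code).

Assumptions: exempt beats every block (stated in the text); between the
remaining actions the order static block > botnet C&C > monitor > allow is
this example's own choice.
"""
import struct

# Constructed stand-in for the FortiGuard botnet C&C database.
BOTNET_CC = {"evil-c2.example", "bad.test"}

# Constructed stand-in for a DNS filter profile's static URL filter list.
STATIC_URL_FILTER = [
    ("games.example", "block"),
    ("partner.games.example", "exempt"),
    ("social.example", "monitor"),
]


def build_query(qname, qtype=1, txid=0x1234):
    """Constructed sample: minimal RFC 1035 query for qname, class IN."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def qname_from_query(packet):
    """Return the first question name, as an inspection engine must read it."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        n = packet[pos]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


def reverse_prefix_match(qname, entry):
    """True if qname equals entry or is a subdomain of it (label-wise, from the right).

    'notevil-c2.example' does not match 'evil-c2.example': this is not a
    string suffix test.
    """
    q = qname.lower().rstrip(".").split(".")
    e = entry.lower().rstrip(".").split(".")
    return len(q) >= len(e) and q[-len(e):] == e


def resolve_verdict(qname):
    """Return (action, reason) for a looked-up name."""
    actions = {a for d, a in STATIC_URL_FILTER if reverse_prefix_match(qname, d)}
    if "exempt" in actions:
        return ("allow", "static exempt")
    if "block" in actions:
        return ("block", "static block")
    if any(reverse_prefix_match(qname, d) for d in BOTNET_CC):
        return ("block", "botnet C&C")
    if "monitor" in actions:
        return ("allow", "static monitor (logged)")
    return ("allow", "no match")


def inspect_query(packet):
    """Parse a query packet and decide: returns (qname, action, reason)."""
    qname = qname_from_query(packet)
    action, reason = resolve_verdict(qname)
    return (qname, action, reason)


if __name__ == "__main__":
    for name in ["beacon.evil-c2.example", "notevil-c2.example",
                 "games.example", "partner.games.example", "www.social.example"]:
        print(inspect_query(build_query(name)))
```

The label-wise comparison is the point to check in any home-grown blocklist: a plain suffix test would wrongly block notevil-c2.example, or, worse, could be tuned to miss it.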

DNS-based web filtering

This feature is similar to the FortiGuard DNS web filtering available in FortiOS 5.2. You can configure DNS web filtering to allow, block, or monitor access to web content according to FortiGuard categories. When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups. DNS lookup requests sent to the FortiGuard DNS service return with an IP address and a domain rating that includes the FortiGuard category of the web page.

If that FortiGuard category is set to block, the result of the DNS lookup is not returned to the requester. If the category is set to redirect, then the address returned to the requester points at a FortiGuard redirect page.

You can also allow access or monitor access based on FortiGuard category.

 

AntiSpam

Spam is a common means by which attacks are delivered. Users often open email attachments they should not, and infect their own machine. The FortiGate email filter can detect harmful spam and mark it, alerting the user to the potential danger.

 

AntiSpam filter recommendations

  • Enable email filtering at the network edge for all types of email traffic.
  • Use FortiClient endpoint scanning for protection against threats that get into your network.
  • Subscribe to the FortiGuard Anti-Spam Service.

 

Data Leak Prevention

Most security features on the FortiGate unit are designed to keep unwanted traffic out of your network while Data Leak Prevention (DLP) can help you keep sensitive information from leaving your network. For example, credit card numbers and social security numbers can be detected by DLP sensors.

 

DLP recommendations

  • Rules related to HTTP posts can be created, but if the requirement is to block all HTTP posts, a better solution is to use application control or the HTTP POST Action option in the web filter profile.
  • While DLP can detect sensitive data, it is more efficient to block unnecessary communication channels than to use DLP to examine it. If you don’t use instant messaging or peer-to-peer communication in your organization, for example, use application control to block them entirely.


Troubleshooting and logging

This section explains how to troubleshoot logging configuration issues, as well as connection issues, that you may have with your FortiGate unit and a log device. This section also contains information about how to use log messages when troubleshooting issues that are about other FortiGate features, such as VPN tunnel errors.

 

Using log messages to help in troubleshooting issues

Log messages can help when troubleshooting issues that occur, since they can provide details about what is occurring. The uses and methods for involving logging in troubleshooting vary depending on the problem. The following are examples of how log messages can assist when troubleshooting networking issues.

 

Using IPS packet logging in diagnostics

This type of logging should only be enabled when you need to know about specific diagnostic information, for example, when you suspect a signature is triggered by a false positive. These log messages can help troubleshoot individual problems with misidentified or missing packets and network intrusions involving malicious packets.

 

To configure IPS packet logging

1. Go to Security Profiles > Intrusion Protection.

2. Select the IPS sensor that you want to enable IPS packet logging on, and then select Edit.

3. In the filter options, enable Packet Logging.

4. Select OK.

If you want to configure the packet quota, and the number of packets that are recorded before and after an attack, use the following procedure.

 

To configure additional settings for IPS packet logging

1. Log in to the CLI.

2. Enter the following to start configuring additional settings:

config ips settings

set ips-packet-quota <integer>

set packet-log-history <integer>

set packet-log-post-attack <integer>

end

 

Using HA log messages to determine system status

When the FortiGate unit is in HA mode, you may see the following log message content within the event log:

type=event subtype=ha level=critical msg="HA slave heartbeat interface internal lost neighbor information"

type=event subtype=ha level=critical msg="Virtual cluster 1 of group 0 detected new joined HA member"

type=event subtype=ha level=critical msg="HA master heartbeat interface internal get peer information"

These log messages occur within a short time of each other and indicate that the units within the cluster lost track of each other and then re-formed the cluster. These log messages provide the information you need to fix the problem, typically on the heartbeat interface they name.
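The following is an added example, not FortiGate code: a parser for the key=value log format shown above (quoted values may contain spaces) and a grouping of critical HA events that fall within a short window, which is how you would spot the "lost neighbor / new member joined / get peer" burst in a large event log. The sample log lines are constructed; the three msg texts are the ones quoted above, and the timestamps and other fields are made up.

```python
"""Parse FortiGate-style key=value event logs and group HA heartbeat bursts.

Added example, not FortiGate code. SAMPLE_LOG is constructed: the msg texts
are the three quoted in the text, all other fields are invented.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
date=2016-03-01 time=10:15:02 type=event subtype=system level=information vd="root" msg="Administrator admin logged in"
date=2016-03-01 time=10:15:40 type=event subtype=ha level=critical vd="root" msg="HA slave heartbeat interface internal lost neighbor information"
date=2016-03-01 time=10:15:41 type=event subtype=ha level=critical vd="root" msg="Virtual cluster 1 of group 0 detected new joined HA member"
date=2016-03-01 time=10:15:41 type=event subtype=ha level=critical vd="root" msg="HA master heartbeat interface internal get peer information"
date=2016-03-01 time=11:40:09 type=event subtype=ha level=critical vd="root" msg="HA slave heartbeat interface internal lost neighbor information"
"""

# key=value where value is either a double-quoted string (backslash escapes allowed)
# or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return a dict of fields; quotes around quoted values are stripped."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def ha_events(text):
    """Return [(timestamp, level, msg)] for every type=event subtype=ha line."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("type") == "event" and f.get("subtype") == "ha":
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
            out.append((ts, f.get("level"), f.get("msg", "")))
    return out


def heartbeat_incidents(text, window=timedelta(seconds=30)):
    """Group critical HA events: a new incident starts when an event is more than
    `window` after the first event of the current burst."""
    incidents, current = [], []
    for ts, level, msg in ha_events(text):
        if level != "critical":
            continue
        if current and ts - current[0][0] > window:
            incidents.append(current)
            current = []
        current.append((ts, msg))
    if current:
        incidents.append(current)
    return incidents


if __name__ == "__main__":
    for n, inc in enumerate(heartbeat_incidents(SAMPLE_LOG), 1):
        print(f"incident {n} starting {inc[0][0]}:")
        for ts, msg in inc:
            print(f"  {ts.time()}  {msg}")
```

Two bursts in the sample: the first shows the full lose/rejoin/peer sequence, the second is a lone "lost neighbor information" with no rejoin, which is the case that deserves a look at the heartbeat link.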

 

Connection issues between FortiGate unit and logging devices

If external logging devices are not recording the log information properly or at all, the problem will likely be due to one of two situations: no data is being received because the log device cannot be reached, or no data is being sent because the FortiGate unit is no longer logging properly.

 

Unable to connect to a supported log device

After configuring logging to a supported log device, and testing the connection, you may find you cannot connect. To determine whether this is the problem:

1. Verify that the information you entered is correct; it could be a simple mistake within the IP address or you may have not selected Apply on the Log Settings page after changing them, which would prevent them from taking effect.

2. Use execute ping to see if you can ping to the log device.

3. If you are unable to ping the log device, check that the log device itself is working, that it is on the network, and that it is assigned an appropriate address.

 

FortiGate unit has stopped logging

If the FortiGate unit stopped logging to a device, test the connection between both the FortiGate unit and device using the execute ping command. The log device may have been turned off, is upgrading to a new firmware version, or just not working properly.

The FortiGate unit may also have a corrupted log database. When you log into the web-based manager and you see an SQL database error message, it is because the SQL database has become corrupted. View "SQL database errors" in the next section before taking any further actions, to avoid losing your current logs.

 

Log database issues

If attempting to troubleshoot issues with the SQL log database, use the following to help guide you to solving issues that occur.

 

SQL statement syntax errors

There may be errors or inconsistencies in the SQL used to maintain the database. Here are some example error messages and possible causes:

You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax error at or near... (local/PostgreSQL)

  • Verify that the SQL keywords are spelled correctly, and that the query is well-formed.
  • Table and column names are delimited by grave accent (`) characters. Single (') and double (") quotation marks will cause an error.

No data is returned.

  • The query is correctly formed, but no data has been logged for the log type. Verify that you have configured the FortiGate unit to save that log type. On the Log Settings page, make sure that the log type is checked.

 

Connection problems

If well-formed SQL queries do not produce results, and logging is turned on for the log type, there may be a database configuration problem with the remote database.

 

Ensure that:

  • MySQL is running and using the default port 3306.
  • You have created an empty database and a user who has read/write permissions for the database.
  • Here is an example of creating a new MySQL database named fazlogs and adding a user for the database. The '%' host wildcard accepts connections from any address; in production, replace it with the FortiGate unit's IP address so that only the FortiGate can use the account. (On MySQL 8 and later, GRANT no longer accepts IDENTIFIED BY; create the user first with CREATE USER and then GRANT.)

# mysql -u root -p
mysql> CREATE DATABASE fazlogs;
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'%' IDENTIFIED BY 'fazpassword';
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'localhost' IDENTIFIED BY 'fazpassword';

 

SQL database errors

If the database seems inaccessible, you may encounter the following error message after upgrading or downgrading the FortiGate unit's firmware image.

 

Example of an SQL database error message

The error message indicates that the SQL database is corrupted and cannot be updated with the SQL schemas any more. When you see this error message, you can do one of the following:

  • select Cancel and back up all log files; then select Rebuild to blank and rebuild the database.
  • select Rebuild immediately, which will blank the database and previous logs will be lost.

 

Until the database is rebuilt, no information will be logged by the FortiGate unit regardless of the log settings that are configured on the unit. When you select Rebuild, all logs are lost because the SQL database is erased and then rebuilt again. Logging resumes automatically according to your settings after the SQL database is rebuilt.

To view the status of the database, use the diagnose debug sqldb-error status command in the CLI. This command will inform you whether the database has errors present.

If you want to view the database’s errors, use the diagnose debug sqldb-error read command in the CLI. This command indicates exactly what errors occurred, and what tables contain those errors.

Log files are backed up using the execute backup {disk | memory} {alllogs | logs} command in the CLI. You must use the text variable when backing up log files because the text variable allows you to view the log files outside the FortiGate unit. When you back up log files, you are really just copying the log files from the database to a specified location, such as a TFTP server.

 

Logging daemon (Miglogd)

The number of logging daemon child processes has been made available for editing. A higher number can affect performance, and a lower number can affect log processing time, although no logs will be dropped or lost if the number is decreased.

If you are suffering from performance issues, you can alter the number of logging daemon child processes, from 0 to 15, using the following syntax. The default is 8.

config system global

set miglogd-children <integer>

end



Advanced logging

This section explains how to configure other log features within your existing log configuration. You may want to include other log features after initially configuring the log topology because the network has either outgrown the initial configuration, or you want to add additional features that will help your network’s logging requirements.

 

The following topics are included in this section:

  • Configuring logging to multiple Syslog servers
  • Using Automatic Discovery to connect to a FortiAnalyzer unit
  • Activating a FortiCloud account for logging purposes
  • Viewing log storage space
  • Customizing and filtering log messages
  • Viewing logs from the CLI
  • Configuring NAC quarantine logging
  • Logging local-in policies
  • Tracking specific search phrases in reports
  • Reverting modified report settings to default settings

 

Configuring logging to multiple Syslog servers

When configuring multiple Syslog servers (or one Syslog server), you can configure reliable delivery of log messages to the Syslog server. Reliable delivery sends the messages over TCP instead of UDP, so the Syslog server must be configured to accept TCP syslog on the port you set; in either mode the messages are not encrypted, so keep the path to the log server on a trusted management network. Configuring reliable delivery is available only in the CLI.

If VDOMs are enabled, you can configure multiple FortiAnalyzer units or Syslog servers for each VDOM.

 

To enable logging to multiple Syslog servers

1. Log in to the CLI.

2. Enter the following commands:

config log syslogd setting
    set csv {disable | enable}
    set facility <facility_name>
    set port <port_integer>
    set reliable {disable | enable}
    set server <ip_address>
    set status {disable | enable}
end

3. Enter the following commands to configure the second Syslog server:

config log syslogd2 setting
    set csv {disable | enable}
    set facility <facility_name>
    set port <port_integer>
    set reliable {disable | enable}
    set server <ip_address>
    set status {disable | enable}
end

4. Enter the following commands to configure the third Syslog server:

config log syslogd3 setting
    set csv {disable | enable}
    set facility <facility_name>
    set port <port_integer>
    set reliable {disable | enable}
    set server <ip_address>
    set status {disable | enable}
end

Most FortiGate features are, by default, enabled for logging. You can disable individual FortiGate features you do not want the Syslog server to record, as in this example:

config log syslogd filter

set traffic {enable | disable}

set web {enable | disable}

set url-filter {enable | disable}

end

 

Using Automatic Discovery to connect to a FortiAnalyzer unit

Automatic Discovery can be used if the FortiAnalyzer unit is on the same network.

 

To connect using automatic discovery

1. Log in to the CLI.

2. Enter the following command syntax:

config log fortianalyzer setting
    set status enable
    set server <ip_address>
    set gui-display enable
    set address-mode auto-discovery
end

If your FortiGate unit is in Transparent mode, the interface using the automatic discovery feature will not carry traffic. For more information about how to enable the interface to also carry traffic when using the automatic discovery feature, see the Fortinet Knowledge Base article, Fortinet Discovery Protocol in Transparent mode.

The FortiGate unit searches within the same subnet for a response from any available FortiAnalyzer units.

 

 

Activating a FortiCloud account for logging purposes

When you subscribe to FortiCloud, you can configure the FortiGate unit to send logs to the FortiCloud server. The account activation can be done within the web-based manager, from the License Information widget located in System > Dashboard.

From this widget, you can easily create a new account, or log in to the existing account. From within the License Information widget, after the account is activated, you can go directly to the FortiCloud web portal, or log out of the service if you are already logged in.

 

 

To activate a FortiCloud account for logging purposes:

The following assumes that you are already at System > Dashboard and that you have located the License Information widget.

1. In the License Information widget, select Activate in the FortiCloud section.

The Registration window appears. From this window, you create the login credentials that you will use to access the account.

2. Select Create Account and enter the information for the login credentials.

After entering the login credentials, you are automatically logged in to your FortiCloud account.

3. Check that the account has been activated by viewing the account status from the License Information widget. If you need more space, you can subscribe to the 200 GB FortiCloud service by selecting Upgrade in the FortiCloud section of the widget.

 

Viewing log storage space

The diag sys logdisk usage command allows you to view detailed information about how much space is currently being used for logs. This is useful when you see a high percentage, such as 92 percent, for the disk's capacity. The FortiGate unit uses only 75 percent of the available disk capacity for logs, to avoid filling the disk, so a reported percentage refers to that 75 percent: 92 percent means that 92 percent of the logging quota is in use, not 92 percent of the whole disk.

The following is an example of what you may see when you use diag sys logdisk usage command on a unit with no VDOMs configured:

diag sys logdisk usage

The following appears:

Total HD usage: 176MB/3011 MB
Total HD logging space: 22583MB
Total HD logging space for each vdom: 22583MB
HD logging space usage for vdom "root": 30MB/22583MB

 

 

Customizing and filtering log messages

When viewing log messages, you may want to customize and filter the information that you are seeing in the Log & Report menu (for example, Log & Report > Traffic Log > Forward Traffic). Filtering and customizing the display provides a way to view specific log information without scrolling through pages of log messages to find the information.

Customizing log messages is the process of removing or adding columns to the log display page, allowing you to view certain desired information. Most columns represent fields from within a log message; for example, the user column represents the user field, as well as additional information. If you want to reset the customized columns on the page back to their defaults, you need to select Reset All Columns within the column title right-click menu.

Filtering information is similar to customizing, however, filtering allows you to enter specific information that indicates what should appear on the page. For example, including only log messages that appeared on February 24, between the hours of 8:00 and 8:30 am.

 

To customize and filter log messages

The following is an example that displays all traffic log messages that originate from the source IP address 172.20.120.24, as well as displaying only the columns:

  • OS Name
  • OS Version
  • Policy ID
  • Src (Source IP)

The following assumes that you are already on the page of the log messages you want to customize and filter. In this example, the log messages that we are customizing and filtering are in Log & Report > Traffic Log > Forward Traffic.

1. On the Forward Traffic page, right click on a column title, and mouse over Column Settings to open the list.

2. Select each checkmarked title to uncheck it and remove them all from the displayed columns.

3. Scroll down to the list of unchecked fields and select 'OS Name', 'OS Version', 'Policy ID', and 'Src' to add checkmarks next to them.

4. Click outside the menu, and wait for the page to refresh with the new settings in place.

5. Select the funnel icon next to the word Src in the title bar of the Src column.

6. Enter the IP you want displayed (in this example, 172.20.120.24) in the text box.

7. Click Apply, and wait for the page to reload.

 

Viewing logs from the CLI

You can easily view log messages from within the CLI. In this example, we are viewing DLP log messages.

1. Log in to the CLI and then enter the following to configure the display of the DLP log messages.

execute log filter category 9
execute log filter start-line 1
execute log filter view-lines 20

The customized display of log messages in the CLI is similar to how you customize the display of log messages in the web-based manager. For example, category 9 is the DLP log messages, and the start-line is the first line in the log database table for DLP log messages, and there will be 20 lines (view-lines 20) that will display.

2. Enter the following to view the log messages:

execute log display

The following appears below execute log display:

600 logs found

20 logs returned

along with the 20 DLP log messages.

 

Configuring NAC quarantine logging

NAC quarantine log messages provide information about what was banned and quarantined by an Antivirus profile. The following explains how to configure NAC quarantine logging and enable it on a policy. This procedure assumes the Antivirus profile is already in place.

 

To configure NAC quarantine logging

1. Go to Policy & Objects > Policy > IPv4.

2. Select the policy that you want to apply the Antivirus profile to, and then select Edit.

3. Within the Security Profiles section, enable Antivirus and then select the profile from the drop-down list.

4. Select OK.

5. Log in to the CLI.

6. Enter the following to enable NAC quarantine logging in the antivirus profile:

config antivirus profile
    edit <profile_name>
        config nac-quar
            set log enable
        end
    next
end

 

Logging local-in policies

Local-in security policies are policies that control traffic destined for the FortiGate unit itself (administrative access, routing protocols, VPN endpoints, and similar services), and can be used to broaden or restrict an administrator's access privileges. These local-in policies can also be configured to log the traffic and activity that they control.

You can enable the display of local-in policies in the web-based manager with the following CLI commands:

config system global
    set gui-local-in-policy enable
end

The Local-In Policy page will then be available in Policy & Objects > Policy > Local In. You can configure what local-in traffic to log in the CLI, or in Log & Report > Log Config > Log Settings, under Local Traffic Logging.

When deciding what local-in policy traffic you want logged, consider the following:

 

Special Traffic

Traffic activity                    Direction   Description
FortiGuard update announcements     IN          All push announcements of updates coming from the FortiGuard system, for example IPS or AV updates.
FortiGuard update requests          OUT         All requests that check for antivirus, IPS, and other FortiGuard service updates.
Firewall authentication             IN          Authentication made using either the web-based manager or the CLI.
Central management                  IN          Access by a FortiManager unit that manages the FortiGate unit.
DNS                                 IN          All DNS traffic.
DHCP/DHCP Relay                     IN          All DHCP and/or DHCP Relay traffic.
HA (heartbeat sync policy)          IN/OUT      For high-end platforms with a backplane heartbeat port.
HA (session sync policy)            IN/OUT      Gets information from the CMDB, updated by the session sync daemon.
CAPWAP                              IN          Logged only when HAVE_CAPWAP is defined.
RADIUS                              IN          Recorded only within FortiCarrier.
NETBIOS forward                     IN          Any interface that NETBIOS forward is enabled on.
RIP                                 IN
OSPF                                IN
VRRP                                IN
BFD                                 IN
IGMP                                IN          Recorded only when PIM is enabled.
PIM                                 IN          Recorded only when PIM is enabled.
BGP                                 IN          Recorded only when BGP and a BGP neighbor are configured in the CLI.
WCCP policy                         IN          Any interface where WCCP is enabled; not recorded in Cache mode because it is not available there.
WAN Opt/Web Cache                   IN          Any interface where WAN Opt is enabled.
WANOpt Tunnel                       IN          Recorded when HAVE_WANOPT is defined.
SSLVPN                              IN          Any interface from a zone where the action in the policy is SSL VPN.
IPsec                               IN
L2TP                                IN
PPTP                                IN
VPD                                 IN          Recorded only when FortiClient is enabled.
Web cache db test facility          IN          Recorded only when WA_CS_REMOTE_TEST is defined.
GDBserver                           IN          Recorded only when debug is enabled.
 

Tracking specific search phrases in reports

It is possible to use the Web Filter to track specific search keywords and phrases and record the results for display in the report.

You should verify that the web filter profile you are using indicates what search phrases you want to track and monitor, so that the report includes this information.

1. Log in to the CLI and enter show webfilter profile default.

This provides details about the webfilter profile being used by the security policy. In this example, the config web section of the output indicates that safe search is enabled, but no keywords are specified and searches are not being logged.

show webfilter profile default
config webfilter profile
    edit "default"
        set comment "default web filtering"
        set inspection-mode flow-based
        set options https-scan
        set post-action comfort
        config web
            set safe-search url
        end
        config ftgd-wf
            config filters
                edit 1
                    set action block
                    set category 2
                next
                edit 2
                    set action block
                    set category 7
                next
                edit 3
                    set action block
                    set category 8

2. Enter the following command syntax so that logging and the keyword for the safe search will be included in logging.

config webfilter profile
    edit default
        config web
            set log-search enable
            set keyword-match "fortinet" "easter" "easter bunny"
        end
    end

3. To test that the keyword search is working, go to a web browser and begin searching for the words that were included in the webfilter profile, such as easter.

You can tell that the test works by going to Log & Report > Traffic Log > Forward Traffic and viewing the log messages.

 

Reverting modified report settings to default settings

If you need to go back to the original default report settings, you can easily revert to those settings in the Report menu. Reverting to default settings means that your previously modified report settings will be lost.

To revert back to default report settings, in Log & Report > Report > Local, select Customize, and then Restore Defaults from the top navigation. This may take a minute or two. You can also use the CLI command execute report-config reset to reset the report to defaults.

If you are having problems with report content being outdated or incorrect, especially after a firmware update, you can recreate the report database using your current log information with the CLI command execute report recreate-db.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Logging and reporting for large networks


This section explains how to configure the FortiGate unit for logging and reporting in a larger network, such as an enterprise network. To set up this type of network, you are modifying the default log settings, and you are also modifying the default report.

The following procedures are examples and can be used to help you when configuring your own network’s log topology.

Since some of these settings can only be modified, enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any others that you would need to use in your own network’s log topology.

 

Modifying default log device settings

The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has logging of all FortiGate features enabled, as well as logging to either the FortiGate unit’s system memory or hard disk, depending on the model.

 

Modifying multiple FortiGate units’ system memory default settings

When the FortiGate unit’s default log device is its system memory, you can modify it to fit your log network topology. In this topic, the following is an example of how you can modify these default settings.

 

To modify the default system memory settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log memory setting
    set ips-archive disable
    set status enable
end

3. Enter the following command syntax to modify the FortiGate features that are enabled for logging:

config log memory filter
    set attack enable
    set forward-traffic enable
    set local-traffic enable
    set netscan enable
    set email-log-imap enable
    set multicast-traffic enable
    set scanerror enable
    set app-ctrl enable
end

4. Repeat steps 2 and 3 for the other FortiGate units.

5. Test the modified settings using the procedure below.

 

Modifying multiple FortiGate units’ hard disk default log settings

You will have to modify each FortiGate unit’s hard disk default log settings. The following is an example of how to modify these default settings.

 

To modify the default hard disk settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log disk setting
    set ips-archive disable
    set status enable
    set max-log-file-size 1000
    set storage Internal
    set log-quota 100
    set report-quota 100
end

3. In the CLI, enter the following to disable certain event log messages that you do not want logged:

config log disk filter
    set sniffer-traffic disable
    set local-traffic enable
end

4. Repeat steps 2 and 3 for the other FortiGate units.

5. Test the modified settings using the procedure below.

 

Testing the modified log settings

After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.

 

To test sending logs to the log device

1. In the CLI, enter the following command syntax:

diag log test

When you enter the command, the following appears:

generating a system event message with level – warning
generating an infected virus message with level – warning
generating a blocked virus message with level – warning
generating a URL block message with level – warning
generating a DLP message with level – warning
generating an IPS log message
generating an anomaly log message
generating an application control IM message with level – information
generating an IPv6 application control IM message with level – information
generating deep application control logs with level – information
generating an antispam message with level – notification
generating an allowed traffic message with level – notice
generating a multicast traffic message with level – notice
generating a ipv6 traffic message with level – notice
generating a wanopt traffic log message with level – notification
generating a HA event message with level – warning
generating netscan log messages with level – notice
generating a VOIP event message with level – information
generating a DNS event message with level – information
generating authentication event messages
generating a Forticlient message with level – information
generating a NAC QUARANTINE message with level – notification
generating a URL block message with level – warning

2. In the web-based interface, go to Log & Report > Event Log > User, and view the logs to see some of the recently generated test log messages.

You will be able to tell the test log messages from real log messages because they do not have “real” information; for example, the test log messages for the vulnerability scan contain the destination IP address of 1.1.1.1 or 2.2.2.2.

 

Configuring the backup solution

Even though you are logging to multiple FortiAnalyzer units, this is more of a redundancy solution rather than a complete backup solution in this example.

The multiple FortiAnalyzer units act similar to a HA cluster, since if one FortiAnalyzer unit fails, the others continue storing the logs they receive. In a backup solution, the logs are backed up to another secure location if something happens to the log device.

A good alternate or redundant option is the FortiCloud service, which can provide secure online logging and management for multiple devices.

 

Configuring logging to multiple FortiAnalyzer units

The following example shows how to configure logging to multiple FortiAnalyzer units. Configuring multiple FortiAnalyzer units is quick and easy; however, you can only configure up to three FortiAnalyzer units per FortiGate unit.

 

To configure multiple FortiAnalyzer units

1. In the CLI, enter the following command syntax to configure the first FortiAnalyzer unit:

config log fortianalyzer setting
    set status enable
    set server 172.20.120.22
    set max-buffer-size 1000
    set buffer-max-send 2000
    set address-mode static
    set conn-timeout 100
    set monitor-keepalive-period 120
    set monitor-failure-retry-period 2000
end

2. Disable the features that you do not want logged, using the following example command syntax. You can view the CLI Reference to see what commands are available.

config log fortianalyzer filter
    set traffic (enable | disable)
    …
end

3. Enter the following commands for the second FortiAnalyzer unit:

config log fortianalyzer2 setting
    set status enable
    set server 172.20.120.23
    set max-buffer-size 1000
    set buffer-max-send 2000
    set address-mode static
    set conn-timeout 100
    set monitor-keepalive-period 120
    set monitor-failure-retry-period 2000
end

4. Disable the features that you do not want logged, using the following example command syntax.

config log fortianalyzer filter
    set web (enable | disable)
    …
end

5. Enter the following commands for the last FortiAnalyzer unit:

config log fortianalyzer3 setting
    set status enable
    set server 172.20.120.23
    set max-buffer-size 1000
    set buffer-max-send 2000
    set address-mode static
    set conn-timeout 100
    set monitor-keepalive-period 120
    set monitor-failure-retry-period 2000
end

6. Disable the features that you do not want logged, using the following example command syntax.

config log fortianalyzer filter
    set web-filter (enable | disable)
    …
end

7. Test the configuration by using the procedure, “Testing the modified log settings”.

8. On the other FortiGate units, repeat steps 1 through 6, ensuring that logs are being sent to the FortiAnalyzer units.

 

Configuring logging to the FortiCloud server

The FortiCloud server can be used as a redundant backup, or as your primary logging solution. The following assumes that this service has already been registered, and a subscription has been purchased for expanded space. The following is an example of how these settings are configured for a network’s log configuration. You need to have access to both the CLI and the web-based manager when configuring the uploading of logs. The upload time and interval settings can be configured in the web-based interface.

 

To configure logging to the FortiCloud server

1. Go to System > Dashboard > Status and click Login next to FortiCloud in the License Information widget.

2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)

3. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.

4. To configure the upload time and interval, go to Log & Report > Log Config > Log Settings.

5. Under the Logging and Archiving header, you can select your desired upload time.

6. With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.

 

Modifying the default FortiOS report

The default FortiOS report is provided to help you quickly and easily configure and generate a report. Below is a sample configuration with multiple examples of significant customizations that you can make to tailor reports for larger networks.

 

Creating datasets

You need to create a new dataset for gathering information about HA, admin activity and configuration changes.

Creating datasets requires SQL knowledge.

 

To create the datasets

1. Log in to the CLI.

2. Enter the following command syntax:

config report dataset
    edit ha
        set query "select subtype_ha, count(*) as totalnum from event_log where timestamp >= F_TIMESTAMP('now', 'hour', '-23') group by subtype_ha order by totalnum desc"
    next

3. Create a dataset for the admin activity that includes logins and logouts from the three FortiGate administrators.

    edit <admin_dataset_name>
        set query "select subtype_admin, count(*) as totalnum from event_log where timestamp >= F_TIMESTAMP('now', 'hour', '-23') group by subtype_admin order by totalnum desc"
    next

4. Create a dataset for the configuration changes that the administrators did for the past 24 hours.

    edit <config_dataset_name>
        set query "select subtype_config, count(*) as totalnum from event_log where timestamp >= F_TIMESTAMP('now', 'hour', '-23') group by subtype_config order by totalnum desc"
    next
end
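Because report datasets are SQLite queries over the FortiGate’s local log database, the shape of the three queries above (count events in the last 23 hours, group them, order by count) can be tried out offline before typing it into the CLI. The following is an added example, not FortiOS code or code from this guide: it builds a small in-memory event_log from constructed rows and registers a Python stand-in for the FortiOS F_TIMESTAMP() function. The single-table schema (timestamp, subtype, action, user) and the assumed semantics of F_TIMESTAMP('now', 'hour', '-23') (epoch seconds of now minus 23 hours) are assumptions of the example, so the queries group by action or user rather than by the subtype_ha, subtype_admin and subtype_config columns the procedure names.

```python
import sqlite3

# Constructed fixed "now" (epoch seconds) so the 23-hour window is deterministic.
NOW = 1_700_000_000
HOUR = 3600


def f_timestamp(base, unit, offset):
    """Stand-in for the FortiOS F_TIMESTAMP() used in dataset queries.

    Assumed semantics: the epoch time of `base` ('now') shifted by `offset`
    units, so F_TIMESTAMP('now', 'hour', '-23') is 23 hours before now.
    FortiOS passes the offset as a string, hence int(offset).
    """
    if base != "now":
        raise ValueError("only 'now' is modelled in this example")
    unit_seconds = {"minute": 60, "hour": HOUR, "day": 24 * HOUR}[unit]
    return NOW + int(offset) * unit_seconds


# Dataset queries in the shape the procedure uses.  Assumed schema: one
# event_log table with subtype, action and user columns.
DATASETS = {
    "ha": (
        "select action, count(*) as totalnum from event_log "
        "where subtype = 'ha' and timestamp >= F_TIMESTAMP('now', 'hour', '-23') "
        "group by action order by totalnum desc"
    ),
    "admin": (
        "select user, action, count(*) as totalnum from event_log "
        "where subtype = 'admin' and timestamp >= F_TIMESTAMP('now', 'hour', '-23') "
        "group by user, action order by totalnum desc"
    ),
    "config": (
        "select user, count(*) as totalnum from event_log "
        "where subtype = 'config' and timestamp >= F_TIMESTAMP('now', 'hour', '-23') "
        "group by user order by totalnum desc"
    ),
}

# Constructed event_log rows: (timestamp, subtype, action, user).
SAMPLE_EVENTS = [
    (NOW - 1 * HOUR, "ha", "heartbeat-lost", None),
    (NOW - 2 * HOUR, "ha", "heartbeat-lost", None),
    (NOW - 100, "ha", "member-sync", None),
    (NOW - 25 * HOUR, "ha", "heartbeat-lost", None),  # older than 23h: excluded
    (NOW - 3 * HOUR, "admin", "login", "admin"),
    (NOW - 4 * HOUR, "admin", "login", "admin"),
    (NOW - 5 * HOUR, "admin", "login", "admin"),
    (NOW - 3 * HOUR + 600, "admin", "logout", "admin"),
    (NOW - 4 * HOUR + 600, "admin", "logout", "admin"),
    (NOW - 6 * HOUR, "admin", "login", "bob"),
    (NOW - 30 * HOUR, "admin", "login", "admin"),  # older than 23h: excluded
    (NOW - 3 * HOUR + 300, "config", "Edit", "admin"),
    (NOW - 4 * HOUR + 300, "config", "Edit", "admin"),
    (NOW - 6 * HOUR + 300, "config", "Add", "bob"),
]


def build_event_log(events=SAMPLE_EVENTS):
    """Create an in-memory SQLite event_log with F_TIMESTAMP registered."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("F_TIMESTAMP", 3, f_timestamp)
    conn.execute(
        "create table event_log "
        "(timestamp integer, subtype text, action text, user text)"
    )
    conn.executemany("insert into event_log values (?, ?, ?, ?)", events)
    return conn


def run_dataset(conn, name):
    """Run one named dataset query and return its rows as a list of tuples."""
    return conn.execute(DATASETS[name]).fetchall()


if __name__ == "__main__":
    db = build_event_log()
    for dataset in DATASETS:
        print(dataset, run_dataset(db, dataset))
```

The rows dated 25 and 30 hours back never appear in the results, which is the check to make before trusting a 24-hour chart: a query that accidentally drops the timestamp clause (as the missing comma and stray "and" in a hand-typed query easily cause) will silently count the whole database.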

 

Creating charts for the datasets

1. Log in to the CLI.

2. Enter the following to create a new chart:

config report chart
    edit ha.24h
        set type table
        set period last24h
        set dataset ha
        set category event
        set favorite no
        set style auto
        set title "24 Hour HA Admin Activity"
    end

 

Uploading the corporate images

You need to upload the corporate images so that they appear on the report’s pages, as well as on the cover page. Uploading images is only available in the web-based manager.

 

To upload corporate images

1. Go to Log & Report > Report > Local.

2. Select the Image icon and drag it to a place on the page.

3. The Graphic Chooser window appears.

4. Select Upload and then locate the image that you want to upload and upload the image.

The images are automatically uploaded and saved.

5. Repeat step 4 until the other corporate images are uploaded.

6. Select Cancel to close the Graphic Chooser window and return to the page.

The images can then be placed as you like by reopening the Graphic Chooser as in step 2.

 

Adding a new report cover and page

You need to add a new cover for the report, as well as a new page that will display the HA activity, admin activity and configuration changes.

 

To add and customize a new report cover

1. Go to Log & Report > Report > Local.

2. Select Customize.

3. In Sections, select the current default report section, and enter Report Cover in the field that appears; then press Enter to save the change.

4. Remove all content from the Report Cover section, and select the image icon and drag it into the main portion of the cover page; select a cover page image and then select OK.

5. Select the font size you want, and drag the text icon into the area beneath the image to add a title or explanation for the cover page.

6. Select Save to save the new report cover.

 

To add and customize a new page

1. Go to Log & Report > Report > Local.

2. Select Customize.

3. Select Sections, and select Create New to add a new section to the report. Name it Report Content, and press Enter, and OK to close the menu.

4. At the bottom of the editing window is the Section selection, where each Section is represented by a box. Select the second box.

5. Edit the content for the report as you like.

For a simpler report structure, make use of the ‘FortiGate UTM Security Analysis Report’ charts, which automatically format themselves and fill in all necessary information.

For more complex reports, add headings, default and custom charts, and explanatory text.

6. Select Save to save the new report content.

The report will automatically combine all sections. You can use headers and text to more clearly separate parts of the report, and all properly configured charts have titles built-in.



Best Practices: Log management


When the FortiGate unit records FortiGate activity, valuable information is collected that provides insight into how to better protect network traffic against attacks, including misuse and abuse. There is a lot to consider before enabling logging on a FortiGate unit, such as what FortiGate activities to enable and which log device is best suited for your network’s logging needs. A plan can help you in deciding the FortiGate activities to log, a log device, as well as a backup solution in the event the log device fails.

This plan should provide you with an outline, similar to the following:

  • what FortiGate activities you want and/or need logged (for example, security features)
  • the logging device best suited for your network structure
  • if you want or require archiving of log files
  • ensuring logs are not lost in the event a failure occurs.

After the plan is implemented, you need to manage the logs and be prepared to expand on your log setup when the current logging requirements are outgrown. Good log management practices help you with these tasks.

Log management practices help you to improve and manage logging requirements. Logging is an ever-expanding tool that can seem to be a daunting task to manage. The following management practices will help you when issues arise, or your logging setup needs to be expanded.

1. Revisit your plan on a yearly basis to verify that your logging needs are being met by your current log setup. For example, your company or organization may require archival logging, but not at the beginning of your network’s lifespan. Archival logs are stored on a FortiGate unit’s local hard drive, a FortiAnalyzer unit, or a FortiCloud server, in increasing order of size.

2. Configure an alert message that will notify you of activities that are important to be aware of. For example, if a branch office does not have a FortiGate administrator, you will need to know at all times that the IPsec VPN tunnel is still up and running. An alert email notification message can be configured to be sent only if IPsec tunnel errors occur.

3. If your organization or company uses peer-to-peer programs such as Skype or other instant messaging software, use the Applications FortiView dashboard, or the Executive Summary’s report widget (Top 10 Application Bandwidth Usage Per Hour Summary) to help you monitor the usage of these types of instant messaging software. These widgets can help you in determining how these applications are being used, including if there is any misuse and abuse. Their information is taken from application log messages; however, application log messages should be viewed as well since they contain the most detailed information.

4. Ensure that your backup solution is up-to-date. If you have recently expanded your log setup, you should also review your backup solution. The backup solution provides a way to ensure that all logs are not lost in the event that the log device fails or issues arise with the log device itself.

 



What are FortiOS reports?


FortiOS reports are configured from logs stored on the FortiGate unit’s hard drive. These reports, generated by the FortiGate unit itself, provide a central location for both configuring and generating reports. A default FortiOS report, called the FortiGate Security Feature Daily Activity Report, is available for you to modify to your requirements. The default report provides a way to quickly and easily set up your own report from within the web-based manager. The default FortiOS report is a report that compiles security feature activity from various security-related logs, such as virus and attack logs.

FortiOS reports consist of multiple parts, regardless of whether it is the default FortiOS report or a report that you have configured from scratch, and these parts are configured separately and added to the layout. The parts of a FortiOS report are:

  • charts (including datasets within the charts themselves)
  • themes (including styles which are within the themes themselves)
  • images
  • layout

 

The parts of a FortiOS report

Charts are used to display the log information in a clear and concise way using graphs and tables. Charts contain datasets, which are SQLite queries that help the FortiGate unit to add specific log information into the chart using the log information that is stored in the SQLite database on the local hard disk. If you want to configure a chart, you must configure the dataset first. Datasets are required for each chart, and if there is no dataset included in a chart, the chart will not be saved.

Themes provide a one-step style application for report layouts. Themes contain various styles, including styles for the table of contents, headings, headers and footers, as well as the margins of the report’s pages. Themes are applied to layouts. The styles that are applied to themes are configured separately in the CLI.

You can easily upload your company or organization’s logo to use within a report. By uploading your company or organization’s logo and applying it to a report, you provide a personalized report that is recognizable as your company or organization’s report. The image must be in JPEG, JPG or PNG format.

Layouts provide a way to incorporate the charts, images, and themes that are configured to create a formatted report. A layout is used as a template by the FortiGate unit to compile and then generate the report. The layout is also coded in the CLI.

 

What you can do with the default FortiOS report

You can reset the reports you have configured, as well as the default FortiOS report you modified, to default settings. When you reset reports to default settings, any configured reports that you created from scratch are lost. The execute report-config reset command resets the reports to default settings. If you are going to reset the reports to their default settings, you should back up the current configuration file before doing so, in the event you want to revert back to the reports you previously created and/or modified.

The default FortiOS report can be modified so that it meets your requirements for a report. This default report is located in Log & Report > Report > Local. Select Customize to edit it.

The FortiOS default report contains several pages, which appear as stacked boxes in the editing interface. Each page contains one or multiple charts (depending on the configuration of that page in the interface), and each page in the finished report will contain information about the FortiGate unit at the top of each section.

You can select Run Now on the Local page to immediately create a report with the current layout and design. More complex reports may take longer to generate. After generating a report, you can view it by selecting it from the list below Run Now. Historical reports will be marked as ‘Scheduled’ if created automatically, or ‘On Demand’ if created by selecting Run Now.

 

How to modify the default FortiOS report

The following is a sample modification of the default FortiOS report, which includes adding an image.

1. In Log & Report > Report > Config, modify the page by adding a new Chart, which will appear on its own page in the final report.

2. Add an information Text field below the chart.

You should always save the changes you make by selecting Save; otherwise, the changes you just made will be lost.

3. Modify the header to add the company’s image.

The company’s image will appear in all headers throughout the report. If you select Save now, it will appear on all the report’s pages.

4. Add other charts to the list so they will appear within the report.

Charts marked as ‘FortiGate Security Feature Security Analysis Report’ are autogenerated and take up an entire page or multiple pages on their own. All other charts take up half a page, so two consecutive charts will appear on the same page in the report.

5. Modify the report settings so that the report is generated every Monday at 6 pm, and is emailed to specific employees in the company.

Reports can be sent to others after the report has been generated, if Messaging Servers are configured.

6. Test the report’s modified settings, by selecting Run Now in the Config page; after it is generated, go to Log & Report > Report > Local and view the report.

You can tell that it has been generated because the Bandwidth Usage page’s charts will be populated, and the text added below each chart appears as well.



Reports


Reports provide a way to analyze log data without manually going through a large amount of logs to get to the information you need. This section explains how to configure a FortiOS report and how to modify the existing default FortiOS Security Features report. The FortiOS default Security Features report is a report that gathers security feature activity information and compiles it into a report. This section also explains how to view these reports.

Reports provide a clear, concise overview of what is happening on your network based on log data, without manually going through large amounts of logs. Reports can be configured on a FortiGate unit or a FortiAnalyzer unit. However, in this document only FortiOS reports are explained. FortiOS reports are the reports that are generated on the FortiGate unit. FortiAnalyzer reports are configured on a FortiAnalyzer unit and for information about those reports, see the FortiAnalyzer Administration Guide.

Disk or memory logging must be enabled for reporting to be enabled. Local Reporting can then be enabled in Log & Report > Log Settings, in order to view and edit reports.



Change of FortiGuard Filtering Port to mitigate Internet link flaps

I have a friend that has some FortiGates at his business. I have been helping him troubleshoot some random WAN1 port flapping issues. Well, after doing some research and looking through the documentation I found the below from Fortinet. Guess what internet provider he uses…..you’re right….COMCRAP….I mean, Comcast.

Some modems, ComCast for example, are known to drop the network connection or reboot if they receive non-DNS traffic on UDP port 53, which is the well-known DNS port but which is also used to connect to the FortiGuard service.

An example of log messages that can be observed in logs on FortiGate is shown below:

date=2099-05-03 time=17:12:50 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=UP msg="Link monitor: Interface wan1 was turned up"
date=2099-05-03 time=17:12:47 logid=0100020099 type=event subtype=system level=information vd="root" logdesc="Interface status changed" action=interface-stat-change status=DOWN msg="Link monitor: Interface wan1 was turned down"

Note that it is not necessary for the Link Monitor feature to be configured; this log message will appear in the logs each time the physical link is lost.

This cause can be confirmed by connecting a switch between the FortiGate and a modem.

If the switch has logging functionality then the interface facing the FortiGate will be stable while the interface connected to a modem will be flapping.

The workaround is to use port 8888 for FortiGuard. This can be changed from the GUI or CLI.

GUI

System > FortiGuard > Filtering

Select 8888 as “FortiGuard Filtering Port”

CLI

config system fortiguard
set port 8888
end
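The two "Interface status changed" events quoted above are easy to miss in a busy event log, and the symptom is the pattern (repeated DOWN/UP pairs on one interface within minutes), not a single line. The following is an added example, not code from this post or from Fortinet: a small Python parser for FortiGate key=value event lines that collects interface state changes per interface and flags any interface that changes state repeatedly inside a short window. The sample lines are constructed from the two quoted above (the wan2 and admin-login lines are made up), and the ten-minute window and the threshold of four transitions are arbitrary assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Interface name and direction inside the Link monitor msg field.
MSG_RE = re.compile(r"Interface (\S+) was turned (up|down)")


def _iface_event(time, iface, status):
    """Build a constructed 'Interface status changed' line in the quoted format."""
    word = "up" if status == "UP" else "down"
    return (
        f"date=2099-05-03 time={time} logid=0100020099 type=event subtype=system "
        f'level=information vd="root" logdesc="Interface status changed" '
        f"action=interface-stat-change status={status} "
        f'msg="Link monitor: Interface {iface} was turned {word}"'
    )


# Constructed sample: wan1 flaps three times in six minutes, wan2 drops once,
# and one unrelated (constructed) admin-login event must be ignored.
SAMPLE_LOGS = [
    _iface_event("17:12:47", "wan1", "DOWN"),
    _iface_event("17:12:50", "wan1", "UP"),
    _iface_event("17:13:00", "wan2", "DOWN"),
    _iface_event("17:13:03", "wan2", "UP"),
    'date=2099-05-03 time=17:14:20 type=event subtype=system level=information '
    'vd="root" logdesc="Admin login successful" user="admin" action=login '
    'status=success msg="Administrator admin logged in successfully from ssh(192.0.2.10)"',
    _iface_event("17:15:01", "wan1", "DOWN"),
    _iface_event("17:15:04", "wan1", "UP"),
    _iface_event("17:18:30", "wan1", "DOWN"),
    _iface_event("17:18:33", "wan1", "UP"),
]


def parse_line(line):
    """Parse one FortiGate key=value log line into a dict, quotes stripped."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def interface_transitions(lines):
    """Return {interface: [(datetime, 'UP'|'DOWN'), ...]} sorted by time."""
    transitions = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev.get("action") != "interface-stat-change":
            continue  # not a link state event
        m = MSG_RE.search(ev.get("msg", ""))
        if not m:
            continue
        when = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        transitions[m.group(1)].append((when, ev["status"]))
    for events in transitions.values():
        events.sort()
    return dict(transitions)


def flapping_interfaces(lines, window=timedelta(minutes=10), min_transitions=4):
    """Flag interfaces with at least min_transitions state changes in any window.

    Returns {interface: max transitions seen inside one window}.
    """
    flagged = {}
    for iface, events in interface_transitions(lines).items():
        times = [t for t, _ in events]
        best, j = 0, 0
        for i, start in enumerate(times):  # sliding window over sorted times
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= min_transitions:
            flagged[iface] = best
    return flagged


if __name__ == "__main__":
    print(flapping_interfaces(SAMPLE_LOGS))
```

Run over the sample, wan1 is reported with six transitions in the window and wan2 is not, which is the kind of per-interface count that tells a modem-side flap apart from a one-off outage before and after the port change above.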

