Category Archives: FortiOS 6

SIP messages and media protocols

Leave a reply

SIP messages and media protocols

This section provides an overview of SIP messages and how they communicate information about SIP sessions and how SDP, RTP, and RTCP fits in with SIP communications.

SIP uses clear text messages to start, maintain, and end media sessions between SIP user agent clients (UACs) and user agent servers (UASs). These messages form a SIP dialog. A typical SIP dialog begins with an INVITE request message sent from a UAC to another UAC or to a UAS. The first INVITE request message attempts to start a SIP call and includes information about the sending UAC and the receiving UAC as well as information about the communication session.

If only two UACs are involved as shown below, the receiving UAC (Phone B) responds with a 180 Ringing and then a 200 OK SIP response message that informs Phone A that Phone B received and accepted the request. Phone A then sends an ACK message to notify Phone B that the SIP response was received. Phone A and Phone B can then participate in the RTP media session set up by the SIP messages.

When the phone call is complete, one of the UACs (in the example Phone B) hangs up sending a BYE request message to Phone A. Phone A then sends a 200 OK response to Phone B acknowledging that the session has ended.

Basic SIP dialog between two UACs

SIP Phone A

(Sending UAC

PhoneA@10.31.101.20)

 SIP Phone B

(Receiving UAC

PhoneB@10.31.101.30)
  1. INVITE (SIP request message to invite SIP Phone B to start a SIP session).
  2. 180 Ringing (SIP ringing response to the INVITE request).
  3. 200 OK (SIP response to the INVITE request to inform SIP Phone A

that the request is accepted).

  1. ACK (SIP request message to confirm that

SIP Phone A received the response from SIP Phone B).

  1. RTP Media session between Phone Aand Phone B.
  2. BYE (SIP request message from SIP Phone B to end the SIP session).
  3. 200 OK (SIP response to the BYE request to end the SIP session).

If a UAS in the form of a SIP proxy server is involved, similar messages are sent and received, but the proxy server participates as an intermediary in the initial call setup. In the example below the SIP proxy server receives the INVITE request from Phone A and forwards it to Phone B. The proxy server then sends a 100 Trying response to Phone A. Phone B receives the INVITE request and responds with a 180 Ringing and then a 200 OK SIP response message. These messages are received by the proxy server and forwarded to Phone A to notify Phone A that Phone B received and accepted the request. Phone A then sends an ACK message to notify Phone B that the SIP response was received. This response is received by the proxy server and forwarded to Phone B. Phone A and Phone B can then participate in the media session independently of the proxy server.

When the phone call is complete Phone B hangs up sending a BYE request message to Phone A. Phone A then sends a 200 OK response to Phone B acknowledging that the session has ended.

Basic SIP dialog between UACs with a SIP proxy server UAS

  1. INVITE (Forwarded by the UAS to Phone B.)
  2. 180 Ringing (SIP ringing response to the INVITE request.)
  3. 200 OK (SIP response to the INVITE request to inform Phone A that the request is accepted.)
  4. BYE (SIP request message from Phone B to end the SIP session.)

The SIP messages include SIP headers that contain names and addresses of Phone A, Phone B and the proxy server. This addressing information is used by the UACs and the proxy server during the call set up.

The SIP message body includes Session Description Protocol (SDP) statements that Phone A and Phone B use to establish the media session. The SDP statements specify the type of media stream to use for the session (for example, audio for SIP phone calls) and the protocol to use for the media stream (usually the Real Time Protocol (RTP) media streaming protocol).

Hardware accelerated RTP processing

Phone A includes the media session settings that it would like to use for the session in the INVITE message. Phone B includes its response to these media settings in the 200 OK response. Phone A’s ACK response confirms the settings that Phone A and Phone B then use for the media session.

Hardware accelerated RTP processing

FortiGates can offload RTP packet processing to network processor (NP) interfaces. This acceleration greatly enhances the overall throughput and resulting in near speed RTP performance.

SIP request messages

SIP sessions always start with a SIP request message (also just called a SIP request). SIP request messages also establish, maintain, and terminate SIP communication sessions. The following table lists some common SIP request message types.

Common SIP request message types

Message Type Description
INVITE A client sends an INVITE request to invite another client to participate in a multimedia session. The INVITE request body usually contains the description of the session.
ACK The originator of an INVITE message sends an ACK request to confirm that the final response to an INVITE request was received. If the INVITE request did not contain the session description, it must be included in the ACK request.
PRACK In some cases, SIP uses provisional response messages to report on the progress of the response to a SIP request message. The provisional response messages are sent before the final SIP response message. Similar to an ACK request message, a PRACK request message is sent to acknowledge that a provisional response message has been received.
OPTIONS The UA uses OPTIONS messages to get information about the capabilities of a SIP proxy. The SIP proxy server replies with a description of the SIP methods, session description protocols, and message encoding that are supported.
BYE A client sends a BYE request to end a session. A BYE request from either end of the SIP session terminates the session.
CANCEL A client sends a CANCEL request to cancel a previous INVITE request. A CANCEL request has no effect if the SIP server processing the INVITE sends a final response to the INVITE before receiving the CANCEL.

 

response messages

Message Type Description
REGISTER A client sends a REGISTER request to a SIP registrar server with information about the current location (IP address and so on) of the client. A SIP registrar server saves the information it receives in REGISTER requests and makes this information available to any SIP client or server attempting to locate the client.
Info For distributing mid-session signaling information along the signaling path for a SIP call. I
Subscribe For requesting the current state and state updates of a remote node.
Notify Informs clients and servers of changes in state in the SIP network.
Refer Refers the recipient (identified by the Request-URI) to a third party according to the contact information in the request.
Update Opens a pinhole for new or updated SDP information.
Response codes

(1xx, 202, 2xx,

3xx, 4xx, 5xx,

6xx)

 Indicates the status of a transaction. For example: 200 OK, 202 Accepted, or 400 Bad Request.

SIP response messages

SIP response messages (often just called SIP responses) provide status information in response to SIP request messages. All SIP response messages include a response code and a reason phrase. There are five SIP response message classes. They are described below.

There are also two types of SIP response messages, provisional and final. Final response messages convey the result of the request processing, and are sent reliably. Provisional responses provide information on the progress of the request processing, but may not be sent reliably. Provisional response messages start with 1xx and are also called informational response messages.

Informational (or provisional)

Informational or provisional responses indicate that a request message was received and imply that the endpoint is going to process the request. Information messages may not be sent reliably and may not require an acknowledgment.

If the SIP implementation uses Provisional Response Acknowledgment (PRACK) (RFC 3262) then informational or provisional messages are sent reliably and require a PRACK message to acknowledge that they have been received.

Informational responses can contain the following reason codes and reason phrases:

100 Trying

  • Ringing
  • Call is being forwarded
  • Queued

SIP response messages

  • Session progress

Success

Success responses indicate that a request message was received, understood, and accepted. Success responses can contain the following reason codes and reason phrases:

200 OK

202 Accepted

Redirection

Redirection responses indicate that more information is required for the endpoint to respond to a request message. Redirection responses can contain the following reason codes and reason phrases:

  • Multiple choices
  • Moved permanently
  • Moved temporarily

305 Use proxy

380 Alternative service

Client error

Client error responses indicate that a request message was received by a server that contains syntax that the server cannot understand (i.e. contains a syntax error) or cannot comply with. Client error responses include the following reason codes and reason phrases:

400 Bad request               401 Unauthorized

402 Payment required          403 Forbidden

404 Not found                405 Method not allowed

406 Not acceptable            407 Proxy authentication required

408 Request time-out          409 Conflict

410 Gone                      411 Length required

413 Request entity too large  414 Request-URL too large

415 Unsupported media type   420 Bad extension

  • Temporarily not available
  • Call leg/transaction does not exist
  • Loop detected

484 Address incomplete        483 Too many hops

486 Busy here                 485 Ambiguous

488 Not acceptable here       487 Request canceled

Server error

Server error responses indicate that a server was unable to respond to a valid request message. Server error responses include the following reason codes and reason phrases:

  • Server internal error
  • Not implemented
  • Bad gateway

502 Service unavailable

  • Gateway time-out
  • SIP version not supported

message start line

Global failure

Global failure responses indicate that there are no servers available that can respond to a request message. Global failure responses include the following reason codes and reason phrases:

600 Busy everywhere

  • Decline
  • Does not exist anywhere 606 Not acceptable

SIP message start line

The first line in a SIP message is called the start line. The start line in a request message is called the requestline and the start line in a response message is called the status-line.

Request-line The first line of a SIP request message. The request-line includes the SIP message type, the SIP protocol version, and a Request URI that indicates the user or service to which this request is being addressed. The following example request-line specifies

the INVITE message type, the address of the sender of the message (inviter@example.com), and the SIP version:

INVITE sip:inviter@example.com SIP/2.0
Status-line The first line of a SIP response message. The status-line includes the SIP protocol version, the response code, and the reason phrase. The example status-line includes the SIP version, the response code (200) and the reason phrase (OK).

SIP/2.0 200 OK

SIP headers

Following the start line, SIP messages contain SIP headers (also called SIP fields) that convey message attributes and to modify message meaning. SIP headers are similar to HTTP header fields and always have the following format:

<header_name>:<value>

SIP messages can include the SIP headers listed in the following table:

SIP headers

SIP headers

SIP Header Description
Allow Lists the set of SIP methods supported by the UA generating the message. All methods, including ACK and CANCEL, understood by the UA MUST be included in the list of methods in the Allow header field, when present. For example:

Allow: INVITE, ACK, OPTIONS, CANCEL, BYE
Call-ID A globally unique identifier for the call, generated by the combination of a random string and the sender’s host name or IP address. The combination of the To, From, and Call-ID headers completely defines a peer-to-peer SIP relationship between the sender and the receiver. This relationship is called a SIP dialog.

Call-ID: ddeg45e793@10.31.101.30
Contact Included in SIP request messages, the Contact header contains the SIP URI of the sender of the SIP request message. The receiver uses this URI to contact the sender.

For example:

Contact: Sender <sip:sender@10.31.100.20>t
Content-Length The number of bytes in the message body (in bytes).

Content-Length: 126
Content-Type In addition to SIP headers, SIP messages include a message body that contains information about the content or communication being managed by the SIP session. The Content-Type header specifies what the content of the SIP message is. For example, if you are using SIP with SDP, the content of the SIP message is SDP code.

Content-Type: application/sdp
CSeq The command sequence header contains a sequence integer that is increased for each new SIP request message (but is not incremented in the response message). This header also includes the request name found in the request message requestline. For example:

CSeq: 1 INVITE
Expires Gives the relative time after which the message (or content) expires. The actual time and how the header is used depends on the SIP method. For example:

Expires: 5
From Identifies the sender of the message. Responses to a message are sent to the address of the sender. The following example includes the sender’s name (Sender) and the sender’s SIP address (sender@10.31.101.20.):

From: Sender <sip:sender@10.31.101.20>

 

headers

SIP Header Description
Max-forwards An integer in the range 0-255 that limits the number of proxies or gateways that can forward the request message to the next downstream server. Also called the number of hops, this value is decreased every time the message is forwarded. This can also be useful when the client is attempting to trace a request chain that appears to be failing or looping in mid-chain.

For example: Max-Forwards: 30
P-AssertedIdentity The P-Asserted-Identity header is used among trusted SIP entities to carry the identity of the user sending a SIP message as it was verified by authentication. See RFC 3325. The header contains a SIP URI and an optional display-name, for example:

P-Asserted-Identity: “Example Person” <sip:10.31.101.50>
RAck Sent in a PRACK request to support reliability of information or provisional response messages. It contains two numbers and a method tag. For example:

RAck: 776656 1 INVITE
Record-Route Inserted into request messages by a SIP proxy to force future requests to be routed through the proxy. In the following example, the host at IP address 10.31.101.50 is a SIP proxy. The lr parameter indicates the URI of a SIP proxy in Record-Route headers.

Record-Route: <sip:10.31.101.50;lr>
Route Forces routing for a request message through one or more SIP proxies. The following example includes two SIP proxies:

Route: <sip:172.20.120.10;lr>, <sip:10.31.101.50;lr>
RSeq The RSeq header is used in information or provisional response messages to support reliability of informational response messages. The header contains a single numeric value. For example:

RSeq: 33456
To Identifies the receiver of the message. The address in this field is used to send the message to the receiver. The following example includes the receiver’s name (Receiver) and the receiver’s SIP address (receiver@10.31.101.30.):

To: Receiver <sip:receiver@10.31.101.30>
Via Indicates the SIP version and protocol to be used for the SIP session and the address to which to send the response to the message that contains the Via field. The following example Via field indicates to use SIP version 2, UDP for media communications, and to send the response to 10.31.101.20 using port 5060.

Via: SIP/2.0/UDP 10.31.101.20:5060

30

The SIP message body and SDP session profiles

The SIP message body and SDP session profiles

The SIP message body describes the session to be initiated. For example, in a SIP phone call the body usually includes audio codec types, sampling rates, server IP addresses and so on. For other types of SIP session the body could contain text or binary data of any type which relates in some way to the session. The message body is included in request and response messages.

Two possible SIP message body types:

l Session Description Protocol (SDP), most commonly used for SIP VoIP. l Multipurpose Internet Mail Extensions (MIME)

SDP is most often used for VoIP and FortiGates support SDP content in SIP message bodies. SDP is a textbased protocol used by SIP to control media sessions. SDP does not deliver media but provides a session profile that contains media details, transport addresses, parameter negotiation, and other session description metadata for the participants in a media session. The participants use the information in the session profile to negotiate how to communicate and to manage the media session. SDP is described by RFC 4566.

An SDP session profile always contains session information and may contain media information. Session information appears at the start of the session profile and media information (using the m= attribute) follows.

SDP session profiles can include the attributes listed in the following table.

SDP session profile attributes

Attribute Description
a= Attributes to extend SDP in the form a=<attribute> or a=<attribute>:<value>.
b= Contains information about the bandwidth required for the session or media in the form b=<bandwidth_type>:<bandwidth>.
c= Connection data about the session including the network type (usually IN for Internet), address type (IPv4 or IPv6), the connection source address, and other optional information. For example:

c=IN IPv4 10.31.101.20
i= A text string that contains information about the session. For example:

i=A audio presentation about SIP
k= Can be used to convey encryption keys over a secure and trusted channel. For example:

k=clear:444gdduudjffdee

The SIP message body and SDP session profiles

Attribute Description
m= Media information, consisting of one or more lines all starting with m= and containing details about the media including the media type, the destination port or ports used by the media, the protocol used by the media, and a media format description.

m=audio 49170 RTP 0 3 m-video 3345/2 udp 34 m-video 2910/2 RTP/AVP 3 56

Multiple media lines are needed if SIP is managing multiple types of media in one session (for example, separate audio and video streams).

Multiple ports for a media stream are indicated using a slash. 3345/2 udp means UDP ports 3345 and 3346. Usually RTP uses even-numbered ports for data with the corresponding one-higher odd ports used for the RTCP session belonging to the RTP session. So 2910/2 RTP/AVP means ports 2910 and 2912 are used for RTP and 2911 and 2913 are used for RTCP.

Media types include udp for an unspecified protocol that uses UDP, RTP or RTP/AVP for standard RTP and RTP/SAVP for secure RTP.
o= The sender’s username, a session identifier, a session version number, the network type (usually IN for Internet), the address type (for example, IPv4 or IPv6), and the sending device’s IP address. The o= field becomes a universal identifier for this version of this session description. For example:

o=PhoneA 5462346 332134 IN IP4 10.31.101.20
r= Repeat times for a session. Used if a session will be repeated at one or more timed intervals. Not normally used for VoIP calls. The times can be in different formats. For example:

r=7d 1h 0 25h r=604800 3600 0 90000
s= Any text that describes the session or s= followed by a space. For example:

s=Call from inviter
t= The start and stop time of the session. Sessions with no time restrictions (most VoIP calls) have a start and stop time of 0.

t=0 0
v= SDP protocol version. The current SDP version is 0 so the v= field is always:

v=0
z= Time zone adjustments. Used for scheduling repeated sessions that span the time between changing from standard to daylight savings time.

z=2882844526 -1h 2898848070 0

 

Example SIP messages

The following example SIP INVITE request message was sent by PhoneA to PhoneB. The first nine lines are the SIP headers. The SDP profile starts with v=0 and the media part of the session profile is the last line, starting with m=.

INVITE sip:PhoneB@172.20.120.30 SIP/2.0

Via: SIP/2.0/UDP 10.31.101.50:5060

From: PhoneA <sip:PhoneA@10.31.101.20>

To: PhoneB <sip:PhoneB@172.20.120.30>

Call-ID: 314159@10.31.101.20

CSeq: 1 INVITE

Contact: sip:PhoneA@10.31.101.20

Content-Type: application/sdp

Content-Length: 124 v=0

o=PhoneA 5462346 332134 IN IP4 10.31.101.20 s=Let’s Talk t=0 0

c=IN IP4 10.31.101.20 m=audio 49170 RTP 0 3

The following example shows a possible 200 OK SIP response message in response to the previous INVITE request message. The response includes 200 OK which indicates success, followed by an echo of the original SIP INVITE request followed by PhoneB’s SDP profile.

SIP/2.0 200 OK

Via: SIP/2.0/UDP 10.31.101.50:5060

From: PhoneA <sip:PhoneA@10.31.101.20>

To: PhoneB <sip:PhoneB@172.20.120.30>

Call-ID: 314159@10.31.101.20

CSeq: 1 INVITE

Contact: sip:PhoneB@10.31.101.30

Content-Type: application/sdp

Content-Length: 107 v=0 o=PhoneB 124333 67895 IN IP4 172.20.120.30 s=Hello! t=0 0

c=IN IP4 172.20.120.30 m=audio 3456 RTP 0

SIP can support multiple media streams for a single SIP session. Each media steam will have its own c= and m= lines in the body of the message. For example, the following message includes three media streams:

INVITE sip:PhoneB@172.20.120.30 SIP/2.0

Via: SIP/2.0/UDP 10.31.101.20:5060

From: PhoneA <sip:PhoneA@10.31.101.20>

To: PhoneB <sip:PhoneB@172.20.120.30>

Call-ID: 314159@10.31.101.20

CSeq: 1 INVITE

Contact: sip:PhoneA@10.31.101.20

Content-Type: application/sdp

Content-Length: 124 v=0

o=PhoneA 5462346 332134 IN IP4 10.31.101.20 s=Let’s Talk

Example SIP messages

t=0 0 c=IN IP4 10.31.101.20 m=audio 49170 RTP 0 3 c=IN IP4 10.31.101.20 m=audio 49172 RTP 0 3 c=IN IP4 10.31.101.20 m=audio 49174 RTP 0 3


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Common SIP VoIP configurations

Leave a reply

Common SIP VoIP configurations

This section describes some common SIP VoIP configurations and simplified SIP dialogs for these configurations. This section also shows some examples of how adding a FortiGate affects SIP processing.

Peer to peer configuration

In the peer to peer configuration shown below, two SIP phones (in the example, FortiFones) communicate directly with each other. The phones send SIP request and response messages back and forth between each other to establish the SIP session.

SIP peer to peer configuration

Peer to peer configurations are not very common because they require the SIP phones to keep track of the names and addresses of all of the other SIP phones that they can communicate with. In most cases a SIP proxy or redirect server maintains addresses of a large number of SIP phones and a SIP phone starts a call by contacting the SIP proxy server.

SIP proxy server configuration

A SIP proxy server act as intermediary between SIP phones and between SIP phones (for example, two FortiFones) and other SIP servers. As shown below, SIP phones send request and response messages the SIP proxy server. The proxy server forwards the messages to other clients or to other SIP proxy servers. Proxy servers can hide SIP phones by proxying the signaling messages. To the other users on the VoIP network, the signaling invitations look as if they come from the SIP proxy server.

redirect server configuration

SIP in proxy mode

SIP proxy server

A common SIP configuration would include multiple networks of SIP phones. Each of the networks would have its own SIP server. Each SIP server would proxy the communication between phones on its own network and between phones in different networks.

SIP redirect server configuration

A SIP redirect server accepts SIP requests, maps the addresses in the request into zero or more new addresses and returns those addresses to the client. The redirect server does not initiate SIP requests or accept calls. As shown below, SIP clients send INVITE requests to the redirect server, which then looks up the destination address. The redirect server returns the destination address to the client. The client uses this address to send the INVITE request directly to the destination SIP client.

Common SIP VoIP configurations                                                                                    SIP registrar configuration

SIP in redirect model

SIP redirect server

SIP registrar configuration

A SIP registrar accepts SIP REGISTER requests from SIP phones for the purpose of updating a location database with this contact information. This database can then become a SIP location service that can be used by SIP proxy severs and redirect servers to locate SIP clients. As shown below, SIP clients send REGISTER requests to the SIP registrar.

 

SIP registrar and proxy servers

SIP with a FortiGate

Depending on your security requirements and network configuration FortiGates may be in many different places in a SIP configuration. This section shows a few examples.

The diagram below shows a FortiGate installed between a SIP proxy server and SIP phones on the same network. The FortiGate is operating in transparent mode so both the proxy server and the phones are on the same subnet. In this configuration, called SIP inspection without address translation, the FortiGate could be protecting the SIP proxy server on the private network by implementing SIP security features for SIP sessions between the SIP phones and the SIP proxy server.

Common SIP VoIP configurations                                                                                             SIP with a FortiGate

SIP network with FortiGate in transparent mode

call by proxy server. the INVITE request to Phone B.

The phone rings.

The phones and server use the same SIP dialogs as they would if the FortiGate was not present. However, the FortiGate can be configured to control which devices on the network can connect to the SIP proxy server and can also protect the SIP proxy server from SIP vulnerabilities.

The following diagram shows a FortiGate operating in NAT/Route mode and installed between a private network and the Internet. Some SIP phones and the SIP proxy server are connected to the private network and some SIP phones are connected to the Internet. The SIP phones on the Internet can connect to the SIP proxy server through the FortiGate and communication between SIP phones on the private network and SIP phones on the Internet must pass through the FortiGate.

SIP network with FortiGate in NAT/Route mode

  1. 1. SIP phone B registers with SIP Phone B
  2. SIP phone A registers with SIP proxy server

(PhoneB@172.20.120.30) SIP proxy server.       using the SIP proxy server virtual IP.

2. Phone A dials Phone B    
by sending an INVITE request to the SIP proxy server. 3. The proxy server looks up the SIP address of Phone B and forwards 4. Phone B is notified of an incoming

the INVITE request to Phone B.      call by proxy server – phone rings.

  1. RTP Media session opens between

Phone A and Phone B when Phone B answers

The phones and server use the same SIP dialog as they would if the FortiGate was not present. However, the FortiGate can be configured to control which devices on the network can connect to the SIP proxy server and can also protect the SIP proxy server from SIP vulnerabilities. In addition, the FortiGate has a firewall virtual IP that forwards packets sent to the SIP proxy server Internet IP address (172.20.120.50) to the SIP proxy server internal network IP address (10.31.101.30).

Since the FortiGate is operating in NAT/Route mode it must translate packet source and destination IP addresses (and optionally ports) as the sessions pass through the FortiGate. Also, the FortiGate must translate the addresses contained in the SIP headers and SDP body of the SIP messages. As well the FortiGate must open SIP and RTP pinholes through the FortiGate. SIP pinholes allow SIP signaling sessions to pass through the FortiGate between phones and between phones and SIP servers. RTP pinholes allow direct RTP communication between the SIP phones once the SIP dialog has established the SIP call. Pinholes are opened automatically by the FortiGate. Administrators do not add security policies for pinholes or for RTP sessions. All that is required is a security policy that accepts SIP traffic.

Opening an RTP pinhole means opening a port on a FortiGate interface to allow RTP traffic to use that port to pass through the FortiGate between the SIP phones on the Internet and SIP phones on the internal network. A pinhole only accepts packets from one RTP session. Since a SIP call involves at least two media streams (one from Phone A to Phone B and one from Phone B to Phone A) the FortiGate opens two RTP pinholes. Phone A sends RTP packets through a pinhole in port2 and Phone B sends RTP packets through a pinhole in port1. The FortiGate opens the pinholes when required by the SIP dialog and closes the pinholes when the SIP call is completed. The FortiGate opens new pinholes for each SIP call.

Each RTP pinhole actually includes two port numbers. The RTP port number as defined in the SIP message and an RTCP port number, which is the RTP port number plus 1. For example, if the SIP call used RTP port 3346 the FortiGate would create a pinhole for ports 3346 and 3347.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Inside FortiOS: Voice over IP (VoIP) protection

Leave a reply

Inside FortiOS: Voice over IP (VoIP) protection

The FortiOS SIP Application Layer Gateway (ALG) allows SIP calls to pass through a FortiGate by opening SIP and RTP pinholes and performing source and destination IP address and port translation for SIP and RTP packets.

There are a large number of SIP-related Internet Engineering Task Force (IETF) documents (Request for

Comments) that define behavior of SIP and related applications. FortiOS completly support RFC 3261 for SIP, RFC 4566 for SDP and RFC 3262 for Provisional Response Acknowledgment (PRACK). FortiOS also supports other SIP and SIP-related RFCs and performs Deep SIP message inspection for SIP statements defined in other SIP RFCs.

Advanced voice over IP protection

The FortiOS SIP Application Level Gateway (ALG) protects Voice over IP (SIP and SDP) services in Unified Communication and NGN/IMS networks with the following advanced VoIP defense mechanisms.

Deep SIP message inspection (also called deep SIP header inspection)

Verifies SIP and SDP header syntax and protects SIP servers from potential SIP Fuzzing attacks. When a violation is detected, FortiOS can impose counter measures and can also send automatic SIP response messages to offload processing from the SIP server.

SIP message rate limiting

Allows rate limiting of SIP messages per SIP request method. This prevents a SIP server from overload or from DoS attacks using particular SIP methods. For example, FortiOS can protect SIP servers from a flood of SIP REGISTER or INVITE messages, which can be caused by a DoS attack or a flash crowd.

RTP and RTCP pinholing

RTP pinholing only forwards RTP/RTCP packets that conform to the particular session description of the associated SIP dialog. If a SIP dialog is finished, FortiOS automatically closes the pinhole. RTP/RTCP pinholing is supported by FortiASIC acceleration and achieves high packet throughput at low jitter and delay.

Stateful SIP dialog tracking

FortiOS tracks SIP message sequences and prevents unwanted SIP messages that are not related to a particular SIP dialog. For instance, FortiOS can detect malicious SIP BYE messages that do not conform with the associated context of the SIP dialog.

Inspecting SIP over SSL/TLS (secure SIP)

Some SIP phones and SIP servers use SSL or TLS to encrypt SIP signalling traffic. To allow SIP over SSL/TLS calls to pass through the FortiGate unit, the encrypted signalling traffic has to be unencrypted and inspected. FortiOS intercepts and unencrypts and inspects the SIP packets. Allowed packets are then re-encrypted and forwarded to their destination.

Carrier grade

Inspecting SIP on multiple ports

FortiOS can detect and inspect SIP and SDP UDP and TCP sessions and SIP SSL sessions and ou can configure the ports that the SIP ALG monitors for these sessions. In addition you can configure two different ports for SIP UDP sessions and two different ports for SIP TCP sessions. The port configuration can be changed without affecting other parts of the SIP configuration.

Carrier grade protection

To protect VoIP infrastructure in carrier networks, FortiOS complies with typical carrier requirements for availability and robustness.

High availability

FortiOS supports a hot failover configuration with an active and a standby FortiGate device. FortiOS dynamically updates the context on the standby unit with SIP and RTP related data. This enables the standby unit to takeover stable voice calls in case of a planned or unplanned outage or failover of the active unit.

Geographical redundancy of SIP servers

In FortiOS SIP server cluster configurations the active and standby units can be deployed in different geographical locations. This configuration prevents a total outage of a SIP server infrastructure if one location goes offline. FortiOS supports the detection of SIP server outages (loss of heartbeats) and a redirect of SIP messages to the redundant SIP server location.

Logging and Reporting

FortiOS can log call related information internally or to an external SYSLOG or FortiAnalyzer unit. This includes event logs that show particular SIP-related attacks or syntax violations with SIP messages or logs that summarize call statistics.

NAT/NAPT

FortiOS performs configurable network address translation for IP addresses in the SIP and SDP header. The SIP ALG follows the configured NAT addresses in firewall virtual IPs and changes SIP header IP addresses accordingly. RTP NAT is controlled by SIP/SDP and the firewall policy. This allows translating an unlimited number of IP addresses without adding specific RTP policies.

Header manipulation

FortiOS SIP and SDP header manipulation supports SIP Network Address Translation (NAT) through FortiGate units configured as NAT firewalls.

NAT/NAPT

Hosted NAT traversal (HNT)

In many service provider networks, CPE firewall devices provide NAT without application awareness. This causes issues for SIP/SDP and RTP traffic, since UAC IP address information references to the internal network behind the far end firewall. VoIP calls cannot be connected successfully. FortiOS mitigates far end NAT issues (called Hosted NAT traversal) by probing the first RTP packet from the UAC and learning the far end NA(P)T binding.

FortiOS then updates the internal NAT binding for RTP accordingly.

IP address conservation for NAT

In case of SIP and RTP NAT IP the original address information can get lost after translating to the provisioned IP addresses. This IP address information is sometimes required for detailed billing records or debugging purposes. FortiOS can maintain the original IP address information in a translated SIP header by adding it to the SIP/SDP info line (i=) or by adding it to the original attribute (o=). Either option can be selected depending on the SIP billing environment.

SIP ALG activation

The FortiOS SIP ALG is applied to SIP traffic accepted by a firewall policy that includes a VoIP profile. The VoIP profile controls how the SIP ALG processes SIP sessions. FortiOS also includes a high-performance SIP session helper that provides limited SIP functionality. In most cases the SIP ALG should be used because the SIP ALG supports the complete range of FortiOS SIP features.

 

 

IP routing and forwarding
IPsec VPN encryption, decryption
 

Rate limiting and message blocking
Stateful SIP tracking
Message, header, and SDP syntax checking
Network surveillance
NAT and IP topology Hiding
Logging and debugging
 

Intrusion detection and prevention
Defined by Fortinet and enterprise signatures
SIP decoder identifies SIP sessions
 

Security policy
IPsec VPN encryption, decryption
Access control
 

Native (D)DoS prevention
Anomaly detection and prevention

SIP over IPv6

FortiOS, operating in NAT/Route and in transparent mode supports SIP over IPv6. The SIP ALG can process SIP messages that use IPv6 addresses in the headers, bodies, and in the transport stack. The SIP ALG cannot modify the IPv6 addresses in the SIP headers so FortiGate units cannot perform SIP or RTP NAT over IPv6 and also cannot translate between IPv6 and IPv4 addresses.

Platform support and hardware acceleration

FortiOS supports VoIP protection with the SIP ALG on all FortiGate hardware platforms. Whenever a FortiGate unit provides FortiASIC or SPM HW acceleration, the SIP ALG will use this option to fast-path RTP/RTCP traffic.

As well, since the SIP ALG is proxy-based, SIP control packets are not offloaded to NP4 or NP6 processors. But actual voice or other media traffic can be offloaded to NP4 or NP6 processors after the SIP session is established. Many FortiGate units also support low latencey hardware acceleration configurations that also enhance SIP voice transmission.

FortiGate hardware acceleration provides a high throughput solution at very low jitter and delay. FortiOS provides efficient and highly scalable protection for VoIP in emerging Enterprise and Carrier network. This complements Fortinet’s NGFW and UTM offerings. VoIP protection can be easily added to any firewall policy just by adding a VoIP profile.

Platform support and hardware acceleration

VoIP protection is supported in FortiAnalyzer and FortiManager. Centralized logging and management are essential for carrier and MSSP service provider and are influencing business case calculations.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Troubleshooting and logging – FortiOS 6

Leave a reply

Troubleshooting and logging

This section explains how to troubleshoot logging configuration issues, as well as connection issues, that you may have with your FortiGate unit and a log device. This section also contains information about how to use log messages when troubleshooting issues that are about other FortiGate features, such as VPN tunnel errors.

Using log messages to help in troubleshooting issues

Log messages can help when troubleshooting issues that occur, since they can provide details about what is occurring. The uses and methods for involving logging in troubleshooting vary depending on the problem. The following are examples of how log messages can assist when troubleshooting networking issues.

Using IPS packet logging in diagnostics

This type of logging should only be enabled when you need to know about specific diagnostic information, for example, when you suspect a signature is triggered by a false positive. These log messages can help troubleshoot individual problems with misidentified or missing packets and network intrusions involving malicious packets.

To configure IPS packet logging

  1. Go to Security Profiles > Intrusion Protection.
  2. Select the IPS sensor that you want to enable IPS packet logging on, and then select Edit.
  3. In the filter options, enable Packet Logging.
  4. Select OK.

If you want to configure the packet quota, number of packets that are recorded before alerts and after attacks, use the following procedure.

To configure additional settings for IPS packet logging

  1. Log in to the CLI.
  2. Enter the following to start configuring additional settings:

config ips settings set ips-packet-quota <integer> set packet-log-history <integer> set packet-log-post-attack <integer>

end

Using HA log messages to determine system status

When the FortiGate unit is in HA mode, you may see the following log message content within the event log:

type=event subtype=ha level=critical msg= “HA slave heartbeat interface internal lost neighbor information”

OR

type=event subtype=ha level=critical msg= “Virtual cluster 1 of group 0 detected new joined HA member” OR

type=event subtype=ha level=critical msg= “HA master heartbeat interface internal get peer information”

The log messages occur within a given time, and indicate that the units within the cluster are not aware of each other anymore. These log messages provide the information you need to fix the problem.

Connection issues between FortiGate unit and logging devices

If external logging devices are not recording the log information properly or at all, the problem will likely be due to one of two situations: no data is being received because the log device cannot be reached, or no data is being sent because the FortiGate unit is no longer logging properly.

Unable to connect to a supported log device

After configuring logging to a supported log device, and testing the connection, you may find you cannot connect. To determine whether this is the problem:

  1. Verify that the information you entered is correct; it could be a simple mistake within the IP address or you may have not selected Apply on the Log Settings page after changing them, which would prevent them from taking effect.
  2. Use execute ping to see if you can ping to the log device.
  3. If you are unable to ping to the log device, check to see if the log device itself working and that it is on the network and assigned an appropriate address.

FortiGate unit has stopped logging

If the FortiGate unit stopped logging to a device, test the connection between both the FortiGate unit and device using the execute ping command. The log device may have been turned off, is upgrading to a new firmware version, or just not working properly.

The FortiGate unit may also have a corrupted log database. When you log into the web-based manager and you see an SQL database error message, it is because the SQL database has become corrupted. View “SQL database errors” in the next section before taking any further actions, to avoid losing your current logs.

Log database issues

If attempting to troubleshoot issues with the SQL log database, use the following to help guide you to solving issues that occur.

SQL statement syntax errors

There may be errors or inconsistencies in the SQL used to maintain the database. Here are some example error messages and possible causes:

You have an error in your SQL syntax (remote/MySQL)

or

ERROR: syntax error at or near… (local/PostgreSQL)

  • Verify that the SQL keywords are spelled correctly, and that the query is well-formed.
  • Table and column names are demarked by grave accent (`) characters. Single (‘) and double (“) quotation marks will cause an error.

No data is covered.

  • The query is correctly formed, but no data has been logged for the log type. Verify that you have configured the FortiGate unit to save that log type. On the Log Settings page, make sure that the log type is checked.

Connection problems

If well-formed SQL queries do not produce results, and logging is turned on for the log type, there may be a database configuration problem with the remote database.

Ensure that:

l MySQL is running and using the default port 3306. l You have created an empty database and a user who has read/write permissions for the database. l Here is an example of creating a new MySQL database named fazlogs, and adding a user for the database:

  1. #Mysql –u root –p
  2. mysql> Create database fazlogs;
  3. mysql> Grant all privileges on fazlogs.* to ‘fazlogger’@’*’ identified by ‘fazpassword’;
  4. mysql> Grant all privileges on fazlogs.* to ‘fazlogger’@’localhost’ identified by ‘fazpassword’;

SQL database errors

If the database seems inacessible, you may encounter the following error message after upgrading or downgrading the FortiGate unit’s firmware image.

Example of an SQL database error message

The error message indicates that the SQL database is corrupted and cannot be updated with the SQL schemas any more. When you see this error message, you can do one of the following:

l select Cancel and back up all log files; then select Rebuild to blank and rebuild the database. l select Rebuild immediately, which will blank the database and previous logs will be lost.

Until the database is rebuilt, no information will be logged by the FortiGate unit regardless of the log settings that are configured on the unit. When you select Rebuild, all logs are lost because the SQL database is erased and then rebuilt again. Logging resumes automatically according to your settings after the SQL database is rebuilt.

To view the status of the database, use the diagnose debug sqldb-error status command in the CLI. This command will inform you whether the database has errors present.

If you want to view the database’s errors, use the diagnose debug sqldb-error read command in the CLI. This command indicates exactly what errors occurred, and what tables contain those errors.

Log files are backed up using the execute backup {disk | memory } {alllogs | logs} command

in the CLI. You must use the text variable when backing up log files because the text variable allows you to view the log files outside the FortiGate unit. When you back up log files, you are really just copying the log files from the database to a specified location, such as a TFTP server.

Logging daemon (Miglogd)

The number of logging daemon child processes has been made available for editing. A higher number can affect performance, and a lower number can affect log processing time, although no logs will be dropped or lost if the number is decreased.

If you are suffering from performance issues, you can alter the number of logging daemon child processes, from 0 to 15, using the following syntax. The default is 8.

Troubleshooting and logging                                                                                          Logging daemon (Miglogd)

config system global set miglogd-children <integer> end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Advanced logging – FortiOS 6

2 Replies

Advanced logging

This section explains how to configure other log features within your existing log configuration. You may want to include other log features after initially configuring the log topology because the network has either outgrown the initial configuration, or you want to add additional features that will help your network’s logging requirements.

The following topics are included in this section:

l Log backup and restore tools l Configuring logging to multiple Syslog servers l Using Automatic Discovery to connect to a FortiAnalyzer unit l Activating a FortiCloud account for logging purposes l Viewing log storage space l Customizing and filtering log messages l Viewing logs from the CLI l Configuring NAC Quarantine logging l Logging local-in policies l Tracking specific search phrases in reports l Interpreting and configuring FSSO syslog log messages

Log backup and restore tools

Local disk logs can now be backed up and restored to local files, using CLI commands:

execute log backup <filename> execute log restore <filename>

Restoring logs will wipe the current log and report content off the disk.

Logs can also now be exported to a USB storage device, as LZ4 compressed files, from both CLI and GUI. When you insert a USB drive into the FortiGate’s USB port, the USB menu will appear in the GUI. The menu shows the amount of storage on the USB disk, and the log file size, and you can select Copy to USB to copy the log data to the drive.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2 3 4 5

Logging and reporting for large networks – FortiOS 6

Leave a reply

Logging and reporting for large networks

This section explains how to configure the FortiGate unit for logging and reporting in a larger network, such as an enterprise network. To set up this type of network, you are modifying the default log settings, and you are also modifying the default report.

The following procedures are examples and can be used to help you when configuring your own network’s log topology.

Since some of these settings must be modified or enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any that you would need to use in your own newtork’s log topology.

Modifying default log device settings

The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled and well as logging to either the FortiGate unit’s system memory or hard disk, depending on the model.

Modifying multiple FortiGate units’ system memory default settings

When the FortiGate unit’s default log device is its system memory, you can modify it to fit your log network topology. In this topic, the following is an example of how you can modify these default settings.

To modify the default system memory settings

  1. Log in to the CLI.
  2. Enter the following command syntax to modify the logging settings:

config log memory setting set status enable

end

  1. Enter the following command syntax to modify the FortiGate features that are enabled for logging:

config log memory filter set forward-traffic enable set local-traffic enable set sniffer-traffic enable set anomaly enable set voip enable set multicast-traffic enable

set dns enable

end

  1. Repeat steps 2 and 3 for the other FortiGate units.
  2. Test the modified settings using the procedure below.

Modifying multiple FortiGate units’ hard disk default log settings

You will have to modify each FortiGate unit’s hard disk default log settings. The following is an example of how to modify these default settings.

To modify the default hard disk settings

  1. Log in to the CLI.
  2. Enter the following command syntax to modify the logging settings:

config log disk setting set ips-archive disable set status enable set max-log-file-size 1000 set storage Internal set log-quota 100 set report-quota 100

end

  1. In the CLI, enter the following to disable certain event log messages that you do not want logged:

config log eventfilter set event enable set system enable set vpn enable set user enable set router disable set wan-opt disable

end

  1. Repeat the steps 2 to 4 for the other FortiGate units.
  2. Test the modified settings using the procedure below.

Testing the modified log settings

After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.

To test sending logs to the log device

  1. In the CLI, enter the following command syntax:

diag log test

When you enter the command, the following appears:

generating a system event message with level – warning generating an infected virus message with level – warning generating a blocked virus message with level – warning generating a URL block message with level – warning generating a DLP message with level – warning generating an IPS log message generating an anomaly log message generating an application control IM message with level – information generating an IPv6 application control IM message with level – information generating deep application control logs with level – information generating an antispam message with level – notification generating an allowed traffic message with level – notice generating a multicast traffic message with level – notice generating a ipv6 traffic message with level – notice generating a wanopt traffic log message with level – notification generating a HA event message with level – warning generating netscan log messages with level – notice generating a VOIP event message with level – information generating a DNS event message with level – information generating authentication event messages generating a Forticlient message with level – information generating a URL block message with level – warning

  1. In the web-based interface, go to Log & Report > System Events, and view the logs to see some of the recently generated test log messages.

You will be able to tell the test log messages from real log messages because they do not have “real” information; for example, the test log messages for the vulnerability scan contain the destination IP address of 1.1.1.1 or 2.2.2.2.

Configuring the backup solution

Even though you are logging to multiple FortiAnalyzer units, this is more of a redundancy solution rather than a complete backup solution in this example.

The multiple FortiAnalyzer units act similar to a HA cluster, since if one FortiAnalyzer unit fails, the others continue storing the logs they receive. In a backup solution, the logs are backed up to another secure location if something happens to the log device.

A good alternate or redundant option is the FortiCloud service, which can provide secure online logging and management for multiple devices.

Configuring logging to multiple FortiAnalyzer units

The following example shows how to configure logging to multiple FortiAnalyzer units. Configuring multiple FortiAnalyzer units is quick and easy; however, you can only configure up to three FortiAnalyzer units per FortiGate unit.

To configure multiple FortiAnalyzer units

  1. In the CLI, enter the following command syntax to configure the first FortiAnalyzer unit: config log fortianalyzer setting set status enable set server 172.20.120.22 set max-buffer-size 1000 set buffer-max-send 2000 set address-mode static set conn-timeout 100 set monitor-keepalive-period 120 set monitor-failure-retry-period 2000

end

  1. Disable the features that you do not want logged, using the following example command syntax. You can view the CLI Reference to see what commands are available.

config log fortianalyzer filter set forward-traffic (enable | disable) … end

  1. Enter the following commands for the second FortiAnalyzer unit: config log fortianalyzer2 setting set status enable set server 172.20.120.23 set max-buffer-size 1000 set buffer-max-send 2000 set address-mode static set conn-timeout 100 set monitor-keepalive-period 120 set monitor-failure-retry-period 2000

end

  1. Disable the features that you do not want logged, using the following example command syntax.

config log fortianalyzer2 filter set event (enable | disable) … end

  1. Enter the following commands for the last FortiAnalyzer unit: config log fortianalyzer3 setting set status enable set server 172.20.120.23 set max-buffer-size 1000 set buffer-max-send 2000 set address-mode static set conn-timeout 100 set monitor-keepalive-period 120 set monitor-failure-retry-period 2000

end

  1. Disable the features that you do not want logged, using the following example command syntax.

config log fortianalyzer3 filter set voip (enable | disable) … end

  1. Test the configuration by using the procedure, “Testing the modified log settings”.
  2. On the other FortiGate units, configure steps 1 through 6, ensuring that logs are being sent to the FortiAnalyzer units.

Configuring logging to the FortiCloud server

The FortiCloud server can be used as a redundant backup, or your primary logging solution. The following assumes that this service has already been registered, and a subscription has been purchased for expanded space. The following is an example of how to these settings are configured for a network’s log configuration. You need to have access to both the CLI and the web-based manager when configuring uploading of logs. The upload time and interval settings can be configured in the web-based interface.

To configure logging to the FortiCloud server

  1. Go to Dashboard and click Login next to FortiCloud in the License Information widget.
  2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)
  3. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.
  4. To configure the upload time and interval, go to Log & Report > Log Settings.
  5. Under the Remote Logging and Archiving header, you can select your desired upload time.
  6. With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Logging and reporting for small networks – FortiOS 6

Leave a reply

Logging and reporting for small networks

This section explains how to configure the FortiGate unit for logging and reporting in a small office or SOHO/SMB network. To properly configure this type of network, you will be modifying the default log settings, as well as the default FortiOS report.

The following procedures are examples and can be used to help you when configuring your own network’s log topology. Since some of these settings must be modified or enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any that you would need to use in your own network’s log topology.

Modifying default log device settings

The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled, except for traffic logging. The default logging location will be either the FortiGate unit’s system memory or hard disk, depending on the model. Units with a flash disk are not recommended for disk logging.

Modifying the FortiGate unit’s system memory default settings

When the FortiGate unit’s default log device is its system memory, the following is modified for a small network topology. The following is an example of how to modify these default settings.

To modify the default system memory settings

  1. Log in to the CLI.
  2. Enter the following command syntax to modify the logging settings:

config log memory setting set status enable

end

  1. The following example command syntax modifies which FortiGate features that are enabled for logging:

config log memory filter set forward-traffic enable set local-traffic enable set sniffer-traffic enable set anomaly enable set voip disable set multicast-traffic enable

set dns enable

end

Modifying the FortiGate unit’s hard disk default settings

When the FortiGate unit’s default log device is its hard disk, you need to modify those settings to your network’s logging needs so that you can effectively log what you want logged. The following is an example of how to modify these default settings.

To modify the default hard disk settings

  1. Log in to the CLI.
  2. Enter the following command syntax to modify the logging settings:

config log disk setting set ips-archive disable set status enable set max-log-file-size 1000 set storage FLASH set log-quota 100 set report-quota 100

end

  1. In the CLI, enter the following to disable certain event log messages that you do not want logged:

config log eventfilter set event enable set system enable set vpn disable set user enable set router disable set wan-opt disable

end

Testing sending logs to the log device

After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.

To test sending logs to the log device

  1. In the CLI, enter the following command syntax:

diag log test

When you enter the command, the following appears:

generating a system event message with level – warning generating an infected virus message with level – warning generating a blocked virus message with level – warning generating a URL block message with level – warning generating a DLP message with level – warning generating an IPS log message generating an anomaly log message generating an application control IM message with level – information generating an IPv6 application control IM message with level – information generating deep application control logs with level – information generating an antispam message with level – notification generating an allowed traffic message with level – notice generating a multicast traffic message with level – notice generating a ipv6 traffic message with level – notice generating a wanopt traffic log message with level – notification generating a HA event message with level – warning generating netscan log messages with level – notice generating a VOIP event message with level – information generating a DNS event message with level – information generating authentication event messages generating a Forticlient message with level – information generating a URL block message with level – warning

  1. In the web-based interface, go to Log & Report > System Events, and view the logs to see some of the recently generated test log messages.

You will be able to tell the test log messages from real log messages because they do not have “real” information; for example, the test log messages for the vulnerability scan contain the destination IP address of 1.1.1.1 or 2.2.2.2.

Configuring the backup solution

A backup solution provides a way to ensure logs are not lost. The following backup solution explains logging to a FortiCloud server and uploading logs to a FortiAnalyzer unit. With this backup solution, there can be three simultaneous storage locations for logs, the first being the FortiGate unit itself, the FortiAnalyzer unit and then the FortiCloud server.

Configuring logging to a FortiCloud server

The FortiCloud server can be used as a redundant backup, or your primary logging solution. The following assumes that this service has already been registered, and a subscription has been purchased for expanded space. The following is an example of how to these settings are configured for a network’s log configuration. You need to have access to both the CLI and the web-based manager when configuring uploading of logs. The upload time and interval settings can be configured in the web-based interface.

To configure logging to the FortiCloud server

  1. Go to Dashboard and click Login next to FortiCloud in the License Information widget. 2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)
  2. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.
  3. To configure the upload time and interval, go to Log & Report > Log Settings.
  4. Under the Logging and Archiving header, you can select your desired upload time.

With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.

Configuring uploading logs to the FortiAnalyzer unit

The logs will be uploaded to the FortiAnalyzer unit at a scheduled time. The following is an example of how to upload logs to a FortiAnalyzer unit.

To upload logs to a FortiAnalyzer unit

  1. Go to Log & Report > Log Settings.
  2. In the Remote Logging and Archiving section, select the check box beside Send Logs to FortiAnalyzer/FortiManager.
  3. Select FortiAnalyzer (Daily at 00:00).
  4. Enter the FortiAnalyzer unit’s IP address in the IP Address
  5. To configure the daily upload time, open the CLI.
  6. Enter the following to configure when the upload occurs, and the time when the unit uploads the logs:

config log fortianalyzer setting set upload-interval {daily | weekly | monthly} set upload-time <hh:mm>

end

  1. To change the upload time, in the web-based manager, select Change beside the upload time period, and then make the changes in the Upload Schedule window. Select OK.

Testing uploading logs to a FortiAnalyzer unit

You should test that the FortiGate unit can upload logs to the FortiAnalyzer unit, so that the settings are configured properly.

To test the FortiAnalyzer upload settings

  1. Go to Log & Report > Log Settings.
  2. In the Logging and Archiving section, under Send Logs to FortiAnalyzer/FortiManager, change the time to the current time by selecting Change.

For example, the current time is 11:10 am, so Change now has the time 11:10.

  1. Select OK.

The logs will be immediately sent to the FortiAnalyzer unit, and will be available to view from within the FortiAnalyzer’s interface.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Best practices: Log management – FortiOS 6

2 Replies

Best practices: Log management

When the FortiGate unit records FortiGate activity, valuable information is collected that provides insight into how to better protect network traffic against attacks, including misuse and abuse. There is a lot to consider before enabling logging on a FortiGate unit, such as what FortiGate activities to enable and which log device is best suited for your network’s logging needs. A plan can help you in deciding the FortiGate activities to log, a log device, as well as a backup solution in the event the log device fails. This plan should provide you with an outline, similar to the following:

l what FortiGate activities you want and/or need logged (for example, security features) l the logging device best suited for your network structure l if you want or require archiving of log files l ensuring logs are not lost in the event a failure occurs.

After the plan is implemented, you need to manage the logs and be prepared to expand on your log setup when the current logging requirements are outgrown. Good log management practices help you with these tasks.

Log management practices help you to improve and manage logging requirements. Logging is an ever-expanding tool that can seem to be a daunting task to manage. The following management practices will help you when issues arise, or your logging setup needs to be expanded.

  1. Revisit your plan on a yearly basis to verify that your logging needs are being met by your current log setup. For example, your company or organization may require archival logging, but not at the beginning of your network’s lifespan. Archival logs are stored on a FortiGate unit’s local hard drive, a FortiAnalyzer unit, or a FortiCloud server, in increasing order of size.
  2. Configure an alert message that will notify you of activities that are important to be aware about. For example: if a branch office does not have a FortiGate administrator, you will need to know at all times that the IPsec VPN tunnel is still up and running. An alert email notification message can be configured to send only if IPsec tunnel errors occur.
  3. If your organization or company uses peer-to-peer programs such as Skype or other instant messaging software, use the Applications FortiView dashboard, or the Executive Summary’s report widget (Top 10 Application Bandwidth Usage Per Hour Summary) to help you monitor the usage of these types of instant messaging software. These widgets can help you in determining how these applications are being used, including if there is any misuse and abuse. Their information is taken from application log messages; however, application log messages should be viewed as well since they contain the most detailed information.
  4. Ensure that your backup solution is up-to-date. If you have recently expanded your log setup, you should also review your backup solution. The backup solution provides a way to ensure that all logs are not lost in the event that the log device fails or issues arise with the log device itself.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!