Chapter 20 – Managing a FortiSwitch with a FortiGate


Managing a FortiSwitch with a FortiGate

 

Introduction

This document describes how to set up and configure managed FortiSwitches with a FortiGate. This is also known as using the FortiSwitch in FortiLink mode.

 

Supported Models

The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases.

FortiGate Models                                    Earliest FortiOS   FortiSwitch Models
FGT-90D                                             5.2.2              FS-224D-POE
FGT-60D, FGT-90D, FGT-100D, FGT-140D (POE, T1),     5.2.3              FSR-112D-POE, FS-108D-POE, FS-124D,
FGT-200D, FGT-240D, FGT-280D (POE), FGT-600C,                          FS-124D-POE, FS-224D-POE, FS-224D-FPOE
FGT-800C, FGT-1000C                                 5.4.0              All FortiSwitch D-series models
                                                                       (FortiSwitchOS 3.3.x or 3.4.0 recommended)
FGT-1200D, FGT-1500D, FGT-3700D, FGT-3700DX         5.4.0              All FortiSwitch D-series models
                                                                       (FortiSwitchOS 3.3.x or 3.4.0 recommended)

 

 

What's New

The following new FortiLink features are available:

 

FortiOS 5.4.0 with FortiSwitchOS 3.3.0 (or later)

  • FortiGate High-Availability mode
  • Multiple VLANs per port (native VLAN and tagged VLANs)
  • Auto-authorization of the FortiSwitch.
  • FortiLink GUI enabled for FGT600C, 800C and 1000C
  • POE configuration on the FortiSwitch ports.
  • Fortilink Link Aggregation Group (LAG)
  • Auto-detect Fortilink ports on the FortiSwitch.

 

Before You Begin

Before you configure the managed FortiSwitch unit, the following assumptions have been made in the writing of this manual:

  • You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch, and you have administrative access to the FortiSwitch web-based manager and CLI.
  • You have installed a FortiGate unit on your network and have administrative access to the FortiGate web-based manager and CLI.

 

How this Guide is Organized

 

This guide contains the following sections:

  • Connecting FortiLink Ports – information about connecting FortiSwitch ports to FortiGate ports.
  • FortiLink Configuration – how to configure FortiLink
  • Configuring Fortilink for FortiGate HA – how to configure Fortilink when you have a pair of FortiGate units in HA mode.
  • Optional Setup Tasks – describes other set up tasks.
  • VLAN Configuration – configure VLANs from the FortiGate unit.
  • FortiSwitch POE Configuration – configure ports and POE from the FortiGate unit.
  • Troubleshooting – describes techniques for troubleshooting common problems.
  • Scenarios – contains practical examples of how to use managed FortiSwitch units in a network.

 

Connecting FortiLink Ports

This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink connection.

You have a choice of connecting a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG).

In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch ports (depending on the model) support auto-discovery of the FortiLink ports.

 

Summary of the Steps

1. If required, enable the Switch Controller on the FortiGate.

2. Connect a cable between the FortiSwitch port and the FortiGate port (or ports for a LAG)

 

Enable the Switch Controller on FortiGate

Prior to connecting the FortiSwitch and FortiGate units, ensure that the Switch Controller feature is enabled on the FortiGate (depending on the FortiGate model and software release, this feature may be enabled by default).

Use the FortiGate web-based manager or CLI to enable the Switch Controller.

 

Using the FortiGate web-based manager

1. Go to System > Features.

2. Turn on the Switch Controller feature.

3. Select Apply.

The menu option WiFi & Switch Controller now appears in the web-based manager.

 

Using the FortiGate CLI

Use the following command to enable the Switch Controller.

 

config system global
    set switch-controller enable
end

 

Connect the FortiSwitch and FortiGate

In FortiSwitchOS 3.3.0 and later releases, FortiSwitchOS provides additional flexibility for FortiLink:

  • Use any switch port for FortiLink
  • Provides auto-discovery of the FortiLink ports on the FortiSwitch
  • Choice of a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG)

 

Autodiscovery of the FortiSwitch Ports

In releases FortiSwitchOS 3.3.0 and beyond, the D-series FortiSwitch models support FortiLink auto-discovery, which is automatic detection of the port connected to the FortiGate.

You can use any of the switch ports for FortiLink. Use the following commands to configure a port for FortiLink auto-discovery:

 

config switch interface
    edit <port>
        set auto-discovery-fortilink enable
    next
end

 

NOTE: Some ports are enabled for auto-discovery by default. See table below.

NOTE: Complete this configuration step BEFORE connecting the switch to the FortiGate.

Each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery by default. If you connect the FortiLink using one of these ports, no switch configuration is required.

In general (in FortiSwitchOS 3.4.0 and later releases), the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface CLI command on the FortiSwitch to see the ports that have auto-discovery enabled.

The table below lists the default auto-discovery ports for each switch model:

FortiSwitch Model                                    Default Auto-FortiLink ports

FS-108D                                                       ports 9 and 10

FSR-112D                                                     ports 9, 10, 11 and 12

FS-224D-POE                                               ports 21, 22, 23 and 24

FS-1024D, FS-1048D, FS-3032D                 all ports

FS-124D, FS-124D-POE                              ports 23, 24, 25 and 26

FS-224D-FPOE                                            ports 25, 26, 27 and 28

FS-424D-FPOE                                            ports 25 and 26

FS-524D-FPOE                                            ports 25, 26, 27, 28, 29 and 30

FS-548D-FPOE                                            ports 49, 50, 51, 52, 53 and 54

FS-248D-FPOE                                            ports 49, 50, 51, and 52

FS-524D                                                       ports 25, 26, 27, 28, 29 and 30

FS-548D                                                       ports 49, 50, 51, 52, 53 and 54

 

Choosing the FortiGate Ports

For all FortiGate models, you can connect up to 16 FortiSwitches to one FortiGate unit. The FortiGate manages all of the switches through one active FortiLink. The FortiLink may consist of one port or multiple ports (for a LAG).

The following table shows the ports for each model of FortiGate that you can use for FortiLink.

 

FortiGate Model                                  Ports for FortiLink connection
FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE       port1 – port7
FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE       port1 – port14
FGT-100D                                         port1 – port16
FGT-140D, FGT-140D-POE, FGT-140D-POE-T1          port1 – port36
FGT-200D                                         port1 – port16
FGT-240D                                         port1 – port40
FGT-280D, FGT-280D-POE                           port1 – port84
FGT-600C                                         port3 – port22
FGT-800C                                         port3 – port24
FGT-1000C                                        port3 – port14, port23 – port24
FGT-1200D                                        port1 – port36
FGT-1500D                                        port1 – port40
FGT-3700D, FGT-3700DX                            port1 – port32

 

FortiLink Configuration

This section describes the configuration steps to establish a FortiLink between a FortiSwitch and a FortiGate unit. You can configure FortiLink using the FortiGate web-based manager (GUI) or the FortiGate CLI. We recommend using the FortiGate GUI, because the CLI steps are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with zero configuration steps on the FortiSwitch, and with a few simple configuration steps on the FortiGate.

 

Summary of the Steps

1. On the FortiGate, configure the FortiLink port or create a FortiLink LAG.

2. Authorize the managed FortiSwitch.

 

Using FortiGate GUI to Configure FortiLink (Single Link)

The following sections describe how to configure FortiLink using a single switch port.

 

Configuring the Port

Configure the FortiLink port on the FortiGate using the following steps:

1. Go to System > Network > Interfaces

2. (Optional) If the FortiLink physical port is currently included in the internal interface, edit the internal interface and remove the desired port from the Physical Interface Members.

3. Edit the FortiLink port.

4. Enter the following fields in the Edit Interface form:

a. Addressing mode: Set to Dedicated to Extension Device.

b. IP/Network Mask: system automatically sets the IP address and network mask.

c. (Optional) Automatically authorize devices: disable to manually authorize the FortiSwitch.

d. Select OK.

 

Authorizing the FortiSwitch

If you set the FortiLink port to manually authorize the FortiSwitch as a managed switch, perform the following steps:

1. Go to WiFi & Switch Controller > Managed FortiSwitch.

2. (Optional) Click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.

 

Network Interface Display

The following image shows the Managed FortiSwitch display. The page displays the FortiGate ports on the left, and the faceplate for each switch on the right.

When the FortiLink is established successfully, the port status is green (on the FortiGate port and on the FortiSwitch faceplate) and the link between the ports is a solid line.

In System > Network > Interfaces, the system displays the switch ID next to the interface name, and displays Dedicated to Extension Device in the IP/Netmask field.

Note: An interface configured for managed FortiAP is also set to Dedicated to Extension Device. Make sure that you are viewing the correct FortiLink interface.

 

Using FortiGate GUI to Configure FortiLink (LAG)

Starting in FortiSwitchOS 3.3.0, you can configure the FortiLink as a Link Aggregation Group (LAG) to provide increased FortiLink bandwidth between the FortiGate and FortiSwitch.

NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above.

Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Make sure that you configure auto-discovery on the FortiSwitch ports (unless the port is a default auto-discovery port).

 

Configuring the LAG on the FortiGate

1. Go to Network> Interfaces

2. (Optional) If the FortiLink physical ports are currently included in the internal interface, edit the internal interface and remove the desired ports from the Physical Interface Members.

3. Click Create New

4. Enter the following fields in the Add Interface form:

a. Interface name: enter a name for the interface (11 characters maximum)

b. Type: select FortiLink

c. Physical Interface Members : select the FortiGate ports for the LAG

d. IP/Network Mask: system automatically sets the IP address and network mask.

e. Administrative Access: check the boxes for ping, capwap, http and https.

 

Authorizing the FortiSwitch

To authorize the FortiSwitch as a managed switch, perform the following steps:

1. Go to WiFi & Switch Controller > Managed Devices > Managed FortiSwitch. Click on the switch faceplate and select Authorize.

2. From the FortiGate CLI, ensure that NTP is enabled for the FortiLink LAG:

config system ntp
    set server-mode enable
    set interface fortilink
end

The following image shows the Managed FortiSwitch display. The page displays the FortiGate ports on the left, and the faceplate for each FortiSwitch on the right. The link between the FortiSwitch and FortiGate splits at each end to indicate which ports are members of the LAG.

Before the LAG becomes established, the FortiLink is displayed with dashed lines with a broken-link icon. When the FortiLink LAG is established successfully, the port status for the LAG ports is green (on the FortiGate port list and on the FortiSwitch faceplate), and the link between the ports is a solid line.

 

Network Interface Display

In System > Network > Interfaces, the system displays the switch ID next to the interface name, and displays Dedicated to Extension Device in the IP/Netmask field.

Note: An interface configured for managed FortiAP is also set to Dedicated to Extension Device. Make sure that you are viewing the correct FortiLink interface.

 

Using FortiGate CLI to Configure FortiLink (Single Link)

The following sections describe how to use the FortiGate CLI to configure FortiLink using a single link.

 

Configuring the Port and Authorizing the FortiSwitch

Configure the FortiLink port on the FortiGate, and authorize the FortiSwitch as a managed switch. In the following steps, port1 is configured as the FortiLink port.

1. If required, remove port1 from the lan interface:

config system virtual-switch
    edit lan
        config port
            delete port1
        end
    next
end

2. Configure port1 as the FortiLink interface:

config system interface
    edit port1
        set auto-auth-extension-device enable
        set fortilink enable
    next
end

3. Configure an NTP server on port1:

config system ntp
    set server-mode enable
    set interface port1
end

4. Authorize the FortiSwitch unit as a managed switch (FS224D3W14000370 is the switch serial number in this example):

config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    next
end

NOTE: The FortiSwitch reboots when you issue the above command.

 

Using FortiGate CLI to Configure FortiLink (LAG)

Starting in FortiSwitchOS 3.3.0, you can configure the FortiLink as a Link Aggregation Group (LAG) to provide increased FortiLink bandwidth between the FortiGate and FortiSwitch.

NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above.

Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Make sure that you configure auto-discovery on the FortiSwitch ports (unless the port is a default auto-discovery port).

 

Configuring the LAG on the FortiGate

 

To configure the FortiLink as a LAG, create a FortiLink interface on the FortiGate, add the physical ports, and authorize the FortiSwitch as a managed switch. In the following steps, port4 and port5 are configured as the FortiLink LAG.

1. If required, remove the LAG ports from the lan interface:

config system virtual-switch
    edit lan
        config port
            delete port4
            delete port5
        end
    next
end

2. Create a trunk (of type fortilink) with the two ports that you connected to the switch. The interface name is 11 characters maximum; flink1 is used here:

config system interface
    edit flink1
        set allowaccess ping capwap https
        set type fortilink
        set member port4 port5
        set lacp-mode static
    next
end

3. Configure an NTP server on the LAG interface:

config system ntp
    set server-mode enable
    set interface flink1
end

4. Authorize the FortiSwitch unit as a managed switch (FS224D3W14000370 is the switch serial number in this example):

config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    next
end

NOTE: The FortiSwitch reboots when you issue the above command.

5. Configure a DHCP server on the FortiLink LAG interface. The range holds the single address 169.254.254.2, and the vendor class identifier (VCI) match restricts leases to clients that identify themselves as FortiSwitch:

config system dhcp server
    edit 0
        set ntp-service local
        set netmask 255.255.255.252
        set interface flink1
        config ip-range
            edit 1
                set start-ip 169.254.254.2
                set end-ip 169.254.254.2
            next
        end
        set vci-match enable
        set vci-string FortiSwitch
    next
end
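The CLI steps above are easy to get wrong by hand, which is why the text recommends the GUI. The following script, an added example that is not part of the original document and not Fortinet's tooling, renders the same command sequence for either a single-port FortiLink or a LAG and enforces the constraints the text states (an interface name of at most 11 characters, a one-address 169.254.254.2 DHCP range, at least two LAG members). The port-name pattern (PORT_RE), the serial-number format check (SERIAL_RE) and the accepted lacp-mode values are assumptions, not rules taken from the page.

```python
"""Render the FortiOS CLI for one FortiLink, single port or LAG.

Added example, not Fortinet code. It chains the commands from the two CLI
procedures above and enforces what the text states: LAG interface name of
at most 11 characters, at least two LAG members, and the one-address
169.254.254.2 DHCP range for the FortiSwitch. PORT_RE, SERIAL_RE and the
accepted lacp-mode values are assumptions, not rules taken from the page.
"""
import re

PORT_RE = re.compile(r"^port\d+$")            # assumption: physical ports are named portN
SERIAL_RE = re.compile(r"^[A-Z0-9]{16}$")     # assumption: serial like FS224D3W14000370
LACP_MODES = ("static", "passive", "active")  # assumption: FortiOS lacp-mode choices


def _block(lines):
    return "\n".join(lines) + "\n"


def _check_ports(ports):
    if not ports:
        raise ValueError("at least one FortiGate port is required")
    if len(set(ports)) != len(ports):
        raise ValueError("duplicate port in member list")
    for port in ports:
        if not PORT_RE.match(port):
            raise ValueError(f"unexpected port name: {port}")


def remove_from_virtual_switch(ports, vswitch="lan"):
    """Step 1: take the FortiLink ports out of the internal hardware switch."""
    lines = ["config system virtual-switch", f"    edit {vswitch}", "        config port"]
    lines += [f"            delete {p}" for p in ports]
    return _block(lines + ["        end", "    next", "end"])


def fortilink_interface(ports, lag_name=None, lacp_mode="static"):
    """Step 2: one port gets 'set fortilink enable'; two or more ports become
    a trunk of type fortilink. Returns (interface_name, cli_text)."""
    _check_ports(ports)
    if len(ports) == 1:
        return ports[0], _block([
            "config system interface", f"    edit {ports[0]}",
            "        set auto-auth-extension-device enable",
            "        set fortilink enable",
            "    next", "end"])
    if not lag_name or len(lag_name) > 11:
        raise ValueError("LAG interface name must be 1 to 11 characters")
    if lacp_mode not in LACP_MODES:
        raise ValueError(f"lacp-mode must be one of {LACP_MODES}")
    return lag_name, _block([
        "config system interface", f"    edit {lag_name}",
        "        set allowaccess ping capwap https",  # only what FortiLink needs
        "        set type fortilink",
        f"        set member {' '.join(ports)}",
        f"        set lacp-mode {lacp_mode}",
        "    next", "end"])


def ntp_server(interface):
    """Step 3: the FortiGate serves time to the switch over the FortiLink."""
    return _block(["config system ntp", "    set server-mode enable",
                   f"    set interface {interface}", "end"])


def authorize_switch(serial):
    """Step 4: authorize the managed switch (the FortiSwitch reboots)."""
    if not SERIAL_RE.match(serial):
        raise ValueError(f"unexpected FortiSwitch serial: {serial}")
    return _block(["config switch-controller managed-switch", f"    edit {serial}",
                   "        set fsw-wan1-admin enable", "    next", "end"])


def fortilink_dhcp(interface):
    """Step 5 (LAG only): one-address pool, answered only to the FortiSwitch VCI."""
    return _block([
        "config system dhcp server", "    edit 0",
        "        set ntp-service local",
        "        set netmask 255.255.255.252",
        f"        set interface {interface}",
        "        config ip-range", "            edit 1",
        "                set start-ip 169.254.254.2",
        "                set end-ip 169.254.254.2",
        "            next", "        end",
        "        set vci-match enable",
        "        set vci-string FortiSwitch",
        "    next", "end"])


def render(ports, serial, lag_name=None, vswitch="lan", lacp_mode="static"):
    """Complete script; a LAG when len(ports) > 1, a single link otherwise."""
    name, iface_cli = fortilink_interface(ports, lag_name, lacp_mode)
    parts = [remove_from_virtual_switch(ports, vswitch), iface_cli,
             ntp_server(name), authorize_switch(serial)]
    if len(ports) > 1:
        parts.append(fortilink_dhcp(name))
    return "".join(parts)


if __name__ == "__main__":
    print(render(["port4", "port5"], "FS224D3W14000370", lag_name="flink1"))
```

Two points worth keeping in mind when applying the output. The VCI match is a selector, not an access control: any DHCP client on the link can present "FortiSwitch" as its vendor class, so it is the single-address range on a /30 that actually limits what can be leased there. And the LAG interface's allowaccess list is the management surface the FortiGate exposes toward the switch ports; the generator emits only ping, capwap and https, as the CLI procedure does, and nothing more should be added without a reason.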

 

Configuring FortiLink for FortiGate HA

With FortiOS 5.4.0 and later releases, a FortiGate operating in HA mode can use FortiLink (to FortiSwitches running FortiSwitchOS 3.3.0 or later release).

To use FortiLink mode with a pair of FortiGate units in a high-availability cluster, you must connect FortiLink from the switch to both of the FortiGate units.

 

Highlights of this configuration:

1. No console port or direct management is required on the FortiSwitch.

2. All the actions described here can be performed from FortiCloud if needed

3. All FortiSwitch internal state and counters are visible when in FortiLink managed mode

 

Example Topology

The LAN and WAN links connect to FortiSwitch ports. The FortiSwitch connects to the active and standby FortiGate units. If the standby FortiGate (for example, FGT2) becomes active, this is transparent to the LAN and WAN ports. FortiLink is automatically established to FGT2, and the active traffic path becomes LAN <-> FGT2<-> WAN.

 

Note the following points:

1. FortiSwitch connects with FortiLink to both of the FortiGate units. These connections can be LAGs (in FortiSwitch 3.3.0 and later releases).

2. LAN and WAN links can connect to separate FortiSwitches, as shown in the figure. You can also connect them to the same FortiSwitch (and use VLANs to separate the LAN and WAN traffic).

3. Connect the FortiLinks from any two FortiSwitch ports to FGT1 port X and FGT2 port X, where the FortiGate port numbers must match (port1 in the above topology diagram).

4. For FortiLink LAGs, connect Fortilinks from two additional FortiSwitch ports to FGT1 port Y and FGT2 port Y, where the FortiGate port numbers must match.

 

Adding a Second FortiGate to Existing Single FortiGate

Connect an additional FortiLink from the FortiSwitch to the new FortiGate, and configure HA on both of the FortiGate units.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Managing “bring your own device”

 

FortiOS can control network access for different types of personal mobile devices that your employees bring onto your premises. You can:

  • identify and monitor the types of devices connecting to your networks, wireless or wired
  • use MAC address based access control to allow or deny individual devices
  • create security policies that specify device types
  • enforce endpoint control on devices that can run FortiClient Endpoint Control software

This chapter contains the following sections:

  • Device monitoring
  • Device Groups
  • Controlling access with a MAC Address Access Control List
  • Security policies for devices

 

 

Device monitoring

 

The FortiGate unit can monitor your networks and gather information about the devices operating on those networks. Collected information includes:

  • MAC address
  • IP address
  • operating system
  • hostname
  • user name
  • how long ago the device was detected and on which FortiGate interface

 

You can go to User & Device > Device List to view this information. Mouse-over the Device column for more details.

Depending on the information available, the Device column lists the Alias or the MAC address of the device. For ease in identifying devices, Fortinet recommends that you assign each device an Alias.

Device monitoring is enabled separately on each interface. Device detection is intended for devices directly connected to your LAN ports. If enabled on a WAN port, device detection may be unable to determine the operating system on some devices. Hosts whose device type cannot be determined passively can be found by enabling active scanning on the interface.

You can also manually add devices. This enables you to ensure that a device with multiple interfaces is displayed as a single device.

 

To configure device monitoring

1. Go to Network > Interfaces.

2. Edit the interface that you want to monitor devices on.

3. In Networked Devices, turn on Device Detection and optionally turn on Active Scanning.

4. Select OK.

5. Repeat steps 2 through 4 for each interface that will monitor devices.

 

To assign an alias to a detected device or change device information

1. Go to User & Device > Device List and edit the device entry.

2. Enter an Alias such as the user’s name to identify the device.

3. Change other information as needed.

4. Select OK.

 

To add a device manually

1. Go to User & Device > Custom Devices & Groups.

2. Select Create New > Device.

3. Enter the following information:

  • Alias (required)
  • MAC address
  • Additional MACs (other interfaces of this device)
  • Device Type
  • Optionally, add the device to Custom Groups.
  • Optionally, enter Comments.

4. Select OK.

 

Device Groups

You can specify multiple device types in a security policy. As an alternative, you can add multiple device types to a custom device group and include the group in the policy. This enables you to create a different policy for devices that you know than for devices in general.

 

To create a custom device group and add devices to it

1. Go to User & Device > Custom Devices & Groups.

The list of device groups is displayed.

2. Select Create New > Device Group.

3. Enter a Name for the new device group.

4. Click in the Members field and click a device type to add. Repeat to add other devices.

5. Select OK.

 

 

Controlling access with a MAC Address Access Control List

A MAC Address Access Control List (ACL) allows or blocks access on a network interface that includes a DHCP server. If the interface does not use DHCP, or if you want to limit network access to a larger group such as employee devices, it is better to create a device group and specify that group in your security policies.

 

A MAC Address ACL functions as either

  • a list of devices to block, allowing all other devices or
  • a list of devices to allow, blocking all other devices

Allowed devices are assigned an IP address. The Assign IP action assigns the device an IP address from the DHCP range. In a list of allowed devices, you can also use the Reserve IP action to always provide a specific IP address to the device.

The Unknown MAC Address entry applies to “other” unknown, unlisted devices. Its action must be opposite to that of the other entries. In an allow list, it must block. In a block list, it must allow.

 

To create a MAC Address ACL to allow only specific devices

1. Go to the SSID or network interface configuration.

2. In the DHCP Server section, expand Advanced.

DHCP Server must be enabled.

3. In MAC Reservation + Access Control, select Create New and enter an allowed device’s MAC Address.

4. In the IP or Action column, select one of:

  • Assign IP — device is assigned an IP address from the DHCP server address range.
  • Reserve IP — device is assigned the IP address that you specify.

5. Repeat steps 3 and 4 for each additional MAC address entry.

6. Set the Unknown MAC Address entry IP or Action to Block.

Devices not in the list will be blocked.

7. Select OK.

 

To create a MAC Address ACL to block specific devices

1. Go to the SSID or network interface configuration.

2. In the DHCP Server section, expand Advanced.

DHCP Server must be enabled.

3. In MAC Reservation + Access Control, select Create New and enter the MAC Address of a device that must be blocked.

4. In the IP or Action column, select Block.

5. Repeat steps 3 and 4 for each device that must be blocked.

6. Set the Unknown MAC Address entry IP or Action to Assign IP.

Devices not in the list will be assigned IP addresses.

7. Select OK.
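The two procedures above describe the same decision logic from opposite ends: listed devices carry one kind of action, and the Unknown MAC Address entry must carry the opposite. The following Python, an added example that is not FortiOS code, models that DHCP-server ACL so the rule can be checked before it reaches a device. It validates an allow list (Assign IP or Reserve IP entries, Unknown set to Block) and a block list (Block entries, Unknown set to Assign IP), rejects any mixed or inconsistent list, and hands out addresses from a pool while keeping reserved addresses out of it. The MAC normalization, the lease bookkeeping and the sample devices are constructed for the example.

```python
"""Evaluate a DHCP-server MAC Address ACL as the section above describes.

Added example, not FortiOS code. An ACL is an allow list (listed devices get
Assign IP or Reserve IP, the Unknown MAC Address entry is Block) or a block
list (listed devices are Block, unknown devices get Assign IP); a list whose
Unknown entry is not the opposite of its other entries is rejected. The MAC
normalization, the lease bookkeeping and the sample devices are constructed.
"""
import ipaddress
import re

ASSIGN, RESERVE, BLOCK = "assign", "reserve", "block"


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


class MacAcl:
    def __init__(self, entries, unknown_action, pool_start, pool_end):
        """entries: iterable of (mac, action, reserved_ip_or_None)."""
        self.table = {}
        for mac, action, ip in entries:
            key = normalize_mac(mac)
            if key in self.table:
                raise ValueError(f"duplicate entry for {key}")
            if action not in (ASSIGN, RESERVE, BLOCK):
                raise ValueError(f"bad action {action!r}")
            if (action == RESERVE) != (ip is not None):
                raise ValueError("Reserve IP needs an address; Assign IP and Block must not")
            self.table[key] = (action, ipaddress.ip_address(ip) if ip else None)
        if unknown_action not in (ASSIGN, BLOCK):
            raise ValueError("Unknown MAC Address entry must be Assign IP or Block")
        listed = {action for action, _ in self.table.values()}
        if listed and not (listed <= {ASSIGN, RESERVE} or listed == {BLOCK}):
            raise ValueError("entries must all allow or all block")
        if listed == {BLOCK} and unknown_action != ASSIGN:
            raise ValueError("block list: Unknown MAC Address entry must be Assign IP")
        if listed and listed != {BLOCK} and unknown_action != BLOCK:
            raise ValueError("allow list: Unknown MAC Address entry must be Block")
        self.unknown_action = unknown_action
        start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        if end < start:
            raise ValueError("pool end precedes pool start")
        self.pool = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
        self.reserved = {ip for action, ip in self.table.values() if action == RESERVE}
        self.leases = {}  # normalized MAC -> IPv4Address

    def decide(self, mac):
        """Return (action, ip_or_None) for a DHCP request from `mac`."""
        key = normalize_mac(mac)
        action, ip = self.table.get(key, (self.unknown_action, None))
        if action == BLOCK:
            return BLOCK, None
        if action == RESERVE:
            self.leases[key] = ip
            return RESERVE, str(ip)
        if key not in self.leases:  # ASSIGN: first free pool address, skipping reservations
            in_use = set(self.leases.values()) | self.reserved
            free = [cand for cand in self.pool if cand not in in_use]
            if not free:
                raise RuntimeError("DHCP address range exhausted")
            self.leases[key] = free[0]
        return ASSIGN, str(self.leases[key])


if __name__ == "__main__":
    acl = MacAcl([("00:11:22:33:44:55", ASSIGN, None),
                  ("AA-BB-CC-DD-EE-FF", RESERVE, "192.0.2.10")],
                 BLOCK, "192.0.2.10", "192.0.2.12")
    for mac in ("0011.2233.4455", "aa:bb:cc:dd:ee:ff", "de:ad:be:ef:00:01"):
        print(mac, acl.decide(mac))
```

As the text notes, this is a DHCP-level control: a host that configures a static address on the interface never asks the DHCP server and is not touched by the ACL, and a MAC address is trivially changed. Use the list for convenience and inventory hygiene, and put the real access decision in security policies.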

 

 

Security policies for devices

 

Security policies enable you to implement policies according to device type. For example:

  • Gaming consoles cannot connect to the company network or the Internet.
  • Personal tablet and phone devices can connect to the Internet but not to company servers.
  • Company-issued laptop computers can connect to the Internet and company servers. Web filtering and antivirus are applied.
  • Employee laptop computers can connect to the Internet, but web filtering is applied. They can also connect to company networks, but only if FortiClient Endpoint Security is installed to protect against viruses.

The following images show these policies implemented for WiFi to the company network and to the Internet.

 

Device policies for company laptop access to the company network

 

Device policies for WiFi access to the Internet

The next section explains device policy creation in detail.

 

Creating device policies

Device-based security policies are similar to policies based on user identity:

  • The policy enables traffic to flow from one network interface to another.
  • NAT can be enabled.
  • UTM protection can be applied.

 

To create a device policy

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Choose Incoming Interface, Outgoing Interface and Source as you would for any security policy.

3. In Source, select an address and the device types that can use this policy.

You can select multiple devices or device groups.

4. Turn on NAT if appropriate.

5. Configure Security Profiles as you would for any security policy.

6. Select OK.

 

Adding endpoint protection

Optionally, you can require that users’ devices connecting to a particular network interface have FortiClient Endpoint Security software installed. Devices without an up-to-date installation of FortiClient software are restricted to a captive portal from which the user can download a FortiClient installer. For information about creating FortiClient profiles, see “Endpoint Protection”.

 

To add endpoint protection to a security policy

1. Go to Network > Interfaces and edit the interface.

2. In Admission Control turn on Allow FortiClient Connections and FortiClient Enforcement.

3. Optionally, select sources (addresses and device types) to exempt from FortiClient enforcement.

4. Optionally, select destination addresses and services to exempt from FortiClient enforcement.

5. Select OK.

FortiOS pushes a FortiClient profile out to the FortiClient software, configuring network protection such as antivirus, application control, and web category filtering. To create these profiles, go to Security Profiles > FortiClient Profiles.



Chapter 19 – Managing Devices

This handbook chapter contains the following sections:

  • What's New in FortiOS 5.4
  • Managing “bring your own device” – describes device monitoring, devices, device groups, and device policies. The administrator can monitor all types of devices and control their access to network resources. Its sections are Device monitoring, Device Groups, Controlling access with a MAC Address Access Control List, and Security policies for devices.

 

What's New in FortiOS 5.4

 

802.1X MAC Authentication Bypass (197218)

Some FortiGate models contain a hardware switch. On the hardware switch interface, 802.1X authentication is available. You might want to bypass 802.1X authentication for devices such as printers that cannot authenticate, identifying them by their MAC address.

 

In the CLI, enable MAC authentication bypass on the interface:

config system interface
    edit "lan"
        set ip 10.0.0.200 255.255.255.0
        set security-mode 802.1X
        set security-mac-auth-bypass enable
        set security-groups "Radius-group"
    next
end

The devices that bypass authentication have entries in the RADIUS database with their MAC address in the User-Name and User-Password attributes instead of user credentials.

 

Vulnerability Scan status change(293156)

The FortiGate no longer functions as a vulnerability scanner, even from the CLI. Vulnerability scans and assessments are handled by the FortiClient software.

 

FortiFone devices are now identified by FortiOS (289921)

FortiFone devices are now identified by FortiOS as Fortinet FON.

 

Support for MAC Authentication Bypass (MAB) (197218)

MAC Authentication Bypass allows devices without 802.1X capability (printers and IP phones for example) to bypass authentication and be allowed network access based on their MAC address. This feature requires RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC addresses.

MAC Authentication Bypass is configurable only in the CLI and only on interfaces configured for 802.1X authentication. For example:

 

config system interface
    edit "lan"
        set ip 10.0.0.200 255.255.255.0
        set vlanforward enable
        set security-mode 802.1X
        set security-mac-auth-bypass enable
        set security-groups "Radius-group"
    next
end

 

MAC Authentication Bypass is also available on WiFi SSIDs, regardless of authentication type. It is configurable only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be used. For example:

 

config wireless-controller vap
    edit "office-ssid"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "staff"
        set radius-mac-auth enable
        set radius-mac-auth-server "ourRadius"
    next
end
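Both MAB descriptions above say the same thing about the RADIUS side: the server must hold one entry per bypassed device whose User-Name and User-Password are both the device's MAC address. The following Python, an added example that is neither FortiOS nor FreeRADIUS code, builds that table from a device inventory, renders it in the FreeRADIUS `users` file syntax, and answers an Access-Request the way the server would, so the matching can be tested before a printer or phone is plugged into an 802.1X port. The page does not state which spelling of the MAC the FortiGate sends in the request, so canonicalizing both attributes to lower-case colon-separated form is an assumption of this example; the inventory is constructed.

```python
"""Simulate the RADIUS side of MAC Authentication Bypass as described above.

Added example, not FortiOS or FreeRADIUS code. For MAB the RADIUS database
holds one entry per bypassed device with its MAC address in both User-Name
and User-Password. The code builds that table from a device inventory,
renders it in the FreeRADIUS 'users' file syntax, and answers an
Access-Request the way the server would. The page does not state the MAC
spelling the FortiGate sends, so canonicalizing to lower-case colon form is
an assumption; the inventory is constructed.
"""
import re

ACCEPT, REJECT = "Access-Accept", "Access-Reject"


def normalize_mac(mac):
    """Canonical lower-case aa:bb:cc:dd:ee:ff form; ValueError for anything else."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def build_mab_table(inventory):
    """inventory: iterable of (mac, description) -> {canonical_mac: description}."""
    table = {}
    for mac, description in inventory:
        key = normalize_mac(mac)
        if key in table:
            raise ValueError(f"duplicate MAB entry for {key}")
        table[key] = description
    return table


def render_users_file(table):
    """FreeRADIUS 'users' entries: User-Name is the MAC, password is the same MAC."""
    lines = []
    for mac, description in sorted(table.items()):
        lines.append(f"# {description}")
        lines.append(f'{mac}\tCleartext-Password := "{mac}"')
    return "\n".join(lines) + "\n"


def access_request(table, user_name, user_password):
    """Decide a MAB Access-Request: User-Name must be a known MAC and
    User-Password must spell the same MAC. Non-MAC names are rejected here
    because ordinary 802.1X users live in the regular user database."""
    try:
        mac = normalize_mac(user_name)
        password_mac = normalize_mac(user_password)
    except ValueError:
        return REJECT
    if mac not in table or password_mac != mac:
        return REJECT
    return ACCEPT


if __name__ == "__main__":
    mab = build_mab_table([("00:11:22:33:44:55", "printer, 2nd floor"),
                           ("AA-BB-CC-DD-EE-FF", "lobby IP phone")])
    print(render_users_file(mab))
    print(access_request(mab, "00:11:22:33:44:55", "00:11:22:33:44:55"))
```

The credential here is the MAC address itself, which any host on the segment can copy and present, so MAB is a convenience for devices that cannot run a supplicant, not an authentication of them. Keep the group these entries map to (the security-groups value in the FortiGate configuration above) limited to what printers and phones actually need.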

 

Active device identification (279278)

Hosts whose device type cannot be determined passively are actively scanned using the same techniques as the vulnerability scan. This active scanning is enabled by default on models that support vulnerability scanning. You can turn off Active Scanning on any interface. In the GUI, go to the interface’s page in Network > Interfaces.

 

CLI Syntax:

config system interface
    edit port1
        set device-identification enable
        set device-identification-active-scan disable
    next
end

 

Device Page Improvements (Detected and custom devices) (280271)

Devices are now in two lists on the User & Device menu. Detected devices are listed in the Device List where you can list them alphabetically, by type, or by interface. On the Custom Devices and Groups page you can

  • create custom device groups
  • predefine a device, assigning its device type and adding it to custom device groups

 

Device offline timeout is adjustable (269104)

A device is considered offline if it has not sent any packets during the timeout period. Prior to FortiOS 5.4, the timeout value was fixed at 90 seconds. Now the timeout can be set to any value from 30 to 31 536 000 seconds (365 days). The default value is 300 seconds (5 minutes). The timer is in the CLI:

config system global
    set device-idle-timeout 300
end

 

Improved detection of FortiOS-VM devices (272929)

A FortiGate-VM device is an instance of FortiOS running on a virtual machine (VM). The host computer does not have the Fortinet MAC addresses usually used to detect FortiGate units. Device detection now has two additional ways to detect FortiGate-VMs:

  • the FortiGate vendor ID in FortiOS IKE messages
  • the FortiGate device ID in FortiGuard web filter and spamfilter requests

 

Custom avatars for custom devices (299795)

You can upload an avatar for a custom device. The avatar is then displayed in the GUI wherever the device is listed, such as FortiView, the log viewer, or policy configuration. To upload an avatar image, click Upload Image on the New Device or Edit Device page of User & Device > Custom Devices & Groups. The image can be in any format your browser supports and is automatically resized to 36 x 36 pixels for use in the FortiGate GUI.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Troubleshooting and logging

This section explains how to troubleshoot logging configuration issues, as well as connection issues, that you may have with your FortiGate unit and a log device. This section also contains information about how to use log messages when troubleshooting issues that are about other FortiGate features, such as VPN tunnel errors.

 

Using log messages to help in troubleshooting issues

Log messages can help when troubleshooting issues that occur, since they can provide details about what is occurring. The uses and methods for involving logging in troubleshooting vary depending on the problem. The following are examples of how log messages can assist when troubleshooting networking issues.

 

Using IPS packet logging in diagnostics

This type of logging should only be enabled when you need to know about specific diagnostic information, for example, when you suspect a signature is triggered by a false positive. These log messages can help troubleshoot individual problems with misidentified or missing packets and network intrusions involving malicious packets.

 

To configure IPS packet logging

1. Go to Security Profiles > Intrusion Protection.

2. Select the IPS sensor that you want to enable IPS packet logging on, and then select Edit.

3. In the filter options, enable Packet Logging.

4. Select OK.

If you want to configure the packet quota, or the number of packets recorded before an alert and after an attack, use the following procedure.

 

To configure additional settings for IPS packet logging

1. Log in to the CLI.

2. Enter the following to start configuring additional settings:

config ips settings
    set ips-packet-quota <integer>
    set packet-log-history <integer>
    set packet-log-post-attack <integer>
end

 

Using HA log messages to determine system status

When the FortiGate unit is in HA mode, you may see the following log message content within the event log:

type=event subtype=ha level=critical msg="HA slave heartbeat interface internal lost neighbor information"

OR type=event subtype=ha level=critical msg="Virtual cluster 1 of group 0 detected new joined HA member"

OR type=event subtype=ha level=critical msg="HA master heartbeat interface internal get peer information"

Seen close together in time, these messages show that the cluster members lost contact over a heartbeat interface (the first message names the interface, here internal) and then re-discovered each other (the second and third). They tell you when contact was lost, on which heartbeat interface, and whether the peer rejoined, which is the information you need to start troubleshooting the heartbeat link or the unit that dropped out.
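As an added example (not part of the FortiOS documentation), the following Python script parses event log lines in the key=value format shown above and pairs each "lost neighbor information" message with the next "get peer information" message on the same heartbeat interface, so that a short heartbeat flap can be told apart from a heartbeat that never came back. The log lines it runs on are constructed for this example; the date, time, type, subtype and msg field names are the standard FortiOS ones, and the 60-second grace period before an open outage is reported is an assumption.

```python
import re
from datetime import datetime, timedelta

# FortiOS log lines are space-separated key=value pairs; values containing
# spaces are double-quoted (the msg field in the messages above, for example).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Return the key=value fields of one FortiOS log line as a dict."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


# The two heartbeat messages quoted above: one opens an outage on a
# heartbeat interface, the other closes it.
_HEARTBEAT = re.compile(
    r"HA (?:master|slave) heartbeat interface (?P<iface>\S+) "
    r"(?P<state>lost neighbor information|get peer information)")


def ha_heartbeat_incidents(lines):
    """Pair each 'lost neighbor' with the next 'get peer' message per interface.

    Returns one dict per incident: {"iface", "lost", "recovered"}, where
    "recovered" is None when no peer-found message followed. Non-HA lines
    and HA lines without a heartbeat message (e.g. 'new joined HA member')
    are ignored.
    """
    open_outages = {}   # iface -> datetime when neighbor information was lost
    incidents = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("type") != "event" or f.get("subtype") != "ha":
            continue
        m = _HEARTBEAT.search(f.get("msg", ""))
        if not m:
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        iface = m.group("iface")
        if m.group("state").startswith("lost"):
            open_outages.setdefault(iface, ts)   # keep the first loss time
        elif iface in open_outages:
            incidents.append({"iface": iface,
                              "lost": open_outages.pop(iface),
                              "recovered": ts})
    for iface, lost in open_outages.items():
        incidents.append({"iface": iface, "lost": lost, "recovered": None})
    return sorted(incidents, key=lambda i: i["lost"])


def unrecovered(incidents, now, grace=timedelta(seconds=60)):
    """Incidents still open more than `grace` after they began: alert on these."""
    return [i for i in incidents
            if i["recovered"] is None and now - i["lost"] > grace]


# Constructed sample event log (not captured from a real unit).
SAMPLE_LOG = """\
date=2016-03-10 time=09:14:02 type=event subtype=ha level=critical vd=root msg="HA slave heartbeat interface internal lost neighbor information"
date=2016-03-10 time=09:14:31 type=event subtype=ha level=critical vd=root msg="Virtual cluster 1 of group 0 detected new joined HA member"
date=2016-03-10 time=09:14:31 type=event subtype=ha level=critical vd=root msg="HA master heartbeat interface internal get peer information"
date=2016-03-10 time=11:02:17 type=event subtype=ha level=critical vd=root msg="HA slave heartbeat interface port3 lost neighbor information"
date=2016-03-10 time=11:02:20 type=traffic subtype=forward level=notice vd=root srcip=10.0.0.5 dstip=198.51.100.7 action=accept
"""


def analyze_sample():
    """Run the detection over the sample log at a fixed 'now' of 11:05:00."""
    incidents = ha_heartbeat_incidents(SAMPLE_LOG.splitlines())
    now = datetime(2016, 3, 10, 11, 5, 0)
    return incidents, unrecovered(incidents, now)


if __name__ == "__main__":
    incidents, still_down = analyze_sample()
    for i in incidents:
        print(i)
    print("still down:", [i["iface"] for i in still_down])
```

On the sample, the outage on internal is reported as a 29-second flap and the one on port3 as still open, which is the case worth paging on; feeding real lines from the event log (or a syslog archive) in place of SAMPLE_LOG needs no other change.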

 

Connection issues between FortiGate unit and logging devices

If external logging devices are not recording the log information properly or at all, the problem will likely be due to one of two situations: no data is being received because the log device cannot be reached, or no data is being sent because the FortiGate unit is no longer logging properly.

 

Unable to connect to a supported log device

After configuring logging to a supported log device, and testing the connection, you may find you cannot connect. To determine whether this is the problem:

1. Verify that the information you entered is correct; it could be a simple mistake within the IP address or you may have not selected Apply on the Log Settings page after changing them, which would prevent them from taking effect.

2. Use execute ping <log_device_ip> in the CLI to check that the FortiGate unit can reach the log device.

3. If the ping fails, check that the log device itself is running, that it is on the network, and that it has the address you configured. If the ping succeeds but logs still do not arrive, check that the device is listening on the port you configured (514 by default) and that no intermediate firewall blocks that port.

 

FortiGate unit has stopped logging

If the FortiGate unit stopped logging to a device, test the connection between both the FortiGate unit and device using the execute ping command. The log device may have been turned off, is upgrading to a new firmware version, or just not working properly.

The FortiGate unit may also have a corrupted log database. When you log into the web-based manager and you see an SQL database error message, it is because the SQL database has become corrupted. View “SQL database errors” in the next section before taking any further actions, to avoid losing your current logs.

 

Log database issues

If attempting to troubleshoot issues with the SQL log database, use the following to help guide you to solving issues that occur.

 

SQL statement syntax errors

There may be errors or inconsistencies in the SQL used to maintain the database. Here are some example error messages and possible causes:

You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax error at or near... (local/PostgreSQL)

  • Verify that the SQL keywords are spelled correctly, and that the query is well-formed.
  • Table and column names are delimited by grave accent (`) characters. Single (') quotation marks delimit string literals, not names, and in MySQL double (") quotation marks do too unless ANSI_QUOTES is set. Quoting a name the wrong way causes a syntax error where a name is required, or silently selects a constant string where an expression is allowed.

No data is returned.

  • The query is correctly formed, but no data has been logged for the log type. Verify that you have configured the FortiGate unit to save that log type. On the Log Settings page, make sure that the log type is checked.

 

Connection problems

If well-formed SQL queries do not produce results, and logging is turned on for the log type, there may be a database configuration problem with the remote database.

 

Ensure that:

  • MySQL is running and listening on the default port 3306.
  • You have created an empty database and a user who has read/write permissions for the database.

Here is an example of creating a new MySQL database named fazlogs and adding a user for it:

1. # mysql -u root -p

2. mysql> CREATE DATABASE fazlogs;

3. mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'%' IDENTIFIED BY 'fazpassword';

4. mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'localhost' IDENTIFIED BY 'fazpassword';

The host part '%' is MySQL's any-host wildcard ('*' is not a wildcard and would create an account that no client can match). In production, replace it with the address of the FortiGate unit that sends the logs so that the account cannot be used from anywhere else, and use a real password instead of the one in the example. On MySQL 8.0 and later, GRANT no longer accepts IDENTIFIED BY: create the account first with CREATE USER 'fazlogger'@'<fortigate_ip>' IDENTIFIED BY '...'; and then run the GRANT.

 

SQL database errors

If the database seems inaccessible, you may encounter the following error message after upgrading or downgrading the FortiGate unit's firmware image.

 

Example of an SQL database error message

The error message indicates that the SQL database is corrupted and cannot be updated with the SQL schemas any more. When you see this error message, you can do one of the following:

  • select Cancel and back up all log files; then select Rebuild to blank and rebuild the database.
  • select Rebuild immediately, which will blank the database and previous logs will be lost.

 

Until the database is rebuilt, no information will be logged by the FortiGate unit regardless of the log settings that are configured on the unit. When you select Rebuild, all logs are lost because the SQL database is erased and then rebuilt again. Logging resumes automatically according to your settings after the SQL database is rebuilt.

To view the status of the database, use the diagnose debug sqldb-error status command in the CLI. This command will inform you whether the database has errors present.

If you want to view the database’s errors, use the diagnose debug sqldb-error read command in the CLI. This command indicates exactly what errors occurred, and what tables contain those errors.

Log files are backed up using the execute backup {disk | memory } {alllogs | logs} command in the CLI. You must use the text variable when backing up log files because the text variable allows you to view the log files outside the FortiGate unit. When you back up log files, you are really just copying the log files from the database to a specified location, such as a TFTP server.

 

Logging daemon (Miglogd)

The number of logging daemon child processes has been made available for editing. A higher number can affect performance, and a lower number can affect log processing time, although no logs will be dropped or lost if the number is decreased.

If you are suffering from performance issues, you can alter the number of logging daemon child processes, from 0 to 15, using the following syntax. The default is 8.

config system global

set miglogd-children <integer>

end



Advanced logging

This section explains how to configure other log features within your existing log configuration. You may want to include other log features after initially configuring the log topology because the network has either outgrown the initial configuration, or you want to add additional features that will help your network’s logging requirements.

 

The following topics are included in this section:

  • Configuring logging to multiple Syslog servers
  • Using Automatic Discovery to connect to a FortiAnalyzer unit
  • Activating a FortiCloud account for logging purposes
  • Viewing log storage space
  • Customizing and filtering log messages
  • Viewing logs from the CLI
  • Configuring NAC quarantine logging
  • Logging local-in policies
  • Tracking specific search phrases in reports
  • Reverting modified report settings to default settings

 

Configuring logging to multiple Syslog servers

When configuring one or more Syslog servers, you can also enable reliable delivery of log messages to each server (set reliable enable), which sends the messages over TCP instead of UDP so that they are not silently dropped when the network or the server is busy. Reliable delivery can be configured only in the CLI.

If VDOMs are enabled, you can configure multiple FortiAnalyzer units or Syslog servers for each VDOM.

 

To enable logging to multiple Syslog servers

1. Log in to the CLI.

2. Enter the following commands:

config log syslogd setting
    set csv {disable | enable}
    set facility <facility_name>
    set port <port_integer>
    set reliable {disable | enable}
    set server <ip_address>
    set status {disable | enable}
end

3. Enter the following commands to configure the second Syslog server:

config log syslogd2 setting
    set csv {disable | enable}
    set facility <facility_name>
    set port <port_integer>
    set reliable {disable | enable}
    set server <ip_address>
    set status {disable | enable}
end

4. Enter the following commands to configure the third Syslog server:

config log syslogd3 setting
    set csv {disable | enable}
    set facility <facility_name>
    set port <port_integer>
    set reliable {disable | enable}
    set server <ip_address>
    set status {disable | enable}
end

Most FortiGate features are, by default, enabled for logging. You can disable individual FortiGate features you do not want the Syslog server to record, as in this example:

config log syslogd filter

set traffic {enable | disable}

set web {enable | disable}

set url-filter {enable | disable}

end

 

Using Automatic Discovery to connect to a FortiAnalyzer unit

Automatic Discovery can be used if the FortiAnalyzer unit is on the same network.

 

To connect using automatic discovery

1. Log in to the CLI.

2. Enter the following command syntax:

config log fortianalyzer setting
    set status enable
    set server <ip_address>
    set gui-display enable
    set address-mode auto-discovery
end

If your FortiGate unit is in Transparent mode, the interface using the automatic discovery feature will not carry traffic. For more information about how to enable the interface to also carry traffic when using the automatic discovery feature, see the Fortinet Knowledge Base article, Fortinet Discovery Protocol in Transparent mode.

The FortiGate unit searches within the same subnet for a response from any available FortiAnalyzer units.

 

 

Activating a FortiCloud account for logging purposes

When you subscribe to FortiCloud, you can configure the FortiGate unit to send logs to the FortiCloud server. The account activation can be done within the web-based manager, from the License Information widget located in System > Dashboard.

From this widget, you can easily create a new account, or log in to the existing account. From within the License Information widget, after the account is activated, you can go directly to the FortiCloud web portal, or log out of the service if you are already logged in.

 

 

To activate a FortiCloud account for logging purposes:

The following assumes that you are already at System > Dashboard and that you have located the License Information widget.

1. In the License Information widget, select Activate in the FortiCloud section.

The Registration window appears. From this window, you create the login credentials that you will use to access the account.

2. Select Create Account and enter the information for the login credentials.

After entering the login credentials, you are automatically logged in to your FortiCloud account.

3. Check that the account has been activated by viewing the account status in the License Information widget. If you need more space, you can subscribe to the 200 GB FortiCloud service by selecting Upgrade in the FortiCloud section of the widget.

 

Viewing log storage space

The diag sys logdisk usage command shows in detail how much space is currently used for logs. This is useful when the GUI reports a high percentage, such as 92 percent, for the disk's capacity: the FortiGate unit reserves 25 percent of the disk and uses only the remaining 75 percent for logging, so the reported percentage refers to that 75-percent share. For example, 92 percent means that 92 percent of the space available for logging is in use.

The following is an example of what you may see when you use the diag sys logdisk usage command on a unit with no VDOMs configured:

diag sys logdisk usage

The following appears:

Total HD usage: 176MB/3011 MB
Total HD logging space: 22583MB
Total HD logging space for each vdom: 22583MB
HD logging space usage for vdom "root": 30MB/22583MB

 

 

Customizing and filtering log messages

When viewing log messages, you may want to customize and filter the information that you are seeing in the Log & Report menu (for example, Log & Report > Traffic Log > Forward Traffic). Filtering and customizing the display provides a way to view specific log information without scrolling through pages of log messages to find the information.

Customizing log messages is the process of removing or adding columns on the log display page so that you see only the information you need. Most columns correspond to fields of the log message (for example, the user column shows the user field), sometimes with additional information. To reset the customized columns to their defaults, select Reset All Columns in the right-click menu of a column title.

Filtering information is similar to customizing, however, filtering allows you to enter specific information that indicates what should appear on the page. For example, including only log messages that appeared on February 24, between the hours of 8:00 and 8:30 am.

 

To customize and filter log messages

The following is an example that displays all traffic log messages that originate from the source IP address 172.20.120.24, as well as displaying only the columns:

  • OS Name
  • OS Version
  • Policy ID
  • Src (Source IP)

The following assumes that you are already on the page of the log messages you want to customize and filter. In this example, the log messages that we are customizing and filtering are in Log & Report > Traffic Log > Forward Traffic.

1. On the Forward Traffic page, right-click a column title and mouse over Column Settings to open the list.

2. Select each checkmarked title to uncheck it and remove it from the displayed columns.

3. Scroll down to the list of unchecked fields and select 'OS Name', 'OS Version', 'Policy ID', and 'Src' to add checkmarks next to them.

4. Click outside the menu, and wait for the page to refresh with the new settings in place.

5. Select the funnel icon next to the word Src in the title bar of the Src column.

6. Enter the IP address you want displayed (in this example, 172.20.120.24) in the text box.

7. Click Apply, and wait for the page to reload.

 

Viewing logs from the CLI

You can easily view log messages from within the CLI. In this example, we are viewing DLP log messages.

1. Log in to the CLI and then enter the following to configure the display of the DLP log messages.

execute log filter category 9
execute log filter start-line 1
execute log filter view-lines 20

The customized display of log messages in the CLI is similar to how you customize the display of log messages in the web-based manager. For example, category 9 is the DLP log messages, and the start-line is the first line in the log database table for DLP log messages, and there will be 20 lines (view-lines 20) that will display.

2. Enter the following to view the log messages:

execute log display

The following appears below execute log display:

600 logs found

20 logs returned

along with the 20 DLP log messages.

 

Configuring NAC quarantine logging

NAC quarantine log messages provide information about what was banned and quarantined by an antivirus profile. The following explains how to configure NAC quarantine logging and enable it on a policy. This procedure assumes the antivirus profile is already in place.

 

To configure NAC quarantine logging

1. Go to Policy & Objects > Policy > IPv4.

2. Select the policy that you want to apply the Antivirus profile to, and then select Edit.

3. Within the Security Profiles section, enable Antivirus and then select the profile from the drop-down list.

4. Select OK.

5. Log in to the CLI.

6. Enter the following to enable NAC quarantine logging in the antivirus profile:

config antivirus profile
    edit <profile_name>
        config nac-quar
            set log enable
        end
    next
end

 

Logging local-in policies

Local-in security policies control traffic destined for the FortiGate unit itself (administrative access, VPN, routing protocol, FortiGuard and similar traffic), and can be used to broaden or restrict an administrator's access privileges. These local-in policies can also be configured to log the traffic and activity that they control.

To make local-in policies editable in the web-based manager, enable the page in the CLI:

config system global
    set gui-local-in-policy enable
end

The Local-In Policy page is then available in Policy & Objects > Policy > Local In. You configure which local-in traffic to log in the CLI, or in Log & Report > Log Config > Log Settings, under Local Traffic Logging.

When deciding what local-in policy traffic you want logged, consider the following:

 

Special Traffic

Traffic activity                     Traffic Direction   Description

FortiGuard update announcements      IN                  All push announcements of updates coming from the FortiGuard system, for example IPS or AV updates.

FortiGuard update requests           OUT                 All requests that check for antivirus, IPS and other FortiGuard service updates.

Firewall authentication              IN                  The authentication made using either the web-based manager or CLI.

Central management (FortiManager)    IN                  The access that a FortiManager unit has when managing the FortiGate unit.

DNS                                  IN                  All DNS traffic.

DHCP/DHCP Relay                      IN                  All DHCP and/or DHCP Relay traffic.

HA (heartbeat sync policy)           IN/OUT              For high-end platforms with a backplane heartbeat port.

HA (session sync policy)             IN/OUT              Information is read from the CMDB and updated by the session sync daemon.

CAPWAP                               IN                  Logged only when HAVE_CAPWAP is defined.

RADIUS                               IN                  Recorded only on FortiCarrier.

NETBIOS forward                      IN                  Any interface that NETBIOS forward is enabled on.

RIP                                  IN

OSPF                                 IN

VRRP                                 IN

BFD                                  IN

IGMP                                 IN                  Recorded only when PIM is enabled.

PIM                                  IN                  Recorded only when PIM is enabled.

BGP                                  IN                  Recorded only when BGP and at least one BGP neighbor are configured in the CLI (config router bgp).

WCCP policy                          IN                  Any interface that WCCP is enabled on; not recorded in cache mode, because it is not available there.

WAN Opt/Web Cache                    IN                  Any interface where WAN Opt is enabled.

WANOpt Tunnel                        IN                  Recorded when HAVE_WANOPT is defined.

SSLVPN                               IN                  Any interface from a zone where the action in the policy is SSL VPN.

IPsec                                IN

L2TP                                 IN

PPTP                                 IN

VPD                                  IN                  Recorded only when FortiClient is enabled.

Web cache db test facility           IN                  Recorded only when WA_CS_REMOTE_TEST is defined.

GDBserver                            IN                  Recorded only when debug is enabled.

 

Tracking specific search phrases in reports

It is possible to use the Web Filter to track specific search keywords and phrases and record the results for display in the report.

You should verify that the web filter profile you are using indicates what search phrases you want to track and monitor, so that the report includes this information.

1. Log in to the CLI and enter show webfilter profile default.

This shows the web filter profile used by the security policy. In this example, the config web section shows that safe search is enabled (set safe-search url), but no search keywords are defined and search logging is not enabled.

show webfilter profile default
config webfilter profile
    edit "default"
        set comment "default web filtering"
        set inspection-mode flow-based
        set options https-scan
        set post-action comfort
        config web
            set safe-search url
        end
        config ftgd-wf
            config filters
                edit 1
                    set action block
                    set category 2
                next
                edit 2
                    set action block
                    set category 7
                next
                edit 3
                    set action block
                    set category 8

2. Enter the following so that the profile logs search phrases and matches the keywords you want to track:

config webfilter profile
    edit default
        config web
            set log-search enable
            set keyword-match "fortinet" "easter" "easter bunny"
        end
    next
end

3. To test that the keyword search is working, go to a web browser and begin searching for the words that were included in the webfilter profile, such as easter.

You can tell that the test works by going to Log & Report > Traffic Log > Forward Traffic and viewing the log messages.

 

Reverting modified report settings to default settings

If you need to go back to the original default report settings, you can easily revert to those settings in the Report menu. Reverting to default settings means that your previously modified report settings will be lost.

To revert back to default report settings, in Log & Report > Report > Local, select Customize, and then Restore Defaults from the top navigation. This may take a minute or two. You can also use the CLI command execute report-config reset to reset the report to defaults.

If you are having problems with report content being outdated or incorrect, especially after a firmware update, you can recreate the report database using your current log information with the CLI command execute report recreate-db.



Logging and reporting for large networks

This section explains how to configure the FortiGate unit for logging and reporting in a larger network, such as an enterprise network. To set up this type of network, you are modifying the default log settings, and you are also modifying the default report.

The following procedures are examples and can be used to help you when configuring your own network’s log topology.

Since some of these settings must be modified, enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for additional information about the commands used here, as well as any others you need for your own network's log topology.

 

Modifying default log device settings

The default log device settings must be modified so that system performance is not compromised. By default, the FortiGate unit has logging of all FortiGate features enabled, as well as logging to either the FortiGate unit's system memory or its hard disk, depending on the model.

 

Modifying multiple FortiGate units’ system memory default settings

When the FortiGate unit’s default log device is its system memory, you can modify it to fit your log network topology. In this topic, the following is an example of how you can modify these default settings.

 

To modify the default system memory settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log memory setting
    set ips-archive disable
    set status enable
end

3. Enter the following command syntax to modify the FortiGate features that are enabled for logging:

config log memory filter
    set attack enable
    set forward-traffic enable
    set local-traffic enable
    set netscan enable
    set email-log-imap enable
    set multicast-traffic enable
    set scanerror enable
    set app-ctrl enable
end

4. Repeat steps 2 and 3 for the other FortiGate units.

5. Test the modified settings using the procedure below.

 

Modifying multiple FortiGate units’ hard disk default log settings

You will have to modify each FortiGate unit’s hard disk default log settings. The following is an example of how to modify these default settings.

 

To modify the default hard disk settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log disk setting
    set ips-archive disable
    set status enable
    set max-log-file-size 1000
    set storage Internal
    set log-quota 100
    set report-quota 100
end

3. In the CLI, enter the following to adjust which traffic log types are recorded on the disk, in this example to stop logging sniffer traffic while keeping local traffic logged:

config log disk filter
    set sniffer-traffic disable
    set local-traffic enable
end

4. Repeat steps 2 and 3 for the other FortiGate units.

5. Test the modified settings using the procedure below.

5. Test the modified settings using the procedure below.

 

Testing the modified log settings

After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.

 

To test sending logs to the log device

1. In the CLI, enter the following command syntax:

diag log test

When you enter the command, the following appears:

generating a system event message with level - warning
generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an IPS log message
generating an anomaly log message
generating an application control IM message with level - information
generating an IPv6 application control IM message with level - information
generating deep application control logs with level - information
generating an antispam message with level - notification
generating an allowed traffic message with level - notice
generating a multicast traffic message with level - notice
generating a ipv6 traffic message with level - notice
generating a wanopt traffic log message with level - notification
generating a HA event message with level - warning
generating netscan log messages with level - notice
generating a VOIP event message with level - information
generating a DNS event message with level - information
generating authentication event messages
generating a Forticlient message with level - information
generating a NAC QUARANTINE message with level - notification
generating a URL block message with level - warning

2. In the web-based manager, go to Log & Report > Event Log > User, and view the logs to see some of the recently generated test log messages.

You can tell the test log messages from real log messages because they do not contain "real" information; for example, the test log messages for the vulnerability scan contain the destination IP address 1.1.1.1 or 2.2.2.2.

 

Configuring the backup solution

Even though you are logging to multiple FortiAnalyzer units, this is more of a redundancy solution rather than a complete backup solution in this example.

The multiple FortiAnalyzer units act similar to a HA cluster, since if one FortiAnalyzer unit fails, the others continue storing the logs they receive. In a backup solution, the logs are backed up to another secure location if something happens to the log device.

A good alternate or redundant option is the FortiCloud service, which can provide secure online logging and management for multiple devices.

 

Configuring logging to multiple FortiAnalyzer units

The following example shows how to configure logging to multiple FortiAnalyzer units. Configuring multiple FortiAnalyzer units is quick and easy; however, you can only configure up to three FortiAnalyzer units per FortiGate unit.

 

To configure multiple FortiAnalyzer units

1. In the CLI, enter the following command syntax to configure the first FortiAnalyzer unit:

config log fortianalyzer setting
    set status enable
    set server 172.20.120.22
    set max-buffer-size 1000
    set buffer-max-send 2000
    set address-mode static
    set conn-timeout 100
    set monitor-keepalive-period 120
    set monitor-failure-retry-period 2000
end

2. Disable the features that you do not want logged, using the following example command syntax. See the CLI Reference for the full list of filter options.

config log fortianalyzer filter
    set traffic {enable | disable}
    ...
end

3. Enter the following commands for the second FortiAnalyzer unit:

config log fortianalyzer2 setting
    set status enable
    set server 172.20.120.23
    set max-buffer-size 1000
    set buffer-max-send 2000
    set address-mode static
    set conn-timeout 100
    set monitor-keepalive-period 120
    set monitor-failure-retry-period 2000
end

4. Disable the features that you do not want logged to the second unit. Each FortiAnalyzer entry has its own filter table, so use the matching one:

config log fortianalyzer2 filter
    set web {enable | disable}
    ...
end

5. Enter the following commands for the last FortiAnalyzer unit, using that unit's own address:

config log fortianalyzer3 setting
    set status enable
    set server <ip_address_of_third_unit>
    set max-buffer-size 1000
    set buffer-max-send 2000
    set address-mode static
    set conn-timeout 100
    set monitor-keepalive-period 120
    set monitor-failure-retry-period 2000
end

6. Disable the features that you do not want logged to the third unit:

config log fortianalyzer3 filter
    set web-filter {enable | disable}
    ...
end

7. Test the configuration by using the procedure, “Testing the modified log settings”.

8. On the other FortiGate units, configure steps 1 through 6, ensuring that logs are being sent to the FortiAnalyzer units.

 

Configuring logging to the FortiCloud server

The FortiCloud server can be used as a redundant backup, or as your primary logging solution. The following assumes that this service has already been registered, and that a subscription has been purchased for expanded space. The following is an example of how these settings are configured for a network's log configuration. You need access to both the CLI and the web-based manager when configuring the uploading of logs. The upload time and interval settings can be configured in the web-based manager.

 

To configure logging to the FortiCloud server

1. Go to System > Dashboard > Status and click Login next to FortiCloud in the License Information widget.

2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)

3. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.

4. To configure the upload time and interval, go to Log & Report > Log Config > Log Settings.

5. Under the Logging and Archiving header, you can select your desired upload time.

With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.

 

Modifying the default FortiOS report

The default FortiOS report is provided to help you quickly and easily configure and generate a report. Below is a sample configuration with multiple examples of significant customizations that you can make to tailor reports for larger networks.

 

Creating datasets

You need to create a new dataset for gathering information about HA, admin activity and configuration changes.

Creating datasets requires SQL knowledge.

 

To create the datasets

1. Log in to the CLI.

2. Enter the following command syntax (the SQL selects the subtype column together with the count, and the 23-hour lower bound on the timestamp is the only condition in the where clause):

config report dataset
    edit ha
        set query "select subtype_ha, count(*) as totalnum from event_log where timestamp >= F_TIMESTAMP('now', 'hour', '-23') group by subtype_ha order by totalnum desc"
    next

3. Create a dataset for the admin activity that includes logins and logouts from the three FortiGate administrators. The dataset names admin and config used here are example names; the chart in the next procedure references the ha dataset by name, so choose names you will recognise when building charts:

    edit admin
        set query "select subtype_admin, count(*) as totalnum from event_log where timestamp >= F_TIMESTAMP('now', 'hour', '-23') group by subtype_admin order by totalnum desc"
    next

4. Create a dataset for the configuration changes that the administrators made during the past 24 hours:

    edit config
        set query "select subtype_config, count(*) as totalnum from event_log where timestamp >= F_TIMESTAMP('now', 'hour', '-23') group by subtype_config order by totalnum desc"
    next
end
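To see what the three dataset queries above actually compute, the following added example (written for this page, not Fortinet's code) runs the same select/count/group-by logic against a constructed event_log table in SQLite. It assumes the column names the page uses (subtype_ha, subtype_admin, subtype_config), stands in for the FortiOS-specific F_TIMESTAMP('now', 'hour', '-23') with a Python-computed epoch bound, pins "now" to a fixed time so the result is reproducible, and adds an `is not null` filter only because the constructed table holds all three event families at once. The sample rows are constructed, not from a device.

```python
"""Added example: the report dataset queries from the procedure above, run on
a constructed event_log table in SQLite. Not part of the FortiOS documentation."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed reference time so results are reproducible (assumed, not from the page).
NOW = datetime(2016, 1, 1, 12, 0, tzinfo=timezone.utc)

# Dataset name -> column it groups on, matching the page's three queries.
DATASETS = {"ha": "subtype_ha", "admin": "subtype_admin", "config": "subtype_config"}


def f_timestamp(now, unit, offset):
    """Stand-in for FortiOS F_TIMESTAMP('now', 'hour', '-23'): epoch seconds at
    `now` shifted by `offset` units. Only the 'hour' unit is emulated here."""
    if unit != "hour":
        raise ValueError("only 'hour' is emulated in this example")
    return int((now + timedelta(hours=offset)).timestamp())


def build_sample_db(now):
    """Constructed event_log with one column per event family (mirroring the
    column names in the page's queries); rows outside a family hold NULL."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table event_log ("
        " timestamp integer not null, subtype_ha text,"
        " subtype_admin text, subtype_config text)"
    )

    def at(hours_ago):
        return int((now - timedelta(hours=hours_ago)).timestamp())

    rows = [
        # HA events: two joins and one sync inside the window, one join outside it
        (at(1), "ha-member-join", None, None),
        (at(2), "ha-member-join", None, None),
        (at(23), "ha-sync", None, None),         # exactly 23 h ago: still counted (>=)
        (at(30), "ha-member-join", None, None),  # older than the window: ignored
        # admin activity: three logins and one logout in the window, one stale logout
        (at(3), None, "login", None),
        (at(4), None, "login", None),
        (at(5), None, "logout", None),
        (at(6), None, "login", None),
        (at(26), None, "logout", None),
        # configuration changes: three changes and one restore, one stale change
        (at(7), None, None, "config-change"),
        (at(8), None, None, "config-change"),
        (at(9), None, None, "config-change"),
        (at(10), None, None, "config-restore"),
        (at(25), None, None, "config-change"),
    ]
    conn.executemany("insert into event_log values (?, ?, ?, ?)", rows)
    return conn


def run_dataset(conn, name, now):
    """Run one of the page's dataset queries and return [(subtype, totalnum), ...].
    The column name comes from the fixed DATASETS table, never from user input,
    so interpolating it is safe; the time bound is passed as a bound parameter."""
    column = DATASETS[name]
    since = f_timestamp(now, "hour", -23)
    sql = (
        f"select {column}, count(*) as totalnum from event_log "
        f"where timestamp >= ? and {column} is not null "
        f"group by {column} order by totalnum desc"
    )
    return conn.execute(sql, (since,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db(NOW)
    for dataset in DATASETS:
        print(dataset, run_dataset(db, dataset, NOW))
```

The boundary row at exactly 23 hours shows why the page's `>=` comparison matters: an event timestamped on the bound is still counted, while anything older drops out of the report.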

 

Creating charts for the datasets

1. Log in to the CLI.

2. Enter the following to create a new chart:

config report chart
    edit ha.24h
        set type table
        set period last24h
        set dataset ha
        set category event
        set favorite no
        set style auto
        set title "24 Hour HA Admin Activity"
end

 

Uploading the corporate images

You need to upload the corporate images so that they appear on the report’s pages, as well as on the cover page. Uploading images is only available in the web-based manager.

 

To upload corporate images

1. Go to Log & Report > Report > Local.

2. Select the Image icon and drag it to a place on the page.

3. The Graphic Chooser window appears.

4. Select Upload and then locate the image that you want to upload and upload the image.

The images are automatically uploaded and saved.

5. Repeat step 4 until the other corporate images are uploaded.

6. Select Cancel to close the Graphic Chooser window and return to the page.

The images can then be placed as you like by reopening the Graphic Chooser as in step 2.

 

Adding a new report cover and page

You need to add a new cover for the report, as well as a new page that will display the HA activity, admin activity and configuration changes.

 

To add and customize a new report cover

1. Go to Log & Report > Report > Local.

2. Select Customize.

3. In Sections, select the current default report section, and enter Report Cover in the field that appears; then press Enter to save the change.

4. Remove all content from the Report Cover section, and select the image icon and drag it into the main portion of the cover page; select a cover page image and then select OK.

5. Select the font size you want, and drag the text icon into the area beneath the image to add a title or explanation for the cover page.

6. Select Save to save the new report cover.

 

To add and customize a new page

1. Go to Log & Report > Report > Local.

2. Select Customize.

3. Select Sections, and select Create New to add a new section to the report. Name it Report Content, press Enter, and then select OK to close the menu.

4. At the bottom of the editing window is the Section selection, where each Section is represented by a box. Select the second box.

5. Edit the content for the report as you like.

For a simpler report structure, make use of the ‘FortiGate UTM Security Analysis Report’ charts, which automatically format themselves and fill in all necessary information.

For more complex reports, add headings, default and custom charts, and explanatory text.

6. Select Save to save the new report content.

The report will automatically combine all sections. You can use headers and text to more clearly separate parts of the report, and all properly configured charts have titles built-in.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Logging and reporting for small networks

This section explains how to configure the FortiGate unit for logging and reporting in a small office or SOHO/SMB network. To properly configure this type of network, you will be modifying the default log settings, as well as the default FortiOS report.

The following procedures are examples and can be used to help you when configuring your own network’s log topology. Since some of these settings must be modified or enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any that you would need to use in your own network’s log topology.

 

Modifying default log device settings

The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled, except for traffic logging. The default logging location will be either the FortiGate unit’s system memory or hard disk, depending on the model. Units with a flash disk are not recommended for disk logging.

 

Modifying the FortiGate unit’s system memory default settings

When the FortiGate unit’s default log device is its system memory, the following settings are modified for a small network topology. The following is an example of how to modify these default settings.

 

To modify the default system memory settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log memory setting
    set ips-archive disable
    set status enable
end

3. The following example command syntax modifies which FortiGate features are enabled for logging:

config log memory filter
    set attack enable
    set forward-traffic enable
    set local-traffic enable
    set netscan enable
    set email-log-imap disable
    set multicast-traffic enable
    set scanerror enable
    set app-ctrl enable
end

 

Modifying the FortiGate unit’s hard disk default settings

When the FortiGate unit’s default log device is its hard disk, you need to modify those settings to your network’s logging needs so that you can effectively log what you want logged. The following is an example of how to modify these default settings.

 

To modify the default hard disk settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log disk setting
    set ips-archive disable
    set status enable
    set max-log-file-size 1000
    set storage FLASH
    set log-quota 100
    set report-quota 100
end

3. In the CLI, enter the following to disable certain event log messages that you do not want logged:

config log disk filter
    set sniffer-traffic disable
    set local-traffic enable
end

 

Testing sending logs to the log device

After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.

 

To test sending logs to the log device

1. In the CLI, enter the following command syntax:

diag log test

When you enter the command, the following appears:

generating a system event message with level – warning
generating an infected virus message with level – warning
generating a blocked virus message with level – warning
generating a URL block message with level – warning
generating a DLP message with level – warning
generating an IPS log message
generating an anomaly log message
generating an application control IM message with level – information
generating an IPv6 application control IM message with level – information
generating deep application control logs with level – information
generating an antispam message with level – notification
generating an allowed traffic message with level – notice
generating a multicast traffic message with level – notice
generating a ipv6 traffic message with level – notice
generating a wanopt traffic log message with level – notification
generating a HA event message with level – warning
generating netscan log messages with level – notice
generating a VOIP event message with level – information
generating a DNS event message with level – information
generating authentication event messages
generating a Forticlient message with level – information
generating a NAC QUARANTINE message with level – notification
generating a URL block message with level – warning

2. In the web-based interface, go to Log & Report > Event Log > User, and view the logs to see some of the recently generated test log messages.

You will be able to tell the test log messages from real log messages because they do not have “real” information; for example, the test log messages for the vulnerability scan contain the destination IP address of 1.1.1.1 or 2.2.2.2.
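When the test messages are checked on the log device rather than in the web-based manager, it helps to have a small parser for the FortiOS key=value log format that can set the synthetic messages apart from real ones. The following is an added example written for this page, not Fortinet code: it parses the key=value fields (including quoted values containing spaces), applies the one distinguishing mark the page gives (a destination IP of 1.1.1.1 or 2.2.2.2), and summarises the remaining real messages by subtype. The log lines, field names such as dstip and subtype, and the IP addresses are constructed sample input for the example.

```python
"""Added example: parse FortiOS-style key=value log lines and separate the
synthetic `diag log test` messages from real ones. Sample lines are constructed."""
import re
from collections import Counter

# key=value or key="quoted value with spaces"; quoted values may contain \" escapes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Placeholder destinations the page says the test log messages carry.
TEST_DST_IPS = {"1.1.1.1", "2.2.2.2"}

# Constructed sample lines (not captured from a device): two test messages
# aimed at the placeholder destinations, two real messages.
SAMPLE_LINES = [
    'date=2016-01-01 time=12:00:02 type=event subtype=netscan level=notice '
    'msg="generating netscan log messages" srcip=10.0.0.5 dstip=1.1.1.1',
    'date=2016-01-01 time=12:00:03 type=traffic subtype=forward level=notice '
    'srcip=10.0.0.5 dstip=2.2.2.2 action=accept msg="generating an allowed traffic message"',
    'date=2016-01-01 time=12:01:10 type=traffic subtype=forward level=notice '
    'srcip=10.0.0.7 dstip=192.0.2.10 dstport=443 action=accept msg="Traffic allowed"',
    'date=2016-01-01 time=12:02:00 type=event subtype=user level=notice '
    'user="jsmith" msg="User authentication succeeded"',
]


def parse_fortios_log(line):
    """Return the fields of one FortiOS log line as a dict, with quotes stripped."""
    record = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        record[key] = value
    return record


def is_test_message(record):
    """True when the line is one of the synthetic test messages described above."""
    return record.get("dstip") in TEST_DST_IPS


def split_test_and_real(lines):
    """Parse every line and return (test_records, real_records)."""
    test, real = [], []
    for line in lines:
        record = parse_fortios_log(line)
        (test if is_test_message(record) else real).append(record)
    return test, real


def summarize(records):
    """Count records by subtype, the same grouping the report datasets use."""
    return dict(Counter(r.get("subtype", "unknown") for r in records))


if __name__ == "__main__":
    test, real = split_test_and_real(SAMPLE_LINES)
    print("test messages:", len(test), "real messages:", len(real))
    print("real messages by subtype:", summarize(real))
```

The dstip check is deliberately the only criterion, because it is the only marker the page documents; real traffic to a public address is never matched, since 1.1.1.1 and 2.2.2.2 are compared as exact strings rather than by prefix.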

 

Configuring the backup solution

A backup solution provides a way to ensure logs are not lost. The following backup solution explains logging to a FortiCloud server and uploading logs to a FortiAnalyzer unit. With this backup solution, there can be three simultaneous storage locations for logs: the FortiGate unit itself, the FortiAnalyzer unit, and the FortiCloud server.

 

Configuring logging to a FortiCloud server

The FortiCloud server can be used as a redundant backup, or as your primary logging solution. The following assumes that this service has already been registered, and that a subscription has been purchased for expanded space. The following is an example of how these settings are configured for a network’s log configuration. You need access to both the CLI and the web-based manager when configuring the uploading of logs. The upload time and interval settings can be configured in the web-based interface.

 

To configure logging to the FortiCloud server

1. Go to System > Dashboard > Status and click Login next to FortiCloud in the License Information widget.

2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)

3. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.

4. To configure the upload time and interval, go to Log & Report > Log Config > Log Settings.

5. Under the Logging and Archiving header, you can select your desired upload time.

With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.

 

Configuring uploading logs to the FortiAnalyzer unit

The logs will be uploaded to the FortiAnalyzer unit at a scheduled time. The following is an example of how to upload logs to a FortiAnalyzer unit.

 

To upload logs to a FortiAnalyzer unit

1. Go to Log & Report > Log Config > Log Settings.

2. In the Logging and Archiving section, select the check box beside Send Logs to FortiAnalyzer/FortiManager.

3. Select FortiAnalyzer (Daily at 00:00).

4. Enter the FortiAnalyzer unit’s IP address in the IP Address field.

5. To configure the daily upload time, open the CLI.

6. Enter the following to configure when the upload occurs, and the time when the unit uploads the logs:

config log fortianalyzer setting
    set upload-interval {daily | weekly | monthly}
    set upload-time <hh:mm>
end

7. To change the upload time, in the web-based manager, select Change beside the upload time period, and then make the changes in the Upload Schedule window. Select OK.

 

Testing uploading logs to a FortiAnalyzer unit

You should test that the FortiGate unit can upload logs to the FortiAnalyzer unit, so that the settings are configured properly.

 

To test the FortiAnalyzer upload settings

1. Go to Log & Report > Log Config > Log Settings.

2. In the Logging and Archiving section, under Send Logs to FortiAnalyzer/FortiManager, change the time to the current time by selecting Change.

For example, the current time is 11:10 am, so Change now has the time 11:10.

3. Select OK.

The logs will be immediately sent to the FortiAnalyzer unit, and will be available to view from within the FortiAnalyzer’s interface.

 

 

Modifying the default FortiOS report

The default FortiOS report is provided to help you quickly and easily configure and generate a report. The following is an example of how to modify the default FortiOS report.

 

To modify the default FortiOS report

1. In the web-based manager, go to Log & Report > Report > Local.

2. Select Customize to open the Report Editor.

3. Change the default Fortinet image to the new image: select the Fortinet image and right-click so that the Delete icon appears, and then select Delete; drag the Image icon to the box where the Fortinet image was previously; choose or upload a new image and then select OK.

4. Return to Log & Report > Report > Local.

5. Under Report Options, set the Generate report schedule to Daily and set a Time for the report to be compiled every day.

6. Enable Email Generated Reports. You may have to configure an SMTP server to send the reports before this option can be enabled. The SMTP configuration can be found in System > Config > Messaging Servers.

7. Select Apply to save the changes.

8. Select Run Now to generate a new On Demand report based on your changes.

9. Select the report from the Historical Reports list to view it.

Running On Demand reports can be a good way to compare report modifications as you configure.



Best Practices: Log management

When the FortiGate unit records FortiGate activity, valuable information is collected that provides insight into how to better protect network traffic against attacks, including misuse and abuse. There is a lot to consider before enabling logging on a FortiGate unit, such as what FortiGate activities to enable and which log device is best suited for your network’s logging needs. A plan can help you in deciding the FortiGate activities to log, a log device, as well as a backup solution in the event the log device fails.

This plan should provide you with an outline, similar to the following:

  • what FortiGate activities you want and/or need logged (for example, security features)
  • the logging device best suited for your network structure
  • if you want or require archiving of log files
  • ensuring logs are not lost in the event a failure occurs.

After the plan is implemented, you need to manage the logs and be prepared to expand on your log setup when the current logging requirements are outgrown. Good log management practices help you with these tasks.

Log management practices help you to improve and manage logging requirements. Logging is an ever-expanding tool that can seem to be a daunting task to manage. The following management practices will help you when issues arise, or your logging setup needs to be expanded.

1. Revisit your plan on a yearly basis to verify that your logging needs are being met by your current log setup. For example, your company or organization may require archival logging, but not at the beginning of your network’s lifespan. Archival logs are stored on a FortiGate unit’s local hard drive, a FortiAnalyzer unit, or a FortiCloud server, in increasing order of size.

2. Configure an alert message that will notify you of activities that are important to be aware of. For example, if a branch office does not have a FortiGate administrator, you will need to know at all times that the IPsec VPN tunnel is still up and running. An alert email notification message can be configured to be sent only if IPsec tunnel errors occur.

3. If your organization or company uses peer-to-peer programs such as Skype or other instant messaging software, use the Applications FortiView dashboard, or the Executive Summary’s report widget (Top 10 Application Bandwidth Usage Per Hour Summary) to help you monitor the usage of these types of instant messaging software. These widgets can help you in determining how these applications are being used, including if there is any misuse and abuse. Their information is taken from application log messages; however, application log messages should be viewed as well since they contain the most detailed information.

4. Ensure that your backup solution is up-to-date. If you have recently expanded your log setup, you should also review your backup solution. The backup solution provides a way to ensure that all logs are not lost in the event that the log device fails or issues arise with the log device itself.

 

