how do I configure/view Fortigate logging

Asked by Dave Messman:
This question is really as easy as it sounds.  I have a Fortigate 50B that I use for a small network of about 30 users.  The router sits at the edge with a public IP address.  I forward a bunch of ports (25, 443, 1723, etc.) to a server that sits on the LAN.

I've been receiving some attacks on my server, and I'd like to look at the Fortigate logs to see where it's coming from.  But where are the logs?  I'm on 3.0 software MR5 patch 3.

If I go to log and report -> log access, it says "please configure your fortianalyzer."

I have no idea what to do from there.
[attachment: fortigate.jpg]
Couple of options here...

1. For active attacks, you can enable "Log Allowed Traffic" in the specific firewall rules allowing inbound connections to the mentioned servers and then take a look at the active connections from System>Status>Statistics>Details, filtering on the 'Policy ID'.

2. Another option is to configure email alerts for all required events under 'Log Config' in "Alert Email" and "Event Log".

3. In case there's a separate box, a 'FortiAnalyzer', it can be used to collect logs and provide more meaningful reports/alerts in a customized way.

4. Also, the licenses available can help avoid such attacks; these can be seen under System>Status>License Information.

HTH!
Dave Messman (Author, IT Consultant) commented:
Let's back up and get more simple.

Let's take my real world situation.  I was being attacked over port 25.  My Windows server wasn't able to tell me where the attack was coming from.  What I wanted to do was look at firewall logs to see traffic over port 25.

Without a FortiAnalyzer, how would I do that?
1. There would be a rule to allow port 25 from external to DMZ; we can enable logging in this rule and see all the active connections from System>Status>Statistics>Details, filtering on the 'Policy ID'.

2. We can also check in System > Status. In the Attack Log section, select Details for AV.

3. Attack log

The Attack Log records attacks detected and prevented by the FortiGate unit. The FortiGate unit logs the following:

Attack Signature: The FortiGate unit logs all detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit.

Attack Anomaly: The FortiGate unit logs all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit.

To enable the attack logs

   1. Go to Firewall > Protection Profile.
   2. Select edit for a protection profile.
   3. Select the blue arrow to expand the Logging options.
   4. Select Log Intrusions.

Please suggest if this helps.

Dave Messman (Author, IT Consultant) commented:
Question isn't abandoned.  Just been super busy - need to get in and test these options.
Dave Messman (Author, IT Consultant) commented:
I don't purchase updated attack definitions from Fortigate.  What I'm hoping to see is all connections whatsoever - whether they are attempted hacks or not.

So let's ignore the virus and attack aspects of the search as I can't count on them since I don't get updated definitions.  

Is there a way to just view all traffic that use a certain firewall rule?  

I use virtual IPs to do all port forwarding from the external/public IP to the LAN IP.

Here are screen shots of what I have tried so far.
[attachments: logconfig.jpg, logmemory.jpg]

Surely you can:

"1. For active attacks, you can enable "Log Allowed Traffic" in the specific firewall rules allowing inbound connection to the mentioned servers and then take a look on the action connections from System>Status>Statistics>Details and then by filtering out on the 'Policy ID'"

Please advise if this helps...

Commented:
1. To get traffic logs, you can check the 'log allowed traffic' option in the rules.
2. For other logs like webfilter, emailfilter, attacks, AV, etc., you will go into protection profiles and check the corresponding logging options.
3. You can also configure a syslog server to send the logs to as syslog events.
4. Use FortiAnalyzer, which is a separate box to analyse logs of the Fortigate firewall and other Fortinet products.
Dave Messman (Author, IT Consultant) commented:
satyasingh's advice for active attacks is very helpful.  I hadn't seen that before.  I will use that in the future.  You'll get some points when the question is closed.

I'm still having some trouble getting the logs to show.

I have a virtual IP created.  I have a firewall rule created for that virtual IP and I enabled logging on that firewall rule (see images).  What am I missing?

[attachment: virtual-IP.jpg]
Dave Messman (Author, IT Consultant) commented:
Thanks, did you try looking into System>Status>Statistics>Details and then filtering on the 'Policy ID' / Destination network IP address for all active sessions?


Dave Messman (Author, IT Consultant) commented:
yes, that's helpful - but any thoughts on how to configure the logging for more historical data?  

From the last image I posted, I'm on the memory tab and in the "event log" log type.  Should I be in the "event log" log type on the memory tab?  None of the other log types show any historical data.
There are two ways to do this...

1. (I'd suggest) - configure a syslog server and have the firewall throw all logs on to the syslog server for review.
Log&Report>Log Config>Log Setting>Syslog

2. Additionally, configure all logs to be sent to an email address.
This seems to do its job well, though the very purpose gets diluted after a while as 99% of error messages are not interesting and are false positives.
Log&Report>Log Config>Alert Email (Define "Send alert email for the following")

HTH!
Dave Messman (Author, IT Consultant) commented:
this is very helpful.  Can you provide a quick link to the means of creating a syslog server?  Is that a universal concept or proprietary to Fortigate?
You can configure a syslog server on any Windows machine: download it from the http://www.solarwinds.com/top5_tools/ website and install it.
Once done, go to the firewall, Log&Report>Log Config>Log Setting>Syslog, and configure the machine's IP so the firewall throws its logs to this server.

This concept is universal and used all across.
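The two suggestions in this thread that the asker can use without a FortiAnalyzer are (a) "Log Allowed Traffic" on the port-forwarding rule and (b) shipping the logs to a syslog server. The following is an added example, not code from the thread or from Fortinet: a small UDP syslog listener plus a parser for FortiGate-style `key=value` log lines, which answers the asker's actual question ("view all traffic that uses a certain firewall rule") by filtering the forwarded records on `policyid` and `dstport` and summarising the top source addresses. The field names (`policyid`, `dstport`, `src`, `type`) are modelled on FortiOS key=value traffic logs but are an assumption here; the sample lines are constructed for the demo and use documentation IP ranges.

```python
"""Minimal syslog receiver and filter for FortiGate-style key=value logs.

Added example for this thread; not the firewall vendor's code. Field names are
assumed to follow the FortiOS key=value convention (policyid=, dstport=, src=).
"""
import re
import socketserver
from collections import Counter

# One key=value token; FortiGate quotes values that contain spaces (e.g. msg="...").
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_line(line):
    """Parse one key=value log line into a dict, dropping a leading syslog PRI like '<189>'."""
    line = line.strip()
    if line.startswith('<'):
        end = line.find('>')
        if end > 0 and line[1:end].isdigit():
            line = line[end + 1:]
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def matches(rec, policyid=None, dstport=None):
    """True for traffic records matching the optional policy ID and destination port filters."""
    if rec.get('type') != 'traffic':          # event/attack records carry no policy id
        return False
    if policyid is not None and rec.get('policyid') != str(policyid):
        return False
    if dstport is not None and rec.get('dstport') != str(dstport):
        return False
    return True


def filter_records(lines, policyid=None, dstport=None):
    """Parse lines and keep the traffic records that match the filters."""
    return [r for r in map(parse_fortigate_line, lines)
            if matches(r, policyid=policyid, dstport=dstport)]


def top_sources(records, n=5):
    """Most frequent source addresses among the given records (the asker's 'where is it coming from')."""
    return Counter(r['src'] for r in records if 'src' in r).most_common(n)


class SyslogHandler(socketserver.BaseRequestHandler):
    """Print each forwarded line that matches the policy/port being watched."""
    watch_policyid = 5      # assumed: the policy ID of the port-25 forwarding rule
    watch_dstport = 25

    def handle(self):
        data = self.request[0].decode('utf-8', errors='replace')
        rec = parse_fortigate_line(data)
        if matches(rec, self.watch_policyid, self.watch_dstport):
            print(f"{rec.get('date')} {rec.get('time')} "
                  f"{rec.get('src')}:{rec.get('srcport')} -> "
                  f"{rec.get('dst')}:{rec.get('dstport')} policy={rec.get('policyid')}")


def serve(host='0.0.0.0', port=514):
    """Listen for UDP syslog; port 514 needs root, so use e.g. 5514 and point the firewall there."""
    with socketserver.UDPServer((host, port), SyslogHandler) as srv:
        srv.serve_forever()


# Constructed sample lines (not real captures); device_id is a placeholder.
SAMPLE_LINES = [
    '<189>date=2009-03-02 time=10:15:01 devname=FG50B device_id=FG50B_PLACEHOLDER type=traffic subtype=allowed '
    'src=203.0.113.10 srcport=44123 src_int=wan1 dst=10.0.0.5 dstport=25 dst_int=internal policyid=5 service=SMTP proto=6 status=accept',
    '<189>date=2009-03-02 time=10:15:02 devname=FG50B device_id=FG50B_PLACEHOLDER type=traffic subtype=allowed '
    'src=203.0.113.10 srcport=44124 src_int=wan1 dst=10.0.0.5 dstport=25 dst_int=internal policyid=5 service=SMTP proto=6 status=accept',
    '<189>date=2009-03-02 time=10:15:05 devname=FG50B device_id=FG50B_PLACEHOLDER type=traffic subtype=allowed '
    'src=198.51.100.7 srcport=51000 src_int=wan1 dst=10.0.0.5 dstport=443 dst_int=internal policyid=6 service=HTTPS proto=6 status=accept',
    '<189>date=2009-03-02 time=10:15:09 devname=FG50B device_id=FG50B_PLACEHOLDER type=traffic subtype=allowed '
    'src=203.0.113.10 srcport=44130 src_int=wan1 dst=10.0.0.5 dstport=1723 dst_int=internal policyid=7 service=PPTP proto=6 status=accept',
    '<190>date=2009-03-02 time=10:16:00 devname=FG50B device_id=FG50B_PLACEHOLDER type=event subtype=admin '
    'user=admin ui=GUI msg="User admin login successful from GUI"',
]


if __name__ == '__main__':
    # Offline demo: which hosts hit the port-25 rule (policy 5) in the sample?
    port25 = filter_records(SAMPLE_LINES, policyid=5, dstport=25)
    for src, count in top_sources(port25):
        print(f"{src}: {count} connection(s) to port 25 via policy 5")
    # To receive live logs instead, point the firewall's syslog setting at this host and run serve(port=5514).
```

Run as-is to see the filter on the constructed sample; to use it live, run `serve(port=5514)` on the machine named in Log&Report>Log Config>Log Setting>Syslog (set that port on the firewall too, since 514 needs elevated privileges) and adjust `watch_policyid` to the ID of the rule that carries "Log Allowed Traffic".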
Dave Messman (Author, IT Consultant) commented:
This was extremely helpful.  I'll set up a Syslog server as recommended.
