Fortinet Logging and Monitoring

201 Class-FCNSA
A single "like" makes the uploader upload more stuff to share .... so if you see the like button, please click :)

Document Transcript

    Course 201 - Administration, Content Inspection and VPNs
    Logging and Monitoring, Module 2
    © 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C (01-50000-0201-20130215-C)

    Module Objectives
      • By the end of this module participants will be able to:
        » Define the storage location for log information
        » Enable logging for different FortiGate unit events
        » View and search logs
        » Monitor log activity
        » Understand RAW log output
        » Customize widgets on the dashboard

    Logging and Monitoring
      • Logging and monitoring are key elements in maintaining devices on the network
        » Monitor network and Internet traffic
        » Track down and pinpoint problems
        » Establish baselines

    Logging Severity Levels
      • Administrators define the severity level at which the FortiGate unit records log information
      • All messages at, or above, the minimum severity level will be logged
        » Emergency = System unstable
        » Alert = Immediate action required
        » Critical = Functionality affected
        » Error = Error exists that can affect functionality
        » Warning = Functionality could be affected
        » Notification = Information about normal events
        » Information = General system information (default)
        » Debug = Debug log messages

    Log Storage Locations
      • Local logging: Memory and Hard drive
      • Remote logging: Syslog, SNMP

    Log Types and Subtypes
      • Traffic Log
        » Forward (Traffic passed/blocked by Firewall policies)
        » Local (Traffic aimed directly at, or created by, the FortiGate device)
        » Invalid (Packets considered invalid/malformed and dropped)
      • Event Log
        » System (System related events)
        » Router, VPN, User, WanOpt & Cache, Wifi
      • UTM Security Log
        » Antivirus, Web Filter, Intrusion Protection, etc.

    Log Structure and Behavior
      • Options for log behavior:
        » UTM consolidated into Forward Traffic log
        » UTM separated into individual logs
      • utm-incident-traffic-log
            config sys global
              set utm-incident-traffic-log [enable|disable]
            end
        » Pre-5.0 behavior: if logging of allowed traffic was disabled on the policy, a UTM event still enabled traffic logging for that session; this was not configurable (always on)
      • Consolidating logs into the Traffic Log is recommended for performance
        » Multiple individual log files are harder on the CPU than one

    Traffic Log – Log Generation
      (Log Traffic / UTM Function / utm-incident-traffic-log / Extended-utm → Behavior)
      • Enabled / Disabled (traffic does not go to UTM) / N/A / N/A
        » Traffic log generated by kernel (like today). All new UTM fields empty.
      • Enabled / Enabled (traffic goes to UTM) / Disabled / Either
        » UTM events generate logs in the traffic log. All traffic through the policy generates a traffic log.
      • Disabled / Enabled (traffic goes to UTM) / Disabled / Enabled
        » UTM events generate logs in the traffic log. Only traffic that has a UTM event occur generates traffic logs.
      • Disabled / Enabled (traffic goes to UTM) / Disabled / Disabled
        » Only UTM events generate logs in the traffic log (no other traffic logs).
      • Disabled / Enabled (traffic goes to UTM) / Enabled / Enabled
        » UTM events generate logs in the UTM log. Only traffic that has a UTM event occur generates traffic logs.

    Viewing Log Messages

    Log Viewer Filtering
      • Use Filter Settings to customize the display of log messages to show specific information in log messages
        » Reduce the number of log entries that are displayed
        » Easily locate specific information

    Log Severity Level
      • The log severity level is indicated in the level field of the log message
            date=2012-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=http(10.0.1.10) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from http(10.0.1.10)"
        » information = normal event

    Viewing Log Messages (Raw)
      • Fields in each log message are arranged into two groups:
        » Log header (common to all log messages)
            date=2012-11-13 time=11:17:56 logid=0000000009 type=traffic subtype=forward level=notice vd=root
        » Log body (varies per log entry type)
            srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100

    Viewing Log Messages (Raw)
        » Log header
            date=2012-08-30 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp level=warning vd="root" filteridx=0
        » Log body
            policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" group="group" srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1 …….
      • The type and subtype fields identify the log file the message is recorded in (for example, UTM > Data Leak Prevention or Traffic > Forward Traffic)

    Viewing Log Messages (Raw)
        » Log body
            srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100 hostname="host" url="www.abcd.com" msg="Data Leak Prevention Testing Message" action=block severity=0 infection="carrier end point filter"
      • policyid = id number of the firewall policy matching the session

    Viewing Log Messages (Raw)
        » Log body
            srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0 dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0 status=deny user="test user" group="test group" policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0 service=other proto=0 appid=1 app="AIM" appcat="IM" applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name" shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name" shaperdroprcvdbyte=16843009 shaperperipname="perip name" shaperperipdropbyte=16843009 devtype="iPad" osname="linux" osversion="ver" unauthuser="user" unauthusersource="none" collectedemail="mail" mastersrcmac=02:02:02:02:02:02 srcmac=01:01:01:01:01:01
      • status = action taken by the FortiGate unit

    Alert Email
      • Send a notification to an email address upon detection of a defined event
      • Identify the SMTP server name
      • Configure at least one DNS server
      • Up to three recipients per mail server
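The severity ladder and the raw key=value format shown on the slides above, as an added example that is not part of the Fortinet course material or any Fortinet code: a small Python parser that splits a raw FortiGate line into header and body fields, applies the "at or above the minimum severity" rule from the Logging Severity Levels slide, and groups messages by the type/subtype that names the log file they land in. The three sample lines are constructed from the slides' own examples; the `<PRI>` stripping assumes lines collected through a remote syslog server carry an RFC 3164 priority prefix, which is an assumption about the transport rather than something the slides state.

```python
"""Parse FortiGate raw key=value log lines and apply a minimum-severity filter.

Added example for this module; not Fortinet code. The sample lines are
constructed from the raw-log examples shown on the slides.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Severity order from the "Logging Severity Levels" slide: lower rank = more severe.
# FortiGate writes the Notification level as level=notice, so both spellings share rank 5.
SEVERITY_RANK = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "notification": 5, "information": 6, "debug": 7,
}

# Header fields the slides show as common to every message (logid vs log_id and
# eventtype vary by release, so all spellings are accepted).
HEADER_KEYS = frozenset(
    {"date", "time", "logid", "log_id", "type", "subtype", "eventtype", "level", "vd"}
)

# Constructed sample records, taken from the raw-log examples on the slides.
SAMPLE_LOGS = [
    'date=2012-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information '
    'vd="root" user="admin" ui=http(10.0.1.10) action=login status=success reason=none '
    'profile="super_admin" msg="Administrator admin logged in successfully from http(10.0.1.10)"',
    'date=2012-11-13 time=11:17:56 logid=0000000009 type=traffic subtype=forward level=notice vd=root '
    'srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 '
    'dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 '
    'policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100',
    'date=2012-08-30 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp level=warning '
    'vd="root" filteridx=0 policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" '
    'group="group" srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" '
    'service=mm1 msg="Data Leak Prevention Testing Message" action=block severity=0',
]

# One key=value pair: the value is either a double-quoted string (spaces allowed,
# \" escapes) or a run of non-whitespace such as ui=http(10.0.1.10) or service=800/tcp.
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Assumption: lines received via remote syslog (Log Storage Locations slide) are
# prefixed with an RFC 3164 priority such as <134>; strip it before parsing.
_SYSLOG_PRI_RE = re.compile(r"^<\d{1,3}>")


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return the key=value fields of one raw log line as a dict, quotes removed."""
    line = _SYSLOG_PRI_RE.sub("", line.strip(), count=1)
    fields: Dict[str, str] = {}
    for key, raw in _PAIR_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def split_header_body(fields: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a parsed record into the common log header and the type-specific body."""
    header = {k: v for k, v in fields.items() if k in HEADER_KEYS}
    body = {k: v for k, v in fields.items() if k not in HEADER_KEYS}
    return header, body


def at_or_above(records: Iterable[Dict[str, str]], minimum: str = "information") -> List[Dict[str, str]]:
    """Keep records whose level is at or above the minimum severity (the slide's rule).

    A record with a missing or unknown level is kept rather than silently dropped,
    so the filter never hides a message it cannot classify.
    """
    threshold = SEVERITY_RANK[minimum.lower()]
    kept = []
    for rec in records:
        rank = SEVERITY_RANK.get(rec.get("level", "").lower())
        if rank is None or rank <= threshold:
            kept.append(rec)
    return kept


def log_destination(fields: Dict[str, str]) -> str:
    """type/subtype names the log file the message is recorded in (e.g. utm/dlp)."""
    return f"{fields.get('type', '?')}/{fields.get('subtype', '?')}"


def count_by_destination(records: Iterable[Dict[str, str]]) -> Counter:
    """Count how many messages would land in each log file."""
    return Counter(log_destination(r) for r in records)


if __name__ == "__main__":
    records = [parse_fortigate_log(line) for line in SAMPLE_LOGS]
    for rec in at_or_above(records, "notice"):
        header, body = split_header_body(rec)
        print(header["level"], log_destination(rec), body.get("msg") or body.get("user"))
    print(dict(count_by_destination(records)))
```

Running the block with minimum "notice" keeps the traffic (notice) and DLP (warning) records and drops the information-level admin login, which is exactly what raising the device's minimum severity from the default would do to what gets written.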
    SNMP
      (diagram: SNMP agent on the managed device, Fortinet MIB, SNMP manager)
      • Traps received by the agent are sent to the SNMP manager
      • Configure the FortiGate unit interface for SNMP access
      • Compile and load Fortinet-supplied MIBs into the SNMP manager
      • Create SNMP communities to allow the connection from the FortiGate unit to the SNMP manager

    Event Logging

    Event Log

    Monitor

    Monitor
      • Monitor sub-menus are found in the GUI for all main function menus
      • User-friendly display of monitored information
      • View activity of a specific feature being monitored such as Firewall, VPN, Router, Wi-Fi, etc.
      • UTM monitoring can be enabled via System > Admin > Settings

    Monitor
      • Example: UTM Security Profiles Monitor
        » Includes all UTM features
      • AV Monitor
        » Recent and top virus activity
      • Web Monitor
        » Top blocked FortiGuard categories
      • Application Monitor
        » Most used applications
      • …

    Status Page – Custom Widgets
      • Many widgets can have their settings altered to display different information
        » The same widget can be added multiple times to the same dashboard showing different information

    Labs
      • Lab 1: Status Monitor and Event Log
        » Ex 1: Exploring the GUI Status Monitor
        » Ex 2: Event Log and Logging Options (OPTIONAL)
      • Lab 2: Remote Monitoring
        » Ex 1: Remote Syslog and SNMP Monitoring

    Classroom Lab Topology