[FortiGate] Save and check firewall logs

Firewall (UTM)

Work environment

  • FortiGate-60E
    • version 7.2.1

Save firewall logs

FortiGate configures traffic logging per firewall policy. The options are Security Events and All Sessions; Security Events is the default.

With Security Events, ordinary traffic logs are not saved, only logs of security events. To record ordinary traffic, set the policy to All Sessions.

All Sessions logs every session allowed by that firewall policy.

Firewall policy edit screen

Save a log of denied traffic

To save a log of denied traffic, configure logging on the Edit Implicit Deny policy screen.

By default, logging for the Implicit Deny policy is disabled, so denied traffic is not recorded until you enable it.

Check firewall logs

To check firewall logs, go to the [Log & Report > Forward Traffic] screen.

You can view the firewall log on a screen like the one below.

Follow the steps below to check firewall logs from the CLI.

Firewall log display procedure
  1. execute log filter view-lines <5-1000>
    • Specify the number of log lines to display (5 to 1000)
  2. execute log filter category 0
    • Specify the log category to display
      • 0: traffic
  3. execute log display
    • Display the firewall logs that match the filter
  4. execute log filter reset
    • Reset the filter settings made in steps 1 and 2

FortiGate-60E # execute log display
97 logs found.
10 logs returned.

1: date=2022-09-30 time=20:48:53 eventtime=1664596132982997303 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.100 srcport=55693 srcintf="dmz" srcintfrole="dmz" dstip=133.152.32.31 dstport=443 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Japan" sessionid=2864 proto=6 action="close" policyid=1 policytype="policy" poluuid="c67d2f46-4139-51ed-e4cc-cff112e950cc" policyname="dmz_to_wan1" service="HTTPS" trandisp="snat" transip=192.168.179.7 transport=55693 duration=376 sentbyte=3635 rcvdbyte=9427 sentpkt=17 rcvdpkt=47 appcat="unscanned" sentdelta=184 rcvddelta=1719

2: date=2022-09-30 time=20:47:54 eventtime=1664596074753005997 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.100 srcport=55739 srcintf="dmz" srcintfrole="dmz" dstip=168.63.250.82 dstport=80 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Singapore" sessionid=3023 proto=6 action="close" policyid=1 policytype="policy" poluuid="c67d2f46-4139-51ed-e4cc-cff112e950cc" policyname="dmz_to_wan1" service="HTTP" trandisp="snat" transip=192.168.179.7 transport=55739 duration=241 sentbyte=2263 rcvdbyte=3030 sentpkt=6 rcvdpkt=23 appcat="unscanned"

3: date=2022-09-30 time=20:47:21 eventtime=1664596041254936906 tz="-0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.100 srcport=55696 srcintf="dmz" srcintfrole="dmz" dstip=133.152.32.56 dstport=443 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Japan" sessionid=2868 proto=6 action="accept" policyid=1 policytype="policy" poluuid="c67d2f46-4139-51ed-e4cc-cff112e950cc" policyname="dmz_to_wan1" service="HTTPS" trandisp="snat" transip=192.168.179.7 transport=55696 duration=283 sentbyte=5176 rcvdbyte=66077 sentpkt=61 rcvdpkt=156 appcat="unscanned" sentdelta=0 rcvddelta=11046

...
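The output above is a flat list of key=value pairs, which is awkward to read by eye once more than a handful of sessions are returned. The following parser is an added example, not part of the original post or of any Fortinet tool: it turns the text of execute log display into dictionaries, counts sessions per action, sums sent and received bytes per policy, and pulls out denied sessions. The first two sample records are copied from the output shown above; the third (the action="deny" record with dstip 203.0.113.10 and policyid=0) is constructed for illustration and its field values are assumptions.

```python
import re
from collections import Counter, defaultdict

# One key=value token. The value is either double-quoted (it may then
# contain spaces) or a run of non-whitespace characters.
_TOKEN = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Parse one FortiGate key=value log line into a dict.

    The leading "N: " counter printed by `execute log display` is dropped.
    Quoted values lose their quotes; all values are kept as strings.
    """
    line = re.sub(r'^\s*\d+:\s*', '', line.strip())
    fields = {}
    for m in _TOKEN.finditer(line):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def parse_log_display(output):
    """Parse the full text of `execute log display`, skipping header lines."""
    return [parse_fortigate_line(l) for l in output.splitlines()
            if re.match(r'^\s*\d+:\s*date=', l)]


def summarize(records):
    """Return (sessions per action, bytes per policy) for the parsed records.

    Records without a policyname (e.g. the implicit deny policy) are keyed
    by their policyid instead.
    """
    by_action = Counter(r.get("action") for r in records)
    by_policy = defaultdict(lambda: {"sent": 0, "rcvd": 0})
    for r in records:
        key = r.get("policyname") or r.get("policyid")
        by_policy[key]["sent"] += int(r.get("sentbyte", 0))
        by_policy[key]["rcvd"] += int(r.get("rcvdbyte", 0))
    return by_action, dict(by_policy)


def denied(records):
    """Sessions blocked by a policy; these only appear once Implicit Deny logging is on."""
    return [r for r in records if r.get("action") == "deny"]


# Constructed sample: the header and records 1 and 3 are taken from the
# post's output; record 4 is made up to show a denied session.
SAMPLE_OUTPUT = """97 logs found.
3 logs returned.

1: date=2022-09-30 time=20:48:53 eventtime=1664596132982997303 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.100 srcport=55693 srcintf="dmz" srcintfrole="dmz" dstip=133.152.32.31 dstport=443 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Japan" sessionid=2864 proto=6 action="close" policyid=1 policytype="policy" poluuid="c67d2f46-4139-51ed-e4cc-cff112e950cc" policyname="dmz_to_wan1" service="HTTPS" trandisp="snat" transip=192.168.179.7 transport=55693 duration=376 sentbyte=3635 rcvdbyte=9427 sentpkt=17 rcvdpkt=47 appcat="unscanned" sentdelta=184 rcvddelta=1719

3: date=2022-09-30 time=20:47:21 eventtime=1664596041254936906 tz="-0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.100 srcport=55696 srcintf="dmz" srcintfrole="dmz" dstip=133.152.32.56 dstport=443 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Japan" sessionid=2868 proto=6 action="accept" policyid=1 policytype="policy" poluuid="c67d2f46-4139-51ed-e4cc-cff112e950cc" policyname="dmz_to_wan1" service="HTTPS" trandisp="snat" transip=192.168.179.7 transport=55696 duration=283 sentbyte=5176 rcvdbyte=66077 sentpkt=61 rcvdpkt=156 appcat="unscanned" sentdelta=0 rcvddelta=11046

4: date=2022-09-30 time=20:49:10 eventtime=1664596150000000000 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.100 srcport=55800 srcintf="dmz" srcintfrole="dmz" dstip=203.0.113.10 dstport=23 dstintf="wan1" dstintfrole="wan" sessionid=3100 proto=6 action="deny" policyid=0 policytype="policy" service="TELNET" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"
"""

RECORDS = parse_log_display(SAMPLE_OUTPUT)

if __name__ == "__main__":
    actions, policies = summarize(RECORDS)
    print("sessions per action:", dict(actions))
    print("bytes per policy:", policies)
    for r in denied(RECORDS):
        print("denied:", r["srcip"], "->", r["dstip"], "port", r["dstport"])
```

In practice you would paste the CLI output into a file and pass its contents to parse_log_display; the same parser works on lines exported from Log & Report, since the field format is identical. The regex deliberately keeps values as strings so that zero-padded identifiers such as logid survive untouched.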

