Work environment
- FortiGate-60E
- version 7.2.1
Save firewall logs
FortiGate sets whether to save traffic logs for each firewall policy. The options are Security Events and All Sessions, with Security Events being the default.
For Security Events, normal traffic logs are not saved. It should be set to All Sessions to save normal traffic logs.
All Sessions saves a log of traffic allowed by that firewall policy.
Save a log of denied traffic
To save a log of denied traffic, configure settings on the Edit Implicit Deny policy screen.
By default, the log retention setting for the Implicit Deny policy is disabled.
Check firewall logs
To check firewall logs, go to the [Log & Report > Forward Traffic] screen.
You can check the firewall log on a screen like the one below.
Follow the steps below to check firewall logs via CLI.
Firewall log display procedure
execute log filter view-lines <5-1000>- Specify the number of log lines to display
execute log filter category 0- Specify the log category to display
- 0: traffic
- Specify the log category to display
execute log display- View firewall logs
execute log filter reset- Reset the filter settings of 1. to 2. above
FortiGate-60E # execute log display
97 logs found.
10 logs returned.
1: date=2022-09-30 time=20:48:53 eventtime=1664596132982997303 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.100 srcport=55693 srcintf="dmz" srcintfrole="dmz" dstip=133.152.32.31 dstport=443 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Japan" sessionid=2864 proto=6 action="close" policyid=1 policytype="policy" poluuid="c67d2f46-4139-51ed-e4cc-cff112e950cc" policyname="dmz_to_wan1" service="HTTPS" trandisp="snat" transip=192.168.179.7 transport=55693 duration=376 sentbyte=3635 rcvdbyte=9427 sentpkt=17 rcvdpkt=47 appcat="unscanned" sentdelta=184 rcvddelta=1719
2: date=2022-09-30 time=20:47:54 eventtime=1664596074753005997 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.100 srcport=55739 srcintf="dmz" srcintfrole="dmz" dstip=168.63.250.82 dstport=80 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Singapore" sessionid=3023 proto=6 action="close" policyid=1 policytype="policy" poluuid="c67d2f46-4139-51ed-e4cc-cff112e950cc" policyname="dmz_to_wan1" service="HTTP" trandisp="snat" transip=192.168.179.7 transport=55739 duration=241 sentbyte=2263 rcvdbyte=3030 sentpkt=6 rcvdpkt=23 appcat="unscanned"
3: date=2022-09-30 time=20:47:21 eventtime=1664596041254936906 tz="-0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.100 srcport=55696 srcintf="dmz" srcintfrole="dmz" dstip=133.152.32.56 dstport=443 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstcountry="Japan" sessionid=2868 proto=6 action="accept" policyid=1 policytype="policy" poluuid="c67d2f46-4139-51ed-e4cc-cff112e950cc" policyname="dmz_to_wan1" service="HTTPS" trandisp="snat" transip=192.168.179.7 transport=55696 duration=283 sentbyte=5176 rcvdbyte=66077 sentpkt=61 rcvdpkt=156 appcat="unscanned" sentdelta=0 rcvddelta=11046
...
Comments