Fortigate
LogZilla App Store application: Fortigate
Overview
Fortigate is a line of firewall devices produced by Fortinet. FortiGate Next Generation Firewalls enable security-driven networking and consolidate industry-leading security capabilities such as intrusion prevention system (IPS), web filtering, secure sockets layer (SSL) inspection, and automated threat protection.
App Function
The Fortigate app performs the following functions:
- Normalize incoming event data
- Set various user tags
- Reformat the event message using all the key/value pairs present in the original message
Fortigate Configuration
To send logs to LogZilla, configure the Fortigate device with the following steps:
Step 1: Access Log Settings
- Log into the Fortigate web interface
- Navigate to Log & Report in the left sidebar
- Click Log Settings
Step 2: Configure Remote Logging
- In the Remote Logging and Archiving section:
  - Toggle Send logs to syslog to Enabled
  - Enter the LogZilla server IP address or FQDN in the IP Address/FQDN field
  - Leave the default syslog port (514) unless LogZilla is configured differently
Step 3: Enable Local Traffic Log
Critical: The Local Traffic Log must be enabled for the Fortigate app to function properly.
- In the Log Settings section:
  - Set Local Traffic Log to All (recommended) or Customize based on requirements
  - Set Event Logging to All or Customize as needed
Step 4: Configure UUIDs in Traffic Log (Optional)
For enhanced log correlation:
- In the UUIDs in Traffic Log section:
  - Enable Policy to include policy UUIDs in logs
  - Enable Address to include address object UUIDs in logs
Step 5: Apply Configuration
- Click Apply to save the configuration
- Verify logs are being sent to LogZilla by checking the LogZilla interface
Verification
To verify the configuration is working:
- Generate some network traffic through the Fortigate
- Check the LogZilla interface for incoming Fortigate events
- Verify that user tags are being populated correctly
Note: It may take a few minutes for logs to appear in LogZilla after configuration changes.

Vendor Documentation
- Fortigate Next-Generation Firewall (NGFW)
- Types of logs collected for each device
- Fortinet Document Library - Log and Report
- Sample logs by log type
- Log Message Fields
- Parsing Fortigate logs and other syslog-ng 3.31 news
Log Source Details
| Item | Value |
|---|---|
| Vendor | Fortinet |
| Device Type | Fortigate firewalls |
| Collection Method | Syslog |
| Configurable Log Output? | no |
| Exceptions | N/A |
Logs can be generated by the following functions:
- Traffic
- Security: Antivirus
- Security: Intrusion Prevention
- Security: Application Control
- Security: Web Filter
- Security: DNS
- Security: Data Leak Prevention
- Security: Email Filter
- Security: Web Application Firewall
- Security: Vulnerability Scan
- Security: VoIP
- Security: FortiClient
- Event: Endpoint
- Event: HA
- Event: Compliance
- Event: System
- Event: Router
- Event: VPN
- Event: User
- Event: WAN Opt
- Event: Cache
- Event: WiFi
Incoming Log Format
Fortigate log messages consist of key/value pairs, with each key/value
separated by = and each pair separated by spaces. Keys are not enclosed in
quotes, but some values are quoted when they contain spaces or special
characters. Log messages are generated for many different event types, and each
event type produces distinct keys. Some keys are common across different event
types, while others are unique to specific event types.
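As an added illustration (not code from LogZilla or the Fortigate app), the following Python parser splits a message in this key/value format, keeping quoted values intact, and then applies the tag renames from the Parsed Metadata Fields table; the mapping of srcip/dstip to the SrcIP/DstIP high-cardinality tags is an assumption.

```python
import re
from typing import Dict

# One key=value pair: the key starts the message or follows whitespace; the value
# is either double-quoted (spaces and '=' allowed inside) or a bare token.
_PAIR_RE = re.compile(r'(?<!\S)(\w+)=(?:"([^"]*)"|(\S*))')

# Keys the app strips from the message without creating a user tag
# (the date/time/eventtime/logtime rows of the Parsed Metadata Fields table).
REMOVED_ONLY = {"date", "time", "eventtime", "logtime"}

# Keys whose user tag name differs from the key; other tagged keys keep their name.
TAG_RENAMES = {"severity": "fortigate_severity", "type": "fortigate_type"}

# Hypothetical: which fields feed the SrcIP/DstIP high-cardinality tags.
HC_TAGS = {"srcip": "SrcIP", "dstip": "DstIP"}


def parse_fortigate(message: str) -> Dict[str, str]:
    """Return the key/value pairs of one Fortigate log body, in message order.
    A leading syslog priority such as <189> is dropped if the collector kept it;
    quoted values keep their inner text, bare values end at the next space."""
    body = re.sub(r"^<\d+>", "", message.strip())
    fields: Dict[str, str] = {}
    for match in _PAIR_RE.finditer(body):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def build_tags(fields: Dict[str, str]) -> Dict[str, str]:
    """Map parsed fields to user tags as the table describes: removed-only keys
    produce no tag, renamed keys use their tag name, HC tags are added on top."""
    tags: Dict[str, str] = {}
    for key, value in fields.items():
        if key in REMOVED_ONLY:
            continue
        tags[TAG_RENAMES.get(key, key)] = value
        if key in HC_TAGS:
            tags[HC_TAGS[key]] = value
    return tags


# Constructed from the "Successful Authentication" example (bare and quoted values mixed).
SAMPLE_AUTH = (
    'date=2019-05-13 time=15:55:56 logid="0102043008" type="event" subtype="user" '
    'level="notice" vd="root" srcip=10.1.100.11 dstip=172.16.200.55 policyid=1 '
    'user="bob" authproto="TELNET(10.1.100.11)" action="authentication" '
    'status="success" reason="N/A" msg="User bob succeeded in authentication"'
)
```

Running `build_tags(parse_fortigate(SAMPLE_AUTH))` yields tags such as `fortigate_type=event`, `user=bob` and `SrcIP=10.1.100.11`, with no `date` or `time` tag.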
Parsed Metadata Fields
The following fields (keys) are tagged. The user tag name matches the field key name.
| Removed | Tagged | Field | Tag Name | Example |
|---|---|---|---|---|
| ☑ | | date | | 2019-05-13 |
| ☑ | | time | | 11:45:03 |
| ☑ | | eventtime | | 1557513467369913239 |
| ☑ | | logtime | | 1557513467369913239 |
| ☑ | ☑ | action | action | close |
| ☑ | ☑ | addr | addr | (n/a) |
| ☑ | ☑ | agent | agent | curl/7.47.0 |
| ☑ | ☑ | alert | alert | (n/a) |
| ☑ | ☑ | analyticssubmit | analyticssubmit | false |
| ☑ | ☑ | app | app | HTTP.BROWSER_Firefox |
| ☑ | ☑ | appcat | appcat | Web.Client |
| ☑ | ☑ | appid | appid | 40568 |
| ☑ | ☑ | applist | applist | g-default |
| ☑ | ☑ | apprisk | apprisk | elevated |
| ☑ | ☑ | apscan | apscan | (n/a) |
| ☑ | ☑ | attack | attack | (n/a) |
| ☑ | ☑ | auditscore | auditscore | (n/a) |
| ☑ | ☑ | authproto | authproto | TELNET(10.1.100.11) |
| ☑ | ☑ | catdesc | catdesc | Malicious Websites |
| ☑ | ☑ | cfgobj | cfgobj | (n/a) |
| ☑ | ☑ | channeltype | channeltype | shell |
| ☑ | ☑ | connection_type | connection_type | (n/a) |
| ☑ | ☑ | countapp | countapp | 1 |
| ☑ | ☑ | crlevel | crlevel | critical |
| ☑ | ☑ | desc | desc | (n/a) |
| ☑ | ☑ | detectionmethod | detectionmethod | (n/a) |
| ☑ | ☑ | devid | devid | FGVM02Q105060010 |
| ☑ | ☑ | devtype | devtype | Linux PC |
| ☑ | ☑ | dir | dir | (n/a) |
| ☑ | ☑ | direction | direction | incoming |
| ☑ | ☑ | dlpextra | dlpextra | (n/a) |
| ☑ | ☑ | dstcountry | dstcountry | Canada |
| ☑ | ☑ | dstintf | dstintf | port11 |
| ☑ | ☑ | dstintfrole | dstintfrole | undefined |
| ☑ | ☑ | dtype | dtype | Virus |
| ☑ | ☑ | encryption | encryption | (n/a) |
| ☑ | ☑ | eventtype | eventtype | infected |
| ☑ | ☑ | filtercat | filtercat | (n/a) |
| ☑ | ☑ | filtername | filtername | (n/a) |
| ☑ | ☑ | filtertype | filtertype | (n/a) |
| ☑ | ☑ | group | group | local-group1 |
| ☑ | ☑ | ha_role | ha_role | (n/a) |
| ☑ | ☑ | icmpcode | icmpcode | (n/a) |
| ☑ | ☑ | icmpid | icmpid | (n/a) |
| ☑ | ☑ | icmptype | icmptype | (n/a) |
| ☑ | ☑ | init | init | (n/a) |
| ☑ | ☑ | interface | interface | port10 |
| ☑ | ☑ | level | level | notice |
| ☑ | ☑ | license_limit | license_limit | (n/a) |
| ☑ | ☑ | logdesc | logdesc | Routing log |
| ☑ | ☑ | login | login | root |
| ☑ | ☑ | manuf | manuf | (n/a) |
| ☑ | ☑ | mastersrcmac | mastersrcmac | a2:e9:00:ec:40:01 |
| ☑ | ☑ | method | method | domain |
| ☑ | ☑ | mode | mode | (n/a) |
| ☑ | ☑ | msg | msg | OSPF: RECV[Hello]: From 31.1.1.1 via port9:172.16.200.1: Invalid Area ID 0.0.0.0 |
| ☑ | ☑ | name | name | (n/a) |
| ☑ | ☑ | netid | netid | (n/a) |
| ☑ | ☑ | onwire | onwire | (n/a) |
| ☑ | ☑ | osname | osname | Ubuntu |
| ☑ | ☑ | outintf | outintf | (n/a) |
| ☑ | ☑ | policyid | policyid | 1 |
| ☑ | ☑ | poluuid | poluuid | 707a0d88-c972-51e7-bbc7-4d421660557b |
| ☑ | ☑ | policytype | policytype | policy |
| ☑ | ☑ | polmode | polmode | learn |
| ☑ | ☑ | profile | profile | g-default |
| ☑ | ☑ | proto | proto | 6 |
| ☑ | ☑ | qclass | qclass | (n/a) |
| ☑ | ☑ | qtype | qtype | (n/a) |
| ☑ | ☑ | quarskip | quarskip | File-was-not-quarantined. |
| ☑ | ☑ | radioband | radioband | (n/a) |
| ☑ | ☑ | rcvdbyte | rcvdbyte | 39898 |
| ☑ | ☑ | rcvdpkt | rcvdpkt | 37 |
| ☑ | ☑ | reason | reason | malformed input |
| ☑ | ☑ | reqtype | reqtype | direct |
| ☑ | ☑ | result | result | (n/a) |
| ☑ | ☑ | role | role | (n/a) |
| ☑ | ☑ | security | security | (n/a) |
| ☑ | ☑ | service | service | HTTP |
| ☑ | ☑ | sentbyte | sentbyte | 1850 |
| ☑ | ☑ | sentpkt | sentpkt | 25 |
| ☑ | ☑ | sessionid | sessionid | 8058 |
| ☑ | ☑ | severity | fortigate_severity | (n/a) |
| ☑ | ☑ | sndetected | sndetected | (n/a) |
| ☑ | ☑ | srccountry | srccountry | Reserved |
| ☑ | ☑ | srcintf | srcintf | port12 |
| ☑ | ☑ | srcintfrole | srcintfrole | undefined |
| ☑ | ☑ | srcmac | srcmac | a2:e9:00:ec:40:01 |
| ☑ | ☑ | srcname | srcname | pc1 |
| ☑ | ☑ | srcserver | srcserver | 0 |
| ☑ | ☑ | service | service | HTTPS |
| ☑ | ☑ | ssid | ssid | (n/a) |
| ☑ | ☑ | stamac | stamac | (n/a) |
| ☑ | ☑ | status | status | success |
| ☑ | ☑ | subtype | subtype | forward |
| ☑ | ☑ | trandisp | trandisp | snat |
| ☑ | ☑ | transip | transip | 172.16.200.2 |
| ☑ | ☑ | transport | trandisp | 40772 |
| ☑ | ☑ | type | fortigate_type | traffic |
| ☑ | ☑ | ui | ui | (n/a) |
| ☑ | ☑ | user | user | bob |
| ☑ | ☑ | utmaction | utmaction | allow |
| ☑ | ☑ | utmref | utmref | 0-220586 |
| ☑ | ☑ | vcluster_state | vcluster_state | (n/a) |
| ☑ | ☑ | vd | vd | vdom1 |
| ☑ | ☑ | virus | virus | EICAR_TEST_FILE |
| ☑ | ☑ | vpntunnel | vpntunnel | (n/a) |
| ☑ | ☑ | xauthgroup | xauthgroup | (n/a) |
| ☑ | ☑ | xauthuser | xauthuser | (n/a) |
High-Cardinality (HC) Tags
- SrcIP
- DstIP
Example Logs
Block SSL Traffic
```text
action="blocked" dstintf="unknown-0" dstintfrole="undefined" dstip="172.16.200.99" dstport="8080" eventtype="ssl-anomalies" level="warning" logid="1700062053" msg="Connection is blocked due to unsupported SSL traffic" policyid="1" profile="block-unsupported-ssl" proto="6" reason="malformed input" service="SMTPS" sessionid="11424" srcintf="port2" srcintfrole="undefined" srcip="10.1.100.66" srcport="41296" subtype="ssl" type="utm" vd="vdom1"
```
Successful Authentication
```text
date=2019-05-13 time=15:55:56 logid="0102043008" type="event" subtype="user" level="notice" vd="root" eventtime=1557788156913809277 logdesc="Authentication success" srcip=10.1.100.11 dstip=172.16.200.55 policyid=1 interface="port10" user="bob" group="local-group1" authproto="TELNET(10.1.100.11)" action="authentication" status="success" reason="N/A" msg="User bob succeeded in authentication"
```
Web Access Denied
```text
date=2019-05-13 time=16:29:45 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1557790184975119738 policyid=1 sessionid=381780 srcip=10.1.100.11 srcport=44258 srcintf="port12" srcintfrole="undefined" dstip=185.244.31.158 dstport=80 dstintf="port11" dstintfrole="undefined" proto=6 service="HTTP" hostname="morrishittu.ddns.net" profile="test-webfilter" action="blocked" reqtype="direct" url="/" sentbyte=84 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=26 catdesc="Malicious Websites" crscore=30 craction=4194304 crlevel="high"
```