Logging and reporting, Recording logs, 309 | Fortinet FortiGate-800

FortiGate-800 Installation and Configuration Guide Version 2.50

Logging and reporting

You can configure the FortiGate unit to log network activity from routine configuration changes and traffic sessions to emergency events. You can also configure the FortiGate unit to send alert email messages to inform system administrators about events such as network attacks, virus incidents, and firewall and VPN events.

This chapter describes:

•Recording logs

•Filtering log messages

•Configuring traffic logging

•Viewing logs saved to memory

•Viewing and managing logs saved to the hard disk

•Configuring alert email

Recording logs

You can configure logging to record logs to one or more of:

•a computer running a syslog server,

•a computer running a WebTrends firewall reporting server,

•the FortiGate hard disk (if your FortiGate unit contains a hard disk),

•the console.

For information about filtering the log types and activities that the FortiGate unit records, see “Filtering log messages” on page 313. For information about traffic logs, see “Configuring traffic logging” on page 314.

This section describes:

•Recording logs on a remote computer

•Recording logs on a NetIQ WebTrends server

•Recording logs on the FortiGate hard disk

•Recording logs in system memory

•Log message levels

FortiGate-800 Installation and Configuration Guide

309

Image 309

Fortinet FortiGate-800 manual Logging and reporting, Recording logs, 309

Contents

January 15 Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents NAT/Route mode installation High availability Virus and attack definitions updates and registration 117 Network configuration 137 System configuration 169 Users and authentication 223 IPSec VPN 231 Network Intrusion Detection System Nids 269 Email filter 303 Glossary 323 Index 327 Contents Flexibility demanded by large enterprises Introduction Antivirus protection Web content filtering Firewall Email filtering Transparent mode NAT/Route modeVLANs and virtual domains Network intrusion detection High availability VPN Web-based manager Secure installation, configuration, and management Logging and reporting Command line interface Fortinet documentation Document conventions Comments on Fortinet technical documentation Customer service and technical support Customer service and technical support Getting started Mounting Package contents Power requirements Powering onEnvironmental specifications To power on the FortiGate-800 unit To connect to the web-based manager Connecting to the web-based manager To connect to the CLI Connecting to the command line interface CLIBits per second 9600 Data bits Parity Stop bits Flow control Factory default NAT/Route mode network configuration Factory default FortiGate configuration settingsAccount Internal interface Factory default Transparent mode network configuration Factory default firewall configuration Strict content profile Factory default content profiles Scan content profile Strict content profile OptionsScan content profile Options Unfiltered content profile Web content profileWeb content profile Options Unfiltered content profile Options Example NAT/Route mode network configuration Planning the FortiGate configuration Example NAT/Route multiple internet connection configuration NAT/Route mode with multiple external network connections Setup wizard Configuration options Front keypad and LCD FortiGate model maximum values matrix Signatures Antivirus file Block patterns Web filter Next steps Preparing to configure NAT/Route mode NAT/Route mode installation Advanced NAT/Route mode settings Advanced FortiGate NAT/Route mode settingsDhcp server Starting the setup wizard Using the setup wizardReconnecting to the web-based manager DMZ and user-defined interfaces Using the command line interface Using the front control buttons and LCDConfiguring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addresses Set system interface external mode static ip 204.23.1.5 To connect the FortiGate unit running in NAT/Route mode Connecting the FortiGate unit to your networks To connect to FortiGate-800 user-defined interfaces FortiGate-800 External Example FortiGate-800 user-defined interface connections Configuring your networks Configuring the DMZ interface Completing the configurationConfiguring interfaces 1 to Setting the date and time Configuration example Multiple connections to the Internet Configuring virus and attack definition updatesRegistering your FortiGate unit Internal Configuring ping servers Primary and backup links to the Internet Using the CLIDestination-based routing examples Go to System Network Routing Table Load sharing and primary and secondary connections Load sharing Routing table should have routes arranged as shown in Table To add the routes using the CLI Policy routing examples Routing a service to an external network Destination DMZAll Schedule Always Service Adding a redundant default policyFirewall policy example Adding more firewall policies Restricting access to a single Internet connection Configuration example Multiple connections to the Internet Preparing to configure Transparent mode Transparent mode installationTransparent mode settings Administrator Password DNS Settings Go to System Status Changing to Transparent mode using the web-based manager Operation mode Transparent Changing to Transparent mode using the CLI Configuring the Transparent mode management IP address Configure the Transparent mode default gatewayEnabling antivirus protection Connecting the FortiGate unit to your networks FortiGate-800 Transparent mode configuration examples Example default route to an external network Default routes and static routes Default route to an external network General configuration steps CLI configuration steps Web-based manager example configuration stepsExample static route to an external destination Go to System Network Management DMZ Example static route to an internal destination FortiGate-800 Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 Transparent mode configuration examples High availability Configuring FortiGate units for HA operation Configuring an HA clusterTo configure a FortiGate unit for HA operation Go to System Config HA None Weighted Round RobinHub Least Connection Example Active-Active HA configuration Connecting the cluster To connect the cluster HA network configuration Managing an HA cluster Adding a new FortiGate unit to a functioning clusterTo add a new unit to the cluster Configuring cluster interface monitoring Monitoring cluster members Viewing the status of cluster members Example cluster CPU, memory, and hard disk display To set the update frequency Viewing and managing cluster log messages Viewing cluster sessions Monitoring cluster units for failover Viewing cluster communication sessionsManaging individual cluster units Changing cluster unit host names To manage a cluster unitTo set the host name of each cluster member Keyword Description Synchronizing the cluster configuration Upgrading firmware Replacing a FortiGate unit after failover Advanced HA optionsSelecting a FortiGate unit as a permanent primary unit To select a permanent primary unit To set the priority of each FortiGate unit in a cluster Configuring weighted-round-robin weights Active-active HA packet flow Active-Active cluster packet flow NAT/Route mode packet flow Transparent mode packet flow Active-Active cluster packet flow System status System status Changing the FortiGate host name Firmware upgrade procedures Procedure DescriptionChanging the FortiGate firmware To change the FortiGate host name Go to System Status Upgrading the firmware using the CLI Upgrading the firmware using the web-based managerTo upgrade the firmware using the web-based manager To upgrade the firmware using the CLI Execute ping Reverting to a previous firmware version Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot 100 Press any key to enter configuration menu Restoring the previous configuration Testing a new firmware image before installing it101 To test a new firmware image 102 Installing and using a backup firmware image Installing a backup firmware image103 104 To install a backup firmware image Switching to the backup firmware image To switch to the backup firmware image105 Switching back to the default firmware image Manual virus definition updatesTo switch back to the default firmware image To update the antivirus definitions manually To update the attack definitions manually Manual attack definition updatesDisplaying the FortiGate serial number 107 Restoring system settings Backing up system settingsDisplaying the FortiGate up time Displaying log hard disk status Changing to Transparent mode Restoring system settings to factory defaultsTo change to Transparent mode Go to System Status 109 To change to NAT/Route mode Go to System Status Changing to NAT/Route modeRestarting the FortiGate unit Shutting down the FortiGate unit Viewing CPU and memory status System status111 To view CPU and memory status Go to System Status Monitor CPU and memory status monitor Viewing sessions and network status 113 Viewing virus and intrusions status To view the session list Go to System Status Session Session list Protocol 115 116 Virus and attack definitions updates and registration Updating antivirus and attack definitions117 Go to System Update Connecting to the FortiResponse Distribution NetworkVersion Expiry date Last update attempt Last update status To make sure the FortiGate unit can connect to the FDN 119 Manually initiating antivirus and attack definitions updates Configuring update logging Scheduling updatesEnabling scheduled updates 120 To add an override server Go to System Update Adding an override server121 Enabling push updates Enabling scheduled updates through a proxy server122 Push updates when FortiGate IP addresses change Enabling push updatesTo enable push updates Go to System Update 123 Enabling push updates through a NAT device Example push updates through a NAT device124 125 General procedure 126 Schedule Always Service ANY Action Accept To configure the FortiGate NAT deviceAdding a firewall policy for the port forwarding virtual IP 127 128 Registering FortiGate units 129 FortiCare Service Contracts 130 Registering the FortiGate unit 131 Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units132 Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number133 Changing your Fortinet support password Changing your contact information or security question134 135 Downloading virus and attack definitions updates 136 Registering a FortiGate unit after an RMA Network configuration Configuring zones137 Adding zones Configuring interfacesDeleting zones 138 Viewing the interface list Changing the administrative status of an interfaceAdding an interface to a zone 139 Configuring an interface with a manual IP address Configuring an interface for Dhcp140 141 Configuring an interface for PPPoE Adding a secondary IP address to an interface Adding a ping server to an interface142 143 Controlling administrative access to an interface Configuring the management interface in Transparent mode Configuring traffic logging for connections to an interfaceChanging the MTU size to improve network performance 144 145 Vlan overview Rules for Vlan IDs VLANs in NAT/Route modeRules for Vlan IP addresses 146 Adding Vlan subinterfaces Virtual domains in Transparent mode147 To add Vlan subinterfaces Go to System Network Interface FortiGate unit with two virtual domains 148 Virtual domain properties Configuring a virtual domainAdding a virtual domain 149 Adding Vlan subinterfaces to a virtual domain Adding zones to virtual domains150 To add a zone to a virtual domain Go to System Network Zone 151 Adding addresses for virtual domains Adding firewall policies for virtual domains152 Go to Firewall Address Adding DNS server IP addresses Configuring routingDeleting virtual domains 153 To add a default route Go to System Network Routing Table Adding a default routeAdding destination-based routes to the routing table 154 155 Adding routes in Transparent mode Configuring the routing table Policy routing156 Configuring Dhcp services Policy routing command syntax157 Configuring a Dhcp server Configuring a Dhcp relay agentAdding a Dhcp server to an interface Adding scopes to a Dhcp server To add a scope to a Dhcp server Go to System Network Dhcp 159 Viewing a Dhcp server dynamic IP list Adding a reserve IP to a Dhcp server160 Selected scope RIP configuration RIP settings161 Invalid 162Holddown Flush 163 Configuring RIP for FortiGate interfaces 164 Example RIP configuration for an internal interface Adding a RIP filter list Adding RIP filters165 To add a RIP filter list Go to System RIP Filter Assigning a RIP filter list to the neighbors filter Assigning a RIP filter list to the incoming filter166 167 Assigning a RIP filter list to the outgoing filter 168 Setting system date and time System configurationTo set the date and time Go to System Config Time 169 To set the Auth timeout Go to System Config Options To set the system idle timeout Go to System Config OptionsChanging system options 170 171 Modifying the Dead Gateway Detection settings Adding new administrator accounts Adding and editing administrator accountsTo add an administrator account Go to System Config Admin 172 Editing administrator accounts Configuring SnmpTo edit an administrator account Go to System Config Admin 173 Configuring FortiGate Snmp support Configuring the FortiGate unit for Snmp monitoringConfiguring Snmp access to an interface Configuring Snmp community settings 175 System NameSystem Location 176 FortiGate MIBs General FortiGate traps FortiGate trapsSystem traps 177 Nids traps VPN trapsAntivirus traps Logging traps Firewall configuration System configuration and statusFortinet MIB fields 179 180 Replacement messages Logging and reporting configuration181 182 Customizing replacement messages Customizing alert emails 183Alert email message sections Alert email message sections 184 185 Firewall configuration 186 Default firewall configuration Vlan subinterfaces InterfacesZones 187 Default addresses Interface Address Description ServicesAddresses Schedules Adding firewall policies Content profiles189 To add a firewall policy Go to Firewall Policy Firewall policy options Source190 Destination ServiceSchedule Action Traffic Shaping VPN Tunnel192 Dynamic IP Pool Fixed Port Anti-Virus & Web filter Authentication193 Maximum Bandwidth Traffic Priority Log Traffic Comments194 Configuring policy lists Policy matching in detail195 Enabling and disabling policies Changing the order of policies in a policy listDisabling policies Enabling policies Adding addresses Addresses197 To add an address Go to Firewall Address Editing addresses 198To edit an address Go to Firewall Address Organizing addresses into address groups Deleting addresses199 To delete an address Go to Firewall Address Services Predefined services200 GRE 201 Ldap 202 203 Adding custom TCP and UDP services Adding custom IP services Adding custom Icmp servicesGrouping services 204 205 Schedules 206 Creating one-time schedules 207 Creating recurring schedules Adding schedules to policies Virtual IPs208 To add a schedule to a policy Go to Firewall Policy 209 Adding static NAT virtual IPsTo add a static NAT virtual IP Go to Firewall Virtual IP Virtual IP External Interface examples Description Internal 210 Adding port forwarding virtual IPs 211 Adding policies with virtual IPs 212To add a policy with a virtual IP Go to Firewall Policy Adding an IP pool IP pools213 To add an IP pool Go to Firewall IP Pool IP Pools for firewall policies that use fixed ports IP/MAC bindingIP pools and dynamic NAT 214 Go to Firewall IP/MAC Binding Static IP/MAC 215 216 Adding IP/MAC addresses Viewing the dynamic IP/MAC list Enabling IP/MAC binding217 218 Content profiles Adding content profiles Default content profilesTo add a content profile Go to Firewall Content Profile 219 Oversized File/Email Pass Fragmented Email 220 Adding content profiles to policies To add a content profile to a policy Go to Firewall Policy221 222 223 Users and authentication Adding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication To set authentication timeout Go to System Config Options 225 Deleting user names from the internal database Adding Radius servers Configuring Radius supportDeleting Radius servers 226 Adding Ldap servers Configuring Ldap support227 To add an Ldap server Go to User Ldap Deleting Ldap servers 228To delete an Ldap server Go to User Ldap Adding user groups Configuring user groups229 To add a user group Go to User User Group Deleting user groups 230To delete a user group Go to User User Group 231 IPSec VPN Manual Keys Key managementAutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPNAdding a manual key VPN tunnel 233 AES128 234AES192 AES256 Adding a phase 1 configuration for an AutoIKE VPN General configuration steps for an AutoIKE VPNAutoIKE IPSec VPNs 235 236 Remote Gateway Static IP AddressRemote Gateway Dialup User Configuring advanced options To configure phase 1 advanced options237 238 239 Adding a phase 1 configuration Standard options Adding a phase 2 configuration for an AutoIKE VPN To add a phase 2 configuration Go to VPN Ipsec Phase240 241 Use selectors from policyUse wildcard selectors Obtaining a signed local certificate Managing digital certificatesGenerating the certificate request 242 243 Key TypeKey Size Downloading the certificate request Importing the signed local certificate244 Obtaining CA certificates Configuring encrypt policiesImporting CA certificates 245 Adding a source address 246To add a source address Go to Firewall Address Adding an encrypt policy Adding a destination address247 To add a destination address Go to Firewall Address 248 249 IPSec VPN concentrators VPN concentrator hub general configuration steps To create a VPN concentrator configuration250 251 Adding a VPN concentrator VPN spoke general configuration steps To create a VPN spoke configuration252 253 Redundant IPSec VPNs Configuring redundant IPSec VPNs To configure a redundant IPSec VPN254 To view VPN tunnel status Go to VPN Ipsec Phase Monitoring and Troubleshooting VPNsViewing VPN tunnel status Viewing dialup VPN connection status 256 Testing a VPN Configuring Pptp Pptp and L2TP VPN257 258 Configuring the FortiGate unit as a Pptp gatewayTo add users and user groups To add a source address To add a source address group 259To add a destination address To add a firewall policy 260 Configuring a Windows 98 client for Pptp Configuring a Windows XP client for Pptp Configuring a Windows 2000 client for Pptp261 To connect to the Pptp VPN To configure the VPN connection 262Select Properties Security Configuring L2TP Configuring the FortiGate unit as an L2TP gateway263 To add source addresses 264 265 Configuring a Windows 2000 client for L2TP To disable IPSec 266To connect to the L2TP VPN 267 Configuring a Windows XP client for L2TP 268 Network Intrusion Detection System Nids Detecting attacks269 Selecting the interfaces to monitor Configuring checksum verificationDisabling monitoring interfaces 270 Viewing the signature list Viewing attack descriptions271 Disabling Nids attack signatures Adding user-defined signatures272 273 Downloading the user-defined signature list Preventing attacks To enable Nids attack prevention Go to Nids PreventionEnabling Nids attack prevention Enabling Nids attack prevention signatures 275 Setting signature threshold values Logging attack messages to the attack log Logging attacksReducing the number of Nids attack log and email messages Automatic message reduction 277 Manual message reduction 278 General configuration steps Antivirus protection279 Antivirus scanning 280To scan FortiGate firewall traffic for viruses 281 File blocking Adding file patterns to block Blocking files in firewall traffic282 To block files in firewall traffic Quarantining infected files QuarantineQuarantining blocked files 283 Sorting the quarantine list Viewing the quarantine list284 To view the quarantine list Go to Anti-Virus Quarantine Filtering the quarantine list Configuring quarantine optionsDeleting files from the quarantine list Downloading quarantined files Configuring limits for oversized files and email Blocking oversized files and emails286 Exempting fragmented email from blocking To view the virus list Go to Anti-Virus Config Virus ListViewing the virus list 287 288 289 Web filtering Go to Web Filter Content Block Content blockingAdding words and phrases to the Banned Word list 290 291 Clearing the Banned Word list Backing up the Banned Word list Restoring the Banned Word list292 URL blocking Configuring FortiGate Web URL blockingAdding URLs to the Web URL block list 293 294 Clearing the Web URL block list Uploading a URL block list Downloading the Web URL block list295 To upload a URL block list Configuring Cerberian URL filtering Configuring FortiGate Web pattern blocking296 Configuring Cerberian web filter Installing a Cerberian license keyAbout the default group and policy Adding a Cerberian user To configure Cerberian web filtering Enabling Cerberian URL filtering298 Enabling script filtering Script filteringSelecting script filter options 299 Adding URLs to the URL Exempt list Exempt URL list300 Go to Web Filter URLExempt Uploading a URL Exempt List Downloading the URL Exempt List301 Go to Web Filter URL Exempt 302 303 Email filter Email banned word list Adding words and phrases to the email banned word list304 Downloading the email banned word list Uploading the email banned word list305 Adding address patterns to the email block list Email block listDownloading the email block list 306 Uploading an email block list Email exempt list307 To upload the email block list Adding a subject tag To add a subject tag Go to Email Filter ConfigAdding address patterns to the email exempt list 308 Logging and reporting Recording logs309 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server310 311 Recording logs on the FortiGate hard diskOverwrite Option Recording logs in system memory Log message levels312 To filter log entries Go to Log&Report Log Setting Filtering log messages313 314 Configuring traffic logging Enabling traffic logging for an interface Enabling traffic loggingEnabling traffic logging for a Vlan subinterface Enabling traffic logging for a firewall policy Adding traffic filter entries Configuring traffic filter settings316 Resolve IP Viewing logs saved to memory Destination IP Address Destination Netmask ServiceViewing logs 317 Searching logs Viewing and managing logs saved to the hard disk318 Keyword To view the active or saved logs Go to Log&Report Logging 319 Deleting all messages from an active log Downloading a log file to the management computerDeleting a saved log file 320 Testing alert email Configuring alert emailAdding alert email addresses 321 322 Enabling alert email 323 Glossary 324 325 326 327 Index Index 328 Dialup Pptp 329 Http 330 Ldap 331 332 Pptp dialup connection 333 334 TCP 335 Vlan 336