
2. Logging and Monitoring

Module Objectives
❑ By the end of this module participants will be able to:
▪ Identify the severity levels assigned to logs
▪ Define the storage location for log information
▪ View and search logs
▪ Configure content archiving
▪ Generate reports from stored log information
Logging and Monitoring
❑ Logging and monitoring are key elements in maintaining devices on the network
▪ Monitor network and Internet traffic
▪ Track down and pinpoint problems
▪ Establish baselines
Logging Severity Levels
❑ Administrators define the minimum severity level at which the FortiGate unit records log information
❑ All messages at, or above, the minimum severity level will be logged
▪ Emergency = System unstable
▪ Alert = Immediate action required
▪ Critical = Functionality affected
▪ Error = Error exists that can affect functionality
▪ Warning = Functionality could be affected
▪ Notice (Notification) = Info about normal events
▪ Information = General system information
▪ Debug = Debug log messages
Log Severity Level
• Log severity level is indicated in the pri field of the log message

2010-01-11 14:23:37 log_id=0104032126 type=event subtype=admin pri=notice vd=root user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"

pri=notice = Notice (notification) level, a normal event


Deleting Logs
❑ Delete all local logs, log archives, and user-configured report templates using this command:
exec log-report reset
❑ Also restores the default UTM activity report if it has been modified
❑ This cannot be undone: download or upload any logs that must be retained before running it
Log Storage Locations
❑ Local logging
❑ Remote logging
▪ Syslog
▪ FortiCloud
▪ SNMP
Log Types
❑ Event logs
❑ Traffic logs
❑ UTM logs
▪ Attack logs
▪ Antivirus logs
▪ Web filter logs
▪ Email filter logs
▪ DLP logs
▪ Application control logs
▪ Network scan logs
Generating Logs in UTM Profiles and Sensors (page 90)
Generating Logs in Firewall Policies (page 92)
Generating Logs in Event Log (page 91)
Log Viewer Filtering
❑ Use Filter Settings to customize the display of log messages to show
specific information in log messages
▪ Reduce the number of log entries that are displayed
▪ Easily locate specific information
❑ Example: view only traffic log messages recorded in the last hour
Download Raw Logs
❑ Raw logs can be downloaded, including archived log messages
❑ Raw log file is downloaded to the management computer and saved as a
text file
▪ Can be viewed in a text editor such as Notepad
❑ Log file name format:
<log name><number>.log (for example: elog0101.log)
Viewing Log Messages (Raw)
❑ Fields in each log message are arranged into two groups:
▪ Log header
2011-01-08 12:55:06 log_id=32001 type=dlp subtype=dlp pri=notice vd=root
▪ Log body
policyid=1 identidx=0 serial=73855 src="10.10.10.1" sport=1190 src_port=1190 srcint=internal dst="192.168.1.122" dport=80 dst_port=80 dst_int="wan1" service="https" status="detected" hostname="example.com" url="/image/trees_pine_forest/" msg="data leak detected(Data Leak Prevention Rule matched)" rulename="All-HTTP" action="log-only" severity=1

❑ The type and subtype fields identify the log file the message is recorded in (for example, data leak prevention)
❑ policyid = id number of the firewall policy matching the session
❑ Each message has a unique log_id number that helps to identify it
❑ status = action taken by the FortiGate unit
❑ msg = activity that was recorded, for example, DLP detected (matched the rule called All-HTTP in the DLP sensor)
❑ action = how the FortiGate unit deals with the activity, for example, log the event only
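To make the severity threshold and the header/body layout concrete, here is an added example in Python (not FortiGate code and not from Fortinet): it parses raw key=value messages like the ones above, splits them into header and body, keeps only messages at or above a chosen minimum level the way the unit's severity setting does, and applies a Log Viewer style "traffic logs in the last hour" filter. The severity order and field names come from this page; the three extra sample messages and their log_id values are constructed for the example.

```python
"""Added example (not FortiGate code): parse raw FortiGate key=value log
messages, apply the unit's minimum-severity rule, and run a Log Viewer style
time/type filter. The extra sample messages below are constructed."""
import re
from datetime import datetime, timedelta

# Severity levels from lowest to highest, as listed on this page. "notice" is
# the pri value the unit writes for the Notice/Notification level.
SEVERITY_RANK = {
    "debug": 0, "information": 1, "notice": 2, "warning": 3,
    "error": 4, "critical": 5, "alert": 6, "emergency": 7,
}

# Fields that make up the log header after the date and time.
HEADER_KEYS = ("log_id", "type", "subtype", "pri", "vd")

# key=value where the value is either "quoted" (may contain spaces) or bare.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Turn one raw log line into a dict (timestamp plus one key per field)."""
    date, time, rest = line.strip().split(None, 2)
    entry = {"timestamp": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")}
    for key, quoted, bare in _FIELD_RE.findall(rest):
        entry[key] = quoted if quoted != "" else bare
    return entry


def split_header_body(entry):
    """Group parsed fields the way the page does: header vs body."""
    header = {k: v for k, v in entry.items() if k == "timestamp" or k in HEADER_KEYS}
    body = {k: v for k, v in entry.items() if k not in header}
    return header, body


def at_or_above(entries, minimum_level):
    """Keep messages at or above the minimum severity level (what the unit records)."""
    floor = SEVERITY_RANK[minimum_level.lower()]
    return [e for e in entries if SEVERITY_RANK[e["pri"].lower()] >= floor]


def recent(entries, now, hours=1, log_type=None):
    """Log Viewer style filter: messages of one type recorded in the last N hours."""
    cutoff = now - timedelta(hours=hours)
    return [e for e in entries
            if e["timestamp"] >= cutoff and (log_type is None or e["type"] == log_type)]


SAMPLE_LOGS = [
    # The two messages shown on this page, re-typed with straight quotes.
    '2010-01-11 14:23:37 log_id=0104032126 type=event subtype=admin pri=notice vd=root '
    'user=admin ui=GUI(192.168.96.1) seq=3 '
    'msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"',
    '2011-01-08 12:55:06 log_id=32001 type=dlp subtype=dlp pri=notice vd=root policyid=1 '
    'identidx=0 serial=73855 src="10.10.10.1" sport=1190 src_port=1190 srcint=internal '
    'dst="192.168.1.122" dport=80 dst_port=80 dst_int="wan1" service="https" '
    'status="detected" hostname="example.com" url="/image/trees_pine_forest/" '
    'msg="data leak detected(Data Leak Prevention Rule matched)" rulename="All-HTTP" '
    'action="log-only" severity=1',
    # Constructed messages (placeholder log_id values, not real FortiGate IDs) so
    # that the filters below have different severities and types to work on.
    '2011-01-08 12:58:40 log_id=1 type=traffic subtype=forward pri=warning vd=root '
    'src=10.10.10.5 dst=192.168.1.122 dstport=443 action=deny',
    '2011-01-08 13:10:02 log_id=2 type=event subtype=system pri=critical vd=root '
    'msg="Disk usage reached threshold"',
    '2011-01-08 13:12:15 log_id=3 type=event subtype=system pri=debug vd=root '
    'msg="Routine task"',
]


def demo(minimum_level="warning", now=datetime(2011, 1, 8, 13, 30, 0)):
    """Parse the samples and return the log_ids kept by each filter."""
    entries = [parse_log(line) for line in SAMPLE_LOGS]
    kept = [e["log_id"] for e in at_or_above(entries, minimum_level)]
    traffic_last_hour = [e["log_id"] for e in recent(entries, now, 1, "traffic")]
    return kept, traffic_last_hour


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        header, body = split_header_body(parse_log(line))
        print(header["pri"], header["type"], body.get("msg", body.get("action")))
    print(demo())
```

With the minimum level set to warning, only the constructed warning and critical messages survive, which is exactly what the unit would keep with that threshold; lowering it to notice also keeps the two messages from the page, and only debug keeps everything. The regex tolerates fields run together without spaces (as in the page's extracted example), because each match ends at the closing quote or the next space.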
LOG SETTINGS
Logging to a FortiAnalyzer Device
❑ Fortinet Discovery Protocol (FDP) is used to locate the FortiAnalyzer device
❑ SSL-secured OFTP is used to encrypt communication between the FortiGate and FortiAnalyzer devices
config log fortianalyzer setting
set enc-algorithm
Logging to a FortiAnalyzer Device
❑ Real-time upload of logs to the FortiAnalyzer device is disabled by default on FortiGate devices with a hard drive. To enable:
config log fortianalyzer setting
set status enable
set server <FAZ_IP_Address>
set enc-algorithm disable
set upload-option realtime (default is "store-and-upload")
▪ Caveat: enc-algorithm disable turns off the SSL protection of the OFTP session, so logs cross the network in cleartext; keep the default setting unless there is a specific reason not to encrypt
❑ CLI or Web Config can be used to configure the settings for uploading logs to FortiAnalyzer or the FortiGuard Analytics Service
config log request-fgt upload [set|get]
❑ Logging buffer rate setting (20 to 20,000) is available in the CLI only
❑ Upload time period setting (daily, weekly or monthly) is only available in Web Config after it is configured in the CLI
Store-and-Upload
❑ Default FortiGuard Analytics Service/FortiAnalyzer logging behavior for models with a hard drive
▪ Daily, weekly or monthly upload option
▪ Log event created for each upload action
▪ Hard-coded thresholds for automatic upload when the hard drive maximum quota is reached
✓ When the disk reaches 70% capacity, the oldest 20% of logs are uploaded
❑ FortiGate models without a hard drive still send logs in real time
Device Registration
❑ Options for handling an unregistered device:
▪ Ignore connection
▪ Allow connection but do not keep data
▪ Allow connection and keep some data
▪ Add as registered and keep data (DEFAULT)
Logging to Multiple FortiAnalyzer Devices
❑ Different log types can be sent to different FortiAnalyzer units, for example:
▪ FortiAnalyzer1: Event logs
▪ FortiAnalyzer2: Web filter logs
▪ FortiAnalyzer3: Traffic logs
Uploading Logs to FTP Server
❑ Text format allows for easier viewing using text editors
❑ Only available for FortiGate models with hard drives and only for uploading to an FTP server
config log disk setting
set upload enable
set upload-destination ftp-server
set uploadip 172.16.120.154
set uploadport 443
set uploaduser test_user
set uploadpass 123456
set uploaddir C:\Logs_FGT
set uploadtype appctrl attack dlp event spamfilter traffic virus webfilter
set uploadzip enable
set uploadformat text
set uploadsched enable
set uploadtime 7
❑ Caveat: FTP sends the upload credentials and the log contents in cleartext; use a dedicated low-privilege account on the FTP server and restrict the transfer to a trusted management network
Content Archiving
❑ Log and archive copies of content transmitted over the network
❑ Summary archives
▪ Metadata only
❑ Full archives
▪ Summary and hyperlink to archived file or message
❑ Enabled through Data Leak Prevention rules
❑ When logging to multiple FortiAnalyzer units, DLP archives can be sent to both the second and third FortiAnalyzer units
▪ Avoids any lost DLP archives
Logging to FortiCloud
❑ Registration to FortiCloud
▪ Web Portal (www.forticloud.com): admin privileges
▪ FortiGate GUI: view privileges
❑ Registered Devices
❑ FortiCloud Dashboard
❑ FortiCloud Management
❑ FortiCloud Backup
Alert Email
❑ Send notification to an email address upon detection of a defined event
❑ Identify SMTP server name
❑ Configure at least one DNS server
❑ Up to three recipients per mail server
SNMP
❑ The SNMP agent on the managed device (the FortiGate unit, with the Fortinet MIB) generates traps and sends them to the SNMP manager
❑ Configure the FortiGate unit interface for SNMP access
❑ Compile and load the Fortinet-supplied MIBs into the SNMP manager
❑ Create SNMP communities to allow connection from the FortiGate unit to the SNMP manager
Reporting
❑ Default Report
❑ Report Editor
❑ Historical Reports
Monitor
❑ Monitor sub-menus found in Web Config for all main function menus
❑ User-friendly display of monitored information
❑ View activity of a specific feature being monitored such as Firewall, UTM,
VPN, Router, WiFi, Endpoint Security etc.
