Greetings! Welcome to course ninth lesson Fortinet getting started. In the last lesson, we examined the basic mechanisms for controlling user access to various resources. Now we have another task – it is necessary to analyze the behavior of users on the network, as well as to configure the receipt of data that can help in the investigation of various security incidents. Therefore, in this lesson we will consider the mechanism of logging and reporting. To do this, we need the FortiAnalyzer, which we deployed at the beginning of the course. The necessary theory, as well as a video lesson are available under the cut.
FotiGate logs are divided into three types: traffic logs, event logs and security logs. They, in turn, are divided into subtypes.
Traffic logs record traffic flow information, such as requests and responses, if any. This type contains subtypes of Forward, Local, and Sniffer.
The Forward subtype contains information about traffic FortiGate either accepted or rejected in accordance with firewall policies.
The Local subtype contains traffic information directly from the FortiGate IP address and from the IP addresses from which administration is carried out. For example, connections to the FortiGate web interface.
The Sniffer subtype contains the logs of traffic that was obtained using traffic mirroring.
Event logs contain system or administrative events, such as adding or changing parameters, establishing and breaking VPN tunnels, dynamic routing events, and so on. All subtypes are shown in the figure below.
And the third type is security logs. These logs record events related to virus attacks, visits to prohibited resources, use of prohibited applications, and so on. A complete list is also presented in the figure below.
Logs can be stored in different places – both on FortiGate itself and beyond. Storing logs on FortiGate is considered local logging. Depending on the device itself, logs can be stored either in the device’s flash memory or on the hard disk. Typically, middle models have a hard drive. Models with a hard drive are quite easy to distinguish – in the end there is a unit. For example, FortiGate 100E comes without a hard drive, while FortiGate 101E comes with a hard drive.
Younger and older models usually do not have a hard drive. In this case, flash memory is used to record logs. However, it should be borne in mind that the constant recording of logs in flash memory can reduce its effectiveness and service life. Therefore, logging to flash memory is disabled by default. It is recommended to enable it only for event logging while solving specific problems.
With intensive logging, it doesn’t matter on the hard disk or flash memory – the device’s performance will decrease.
Log storage on remote servers is quite common. FortiGate can store logs on Syslog servers, FortiAnalyzer or FortiManager. You can also use FortiCloud cloud service to store logs.
Syslog is a server for central storage of logs from network devices.
FortiCloud is a subscription-based security and log management service. With its help, you can remotely store logs and build relevant reports. If you have a fairly small network, a good solution might be just to use this cloud service, rather than buying additional equipment. There is a free version of FortiCloud, which implies a weekly storage of logs. After purchasing a subscription, logs can be stored for a year.
FortiAnalyzer and FortiManager are external log storage devices. Due to the fact that they all have the same operating system – FortiOS – FortiGate integration with these devices is not difficult.
But the differences between FortiAnalyzer and FortiManager devices should be noted. The main goal of FortiManager is the centralized management of several FortiGate devices – therefore, the amount of memory for storing logs on FortiManager is significantly less than on FortiAnalyzer (if, of course, you compare models from the same price segment).
The main goal of FortiAnalyzer is to collect and analyze logs. Therefore, it is precisely the work with him that we will consider later in practice.
The whole theory, as well as the practical part, is presented in this video tutorial:
In the next lesson, we’ll cover some of the highlights of FortiGate device administration. In order not to miss it, stay tuned for updates on the following channels: