mtse (Staff)
January 18, 2022

Technical Tip: Meaning of the field 'hostname' in UTM traffic log when virtual IP (VIP) is enabled

Description: This article describes that, if a virtual IP (VIP) is configured, the VIP is recorded in the field 'hostname' of the UTM traffic log.
Scope: FortiGate.
Solution:

In FortiGate, when a virtual IP is configured, logs (e.g. UTM logs) for traffic matched by that VIP carry the field 'hostname', and its value is the configured virtual IP.

For example, in the topology below, the external VIP 10.20.20.31 is translated to 10.30.30.2 by DNAT.

 

[Figure: topology diagram of the external VIP being translated by DNAT to the internal server]

 

# config firewall vip
    edit "vip_10.20.20.40"
        set uuid d023a770-780b-51ec-8a14-36630d1f08c4
        set extip 10.20.20.40
        set mappedip "10.30.30.2"
        set extintf "any"
    next
end

 

# config firewall policy
    edit 1
        set name "allow_vip"
        set uuid 19ad7b00-780c-51ec-89cf-2e4c338cdd7f
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "vip_10.20.20.40"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end

 

The UTM log generated by this firewall policy carries the field 'hostname', which records the VIP 10.20.20.40, while the DNAT'd destination IP 10.30.30.2 appears separately in 'dstip'.

 

date=2022-01-18 time=11:14:51 eventtime=1642475691816721487 tz="+0800" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=34039 srcip=10.20.20.20 dstip=10.30.30.2 srcport=61467 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 sessionid=1181 applist="default" action="pass" appcat="Web.Client" app="HTTP.BROWSER_Chrome" hostname="10.20.20.40" incidentserialno=208666628 url="/cd45133ba9b7d33f34c02f202e936609/ng/ng.chunk-36.js" msg="Web.Client: HTTP.BROWSER_Chrome," apprisk="elevated"
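As an added example (not part of the original article), the following Python helper parses a FortiGate key=value log line like the one above and tags whether 'hostname' is a configured VIP (pre-NAT destination) rather than a real server name, so a SIEM rule or analyst does not treat the VIP as an unrelated host. The VIP table is constructed from the 'config firewall vip' entry above; the sample log line is a trimmed copy of the one shown.

```python
import re

# Constructed sample: the UTM app-ctrl log line from this article, trimmed to
# the fields relevant here (FortiGate key=value format, quoted where needed).
SAMPLE_LOG = (
    'date=2022-01-18 time=11:14:51 logid="1059028704" type="utm" subtype="app-ctrl" '
    'srcip=10.20.20.20 dstip=10.30.30.2 dstport=80 policyid=1 '
    'hostname="10.20.20.40" url="/ng/ng.chunk-36.js" '
    'msg="Web.Client: HTTP.BROWSER_Chrome," action="pass"'
)

# Constructed VIP table mirroring the 'config firewall vip' entry: extip -> mappedip.
VIP_TABLE = {"10.20.20.40": "10.30.30.2"}

# key=value pairs; values are either a double-quoted string (may contain spaces
# and escaped quotes) or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def resolve_vip(fields, vip_table):
    """Explain the 'hostname' field of a UTM log record.

    Returns the pre-NAT destination (hostname) and post-NAT destination (dstip)
    plus a tag: 'vip-dnat' when hostname is a known VIP whose mappedip equals
    dstip, 'vip-mismatch' when the VIP is known but dstip differs (worth checking
    the VIP config), and 'hostname' when no VIP is involved.
    """
    hostname = fields.get("hostname")
    dstip = fields.get("dstip")
    mapped = vip_table.get(hostname)
    if mapped is None:
        kind = "hostname"
    elif mapped == dstip:
        kind = "vip-dnat"
    else:
        kind = "vip-mismatch"
    return {"pre_nat_dst": hostname, "post_nat_dst": dstip, "kind": kind}


if __name__ == "__main__":
    print(resolve_vip(parse_fortigate_log(SAMPLE_LOG), VIP_TABLE))
```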

 
