fittan
New Member
August 10, 2018
Question

How to monitor attacks from the Internet?

  • August 10, 2018
  • 3 replies
  • 29554 views

Hi, totally newbie here. I came from a Cisco background and just deployed my first 100E firewall. Great firewall and I am getting familiar with the firewall now.

My only gripe is that I cannot find any way to monitor traffic on the "outside" interface. No real time logs and no reports either. Fortigate is excellent at showing me all sorts of logs from the "inside" (web, antivirus, ips, dns, etc). But as for events on the "outside", I am clueless (feels like I am driving blind). I have called Fortigate support several times and they were somewhat surprised about my request and later concurred that there is no such "functionality".

Am I missing something here? Or is there really no way to monitor? Thanks in advance. 

    3 replies

    fittan (Author)
    New Member
    August 13, 2018

    Hi, replying to my own thread here since no one has responded. Can someone confirm that it is not possible to have a log of external attacks?

    I have managed firewalls for many years and every other vendor from Cisco to Sonicwall provides logs to give some visibility of external connections. I have tried to enable syslog on the Fortigate, but again it only shows "internal" logs, nothing on "external" traffic.

    Am I the only one who cares what is on the outside? Doesn't anyone want to have some visibility? It is a bit frustrating to say the least.

    fittan (Author)
    New Member
    August 13, 2018

    68 views and no one can help? Can someone please answer:

    1) Yes...you can view logs of traffic to your outside interface (i.e. external threat) or 

    2) No...it cannot be done (and why would you want to do that). We are only concerned with logging internal threats... external threats are not important.

    tanr
    New Member
    August 13, 2018

    I'm not an expert at all, but a few questions, comments, and hopefully answers.

    Are you looking at logs on a FortiGate, or using a FortiAnalyzer (best way to deal with Fortinet logs), and which firmware versions are you running?  Can you give some specific examples of what you're looking for?  

    Do you have your Implicit Deny rule (bottom of the security policy rules) set to log?

    If on a FortiGate, have you looked at Log & Report > Local Traffic, and filtered by Source Interface equal to one or all of your wan ports?

    Beyond all that, it sounds like you want the logs related to local-in-policy (config firewall local-in-policy) which is what deals with direct access to the firewall.  See https://forum.fortinet.com/tm.aspx?m=154480 for a discussion of this.  Note the gotcha I ran into with this when my local-in-policy rules had the same IDs as "normal" security policies. 

    To log the local-in-policy logs:

    config log setting
        set local-in-allow enable
    end

    While you're in the "config log setting" section, type "set ?" to see some of the other options there, like local-in-deny-broadcast, etc.

    Hope this helps.
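    Once local-in logging is switched on as above, the records that answer the original question are the local-traffic entries (the same ones Log & Report > Local Traffic shows). The following script is an added example, not code from this thread or from Fortinet: it takes FortiGate syslog lines in the key=value format, keeps only local-in records that arrived on a WAN-role interface, and counts them per source address, destination port and action so repeated probes stand out. It assumes the firewall is sending its logs to a syslog collector with `local-in-allow` and the matching `local-in-deny-*` settings enabled; the field names (`type`, `subtype`, `srcintfrole`, `action`) follow FortiGate's traffic-log layout, and the sample lines are constructed for the example, not captured from a device.

```python
"""Summarise inbound connection attempts that hit a FortiGate WAN interface.

Reads syslog lines in FortiGate's key=value format, keeps only the local-in
records (type=traffic, subtype=local) that arrived on a WAN-role interface,
and counts them by source address, destination port and action.
"""
import re
from collections import Counter

# One key=value pair; the value is either double-quoted or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines (assumption: not from the thread or a real device).
# Field names follow FortiGate's traffic-log layout; addresses are from
# documentation ranges.
SAMPLE_LOGS = [
    # Two probes against SSH on the firewall's own WAN address, denied.
    'date=2018-08-21 time=10:01:02 devname="FGT100E" logid="0001000014" '
    'type="traffic" subtype="local" level="notice" vd="root" '
    'srcip=198.51.100.7 srcport=51234 srcintf="wan1" srcintfrole="wan" '
    'dstip=203.0.113.10 dstport=22 dstintf="root" proto=6 action="deny" '
    'policyid=0 service="SSH"',
    'date=2018-08-21 time=10:01:09 devname="FGT100E" logid="0001000014" '
    'type="traffic" subtype="local" level="notice" vd="root" '
    'srcip=198.51.100.7 srcport=51240 srcintf="wan1" srcintfrole="wan" '
    'dstip=203.0.113.10 dstport=22 dstintf="root" proto=6 action="deny" '
    'policyid=0 service="SSH"',
    # One probe against HTTPS on the WAN address, denied.
    'date=2018-08-21 time=10:02:30 devname="FGT100E" logid="0001000014" '
    'type="traffic" subtype="local" level="notice" vd="root" '
    'srcip=192.0.2.44 srcport=40001 srcintf="wan1" srcintfrole="wan" '
    'dstip=203.0.113.10 dstport=443 dstintf="root" proto=6 action="deny" '
    'policyid=0 service="HTTPS"',
    # Admin GUI session from the LAN: local traffic, but not from a WAN port.
    'date=2018-08-21 time=10:03:00 devname="FGT100E" logid="0001000012" '
    'type="traffic" subtype="local" level="notice" vd="root" '
    'srcip=10.0.0.5 srcport=50010 srcintf="internal" srcintfrole="lan" '
    'dstip=10.0.0.1 dstport=443 dstintf="root" proto=6 action="accept" '
    'policyid=0 service="HTTPS"',
    # Forwarded traffic through a VIP to a server behind the firewall:
    # subtype=forward, so it is not a local-in record and is excluded.
    'date=2018-08-21 time=10:03:30 devname="FGT100E" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=192.0.2.44 srcport=40002 srcintf="wan1" srcintfrole="wan" '
    'dstip=10.0.0.20 dstport=25 dstintf="internal" proto=6 action="accept" '
    'policyid=3 service="SMTP"',
]


def parse_line(line):
    """Turn one key=value syslog line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def inbound_local_hits(lines, wan_roles=("wan",)):
    """Return parsed records for local-in traffic that arrived on a WAN-role port.

    Local-in records are the ones where the firewall itself is the destination,
    which is exactly the "outside" view the original question asks for.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") != "traffic" or rec.get("subtype") != "local":
            continue  # forwarded sessions belong to the security-policy logs
        if rec.get("srcintfrole") not in wan_roles:
            continue  # management sessions from the LAN side are not external
        hits.append(rec)
    return hits


def summarise(records):
    """Count (srcip, dstport, action) tuples so repeated probes are visible."""
    return Counter((r["srcip"], r["dstport"], r["action"]) for r in records)


if __name__ == "__main__":
    counts = summarise(inbound_local_hits(SAMPLE_LOGS))
    for (src, port, action), n in counts.most_common():
        print(f"{src:>16}  dstport={port:<5}  action={action:<6}  count={n}")
```

    Running the file prints the external sources, the port each one aimed at and how often, built from the same local-traffic records the GUI shows. Denied attempts only appear if the deny-side settings that `set ?` lists under `config log setting` (for example `local-in-deny-unicast`) are enabled alongside `local-in-allow`; with only the allow setting on, the script would show just the connections the firewall accepted.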

    JardaTesar
    New Member
    August 15, 2018

    Hi, I am kinda newbie too. I deployed my 61E about a month ago, but I found a few things that might be helpful. I am using Virtual IPs for connection to my servers, paired with Policies for each VIP group; these policies have Antivirus, Intrusion prevention, DNS filter, Web Application Firewall and SSL inspection enabled (and Anti spam profile for mail server), then these policies are set to Log security violations. This way I can see in Log & Report in each category (AV, Antispam, IPS, etc.) if I filter by Policy what attacks were caught by each security profile, so I can monitor attacks on basic vulnerabilities (like brute force, and so on) which were blocked, as well as Spam filtering for SMTP and caught viruses coming to my network from outside.

    If you wanted to monitor attacks pointed directly at Fortigate (like management ports, VPN, ...) you would have to enable the feature in Settings to show Local policies and set up these policies the same as those for VIPs to monitor the attacks.

    JNehru
    New Member
    August 15, 2018

    I use Kaspersky to save my data from hackers around the world. All of us know about the attack after the occurrence, so there is no way you can know before it.

    I also use ivacy vpn to hide my IP address from hackers. Ivacy vpn is offering advanced features like NAT Firewall and Dedicated IP which ensure complete security. For more info on how to save yourself online here is a blog https://www.sgsme.sg/reso...emselves-cyber-attacks

    fittan (Author)
    New Member
    August 21, 2018

    Tanr,

    I finally got it to display external traffic thanks to your suggestion about enabling "local-in-allow". After enabling this, I am able to view logs of outside sources (their IP, countries, etc.) trying to hit my outside IP and I can clearly see that they are "Deny". This is really counter-intuitive... meaning to see outside threats, I have to view "local traffic". Anyway, thanks to you, it was a great help.

    Mertozturk
    New Member
    January 17, 2022

    Hi Fittan,

    Can you help me with enabling Local-In-Allow?

    Thank you so much,

    Debbie_FTNT
    Staff & Editor
    January 17, 2022

    Hey Mertozturk,

    If you want to enable logging for local traffic:
    #config log setting
    #set local-in-allow enable
    #end
    This doc provides details on what CLI log settings there are; you might need to select the correct firmware version and then browse to 'CLI configuration commands > log > log setting':
    https://docs.fortinet.com/document/fortigate/6.2.9/cli-reference/443620/config-log-setting