Skip to main content
anjali
anjali
Explorer
July 5, 2022
Solved

Regarding Fortigate Events

  • July 5, 2022
  • 1 reply
  • 6085 views

Hi all,

Can anyone tell me the difference between traffic:forward and traffic:local in fortigate logs?

Also, what is utm:app-ctrl event?

Best answer by kcheng

Hi @anjali 

 

FortiGate traffic:forward log is referring to traffic that passes through FortiGate. Technically it refers to traffic generated or destined to hosts hosted behind the FortiGate. On the other hand, traffic:local is referring to traffic that is either self-generated by FortiGate, or traffic destined to FortiGate itself. For example, accessing GUI of FortiGate will be recorded as traffic:local.

 

Last but not least, utm:app-ctrl event means that it is an event that is generated due to Application Control profile. Depending on the configuration of the firewall policy, it can be a violation of users trying to access an application that has not been permitted. You may also refer to the following document that list the log types:

https://docs.fortinet.com/document/fortigate/6.2.3/fortios-log-message-reference/160372/list-of-log-types-and-subtypes

1 reply

kcheng
Staff & Editor
kchengAnswer
Staff & Editor
July 5, 2022

Hi @anjali 

 

FortiGate traffic:forward log is referring to traffic that passes through FortiGate. Technically it refers to traffic generated or destined to hosts hosted behind the FortiGate. On the other hand, traffic:local is referring to traffic that is either self-generated by FortiGate, or traffic destined to FortiGate itself. For example, accessing GUI of FortiGate will be recorded as traffic:local.

 

Last but not least, utm:app-ctrl event means that it is an event that is generated due to Application Control profile. Depending on the configuration of the firewall policy, it can be a violation of users trying to access an application that has not been permitted. You may also refer to the following document that list the log types:

https://docs.fortinet.com/document/fortigate/6.2.3/fortios-log-message-reference/160372/list-of-log-types-and-subtypes

    anjali
    anjaliAuthor
    Explorer
    July 5, 2022

    Hi kcheng,

    Thank you for the reply!!

    Is there any way to know which application is aasociated with utm-appctrl events.

    kcheng
    Staff & Editor
    kcheng
    Staff & Editor
    July 5, 2022

    Hi @anjali 

     

    Yes, you can view that in the Application Control profile page to check all the setting on the apps. If you are looking purely at the UTM logs, you should be able to find the application name in the log. For example, the following logs indicate that the connection is blocked due to Facebook being detected as the application (which was configured as blocked in the application control profile):

    date=2022-07-05 time=16:54:16 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" eventtime=1657011256098547357 tz="+0800" appid=15832 srcip=x.x.x.x dstip=179.60.194.35 srcport=55923 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="SSL" direction="outgoing" policyid=1 sessionid=67984 applist="default" action="block" appcat="Social.Media" app="Facebook" hostname="facebook.com" incidentserialno=1894810992 url="/" msg="Social.Media: Facebook," apprisk="medium"

     

      Terms & ConditionsAccessibility statement