Skip to main content
mhdganji
mhdganji
Explorer III
June 10, 2022
Solved

View fortigate AV and IPS logs

  • June 10, 2022
  • 6 replies
  • 30828 views

Hi,

What I'm simply looking for is to see logs (detailed and meaningful logs) about Fortigate viruses and attacks detected by rules where IPS and AV are enabled in security profile. For now, with logs on memory (via live GUI or console CLI not using any solution like Fortianalyzer).

With logging enabled on an Internet-facing firewall, I expect to see a lot of IPS logs pointing to a specific attack. Also, I expect to see files being blocked by AV engine (A simple test including downloading a sample virus file from Internet will suffice)

 

At the time being, I cannot see any logs in GUI except rules logs. Should I configure any additional settings on logs? use 3rd party and remote logging? enable SSL inspection with custom settings for both outgoing and incoming traffic? or ......

 

Regards,

 

Best answer by sjoshi

Hi mhdganji,

 

Thank you for posting to the Fortinet Community Forum.

 

From you problem description you are not able to see the relevant AV & IPS logs in the FGT GUI.

 

You can go to Log & Reports> Antivirus
Similarly, for IPS Log & Reports> Intrusion Prevention
There you can find the AV & IPS logs

 

Also it is recommended to do the following changes.

 

config antivirus profile
edit <av_profilename>
set extended-log enable
set av-virus-log en
set av-block-log en

 

config ips sensor
edit <ips_name>
set extended-log enable

 

Also whenever you are selecting filter/signatures in IPS entries make sure to enable packet logging.
Post the following changes you should be able to get the relevant logs
Also if you used deep inspection in the policy then the signature has higher chances of catching the virus because with deep inspection the whole payload scanning will be done.

Let us know if this helps.

Thanks

6 replies

vponmuniraj
Staff
vponmuniraj
Staff
June 11, 2022

Hi, 

 

Are you able to simulate / test with any tool & check if logs are visible? 

 

Depending on the services being accessed you might need a deep inspection SSL profile to catch the attacks. 

 

 

Regards,

    Rathan_FTNT
    Staff
    Rathan_FTNT
    Staff
    June 11, 2022

    Hello,


    If you require a sample, or safe virus to test your FortiGate configuration, visit the URL below to obtain an EICAR (European Institute for Computer Antivirus Research) test file.

    http://www.eicar.org/anti_virus_test_file.htm
    download the sample file in test PC and as per design the fortigate should block the virus

    1> Set log severity to information
    <if its memory logging >
    #config log memory fileter
    #set severity information
    end

    2> You have to enable log all sessions in the policy

    3> you can geneterate a test log by executing the below command
    #diag log test

     

      sjoshi
      Staff
      sjoshiAnswer
      Staff
      June 11, 2022

      Hi mhdganji,

       

      Thank you for posting to the Fortinet Community Forum.

       

      From you problem description you are not able to see the relevant AV & IPS logs in the FGT GUI.

       

      You can go to Log & Reports> Antivirus
      Similarly, for IPS Log & Reports> Intrusion Prevention
      There you can find the AV & IPS logs

       

      Also it is recommended to do the following changes.

       

      config antivirus profile
      edit <av_profilename>
      set extended-log enable
      set av-virus-log en
      set av-block-log en

       

      config ips sensor
      edit <ips_name>
      set extended-log enable

       

      Also whenever you are selecting filter/signatures in IPS entries make sure to enable packet logging.
      Post the following changes you should be able to get the relevant logs
      Also if you used deep inspection in the policy then the signature has higher chances of catching the virus because with deep inspection the whole payload scanning will be done.

      Let us know if this helps.

      Thanks

      Thanks, Salon
        A
        Anonymous_User
        Contributor
        June 13, 2022

        Hi there,

        Please run command:
        Diag log test

         

        To see if you can see any dummy logs there.
        If not, please run below config:

        config log memory filter

        set severity information

        end

         

        and run the diag log test again.

          mhdganji
          mhdganjiAuthor
          Explorer III
          June 13, 2022

          Thanks so much to all. I will test these and at the very first, I should setup SSL inspection for outgoing traffic on my device. I will post the results in a few days.

          mhdganji
          mhdganjiAuthor
          Explorer III
          June 24, 2022

          I set up SSL deep inspection and now am able to find the viruses in https links too, but, while testing this with TekDefense.com (http://www.tekdefense.com/downloads/malware-samples/)

          some files are recognized nut some not. For instance:

           

          This one is recognized and blocked

          http://www.tekdefense.com/downloads/malware-samples/malz4.zip

           

          but these are downloaded and not blocked

          http://www.tekdefense.com/downloads/malware-samples/malz5.zip

          http://www.tekdefense.com/downloads/malware-samples/yitaly.exe.zip

           

          I'm using the firewall in proxy mode (provides Internet to users via web proxy) and the mail policy rule to provide internet is proxy based.

           

          Would you please give me hints what is the root cause? size of file? types of viruses? type of files or?

           

          Regards,

           

          Terms & ConditionsAccessibility statement