Author: pragyasharma (Staff)
Article Id 223347

Description

This article describes how to configure FortiGate and FortiAnalyzer so that IP addresses are resolved to hostnames in FortiView, Log View, and Reports.

On FortiGate, the 'Source IP Hostname' column is visible under the 'FortiView' section. On FortiAnalyzer, however, the same information is shown only as IP addresses. To make hostnames visible on the FortiAnalyzer side as well, make sure the following configuration is in place on both FortiGate and FortiAnalyzer.

Scope

FortiGate, FortiAnalyzer.


Solution

  1. Configure DNS in the Network section.

  • Destination IP addresses can only be resolved to hostnames through DNS servers, so make sure DNS is configured in the Network section.
  • If the option is enabled in the GUI (Log Settings section), IP addresses will be resolved to hostnames:

[Screenshot: Log Settings section in the GUI]

  • If the CLI command below is used, IP addresses will be resolved to hostnames:

config log gui-display
    set resolve-hosts enable | disable
end

This must not be confused with the following command, which is a different option on FortiGate:

config log setting
    set resolve-ip enable | disable
end

This can be verified by enabling 'resolve-ip' in the CLI while Resolve Hostname is disabled in the GUI, and then checking whether the GUI option becomes enabled as well.

For example:

[Screenshot: Resolve Hostname option disabled in the GUI]

As seen in the CLI, 'resolve-ip' under 'config log setting' is enabled even though Resolve Hostname is disabled in the GUI:

[CLI output: config log setting, resolve-ip enabled]

But the following is disabled, matching the GUI setting:

[CLI output: config log gui-display, resolve-hosts disabled]

  2. Enable hostname resolution in the FortiAnalyzer CLI.

  • Once connected to FortiAnalyzer, in Log View add the 'Destination Name' column and reorder the columns to start analyzing the logs. If the destination name is still not shown, use the following CLI commands to enable the setting:

config system log settings
    set dns-resolve-dstip enable
end

  • Note that SOC/FortiView has its own setting that controls whether destination IP addresses are resolved; it uses the FortiAnalyzer side system DNS servers to resolve both source and destination addresses. Enable hostname resolution in the CLI:

config system fortiview setting
    set resolve-ip enable
end

  3. Enable 'Resolve Hostname' to get the same results in Reports. To get the same information as in FortiView, enable the setting that resolves both source and destination; it is only available in the GUI and is set per report:

[Screenshot: per-report setting to resolve source and destination hostnames]

Troubleshooting

On every database rebuild, FortiAnalyzer will flood the DNS servers with resolution requests. The commands below can help to troubleshoot the issue.

On FortiAnalyzer:

get system dns
diagnose debug enable
diagnose debug application dns 255

Check the DNS resolution flow with the following command:

diagnose debug sniffer any "port 53" 3 0

On FortiGate:

execute ping www.google.com
execute traceroute www.google.com

  • Both should return the primary IP address for the given domain.
  • It is assumed that the FortiGate unit has a valid private or public DNS server configured.
  • If a public DNS server such as FortiGuard DNS is used, private (internal) hostnames will not be resolved.
  • If resolution does not work, refer to the related KB article below.
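As an added illustration (example code written for this page, not Fortinet's code and not part of the article) of what the resolve-hostname options do and why a database rebuild generates DNS load, the Python below parses constructed FortiGate-style key=value traffic log lines, reverse-resolves srcip and dstip through a constructed PTR table with a lookup cache, and leaves a field as the bare IP when the resolver cannot answer, which is the symptom described above for private hosts queried through a public DNS server. The log lines, the PTR table, and the names parse_log, Resolver, enrich and unresolved_ips are all assumptions made for the example.

```python
import re
import socket

# Constructed sample lines in FortiGate key=value traffic-log format (not captured traffic).
SAMPLE_LOGS = [
    'date=2022-09-09 time=10:01:02 type="traffic" subtype="forward" srcip=10.10.10.25 dstip=203.0.113.10 dstport=443 action="accept"',
    'date=2022-09-09 time=10:01:05 type="traffic" subtype="forward" srcip=10.10.10.25 dstip=10.10.20.5 dstport=445 action="accept"',
    'date=2022-09-09 time=10:01:09 type="traffic" subtype="forward" srcip=10.10.10.31 dstip=203.0.113.10 dstport=443 action="deny"',
]

# Constructed PTR table standing in for what the configured DNS server can answer.
# 10.10.20.5 is deliberately missing: an internal host that a public resolver
# (for example FortiGuard DNS) knows nothing about.
PTR_TABLE = {
    "203.0.113.10": "web.example.com",
    "10.10.10.25": "ws-finance-01.corp.local",
    "10.10.10.31": "ws-finance-07.corp.local",
}

# key=value pairs; values are either double-quoted or a bare non-space token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


class Resolver:
    """Reverse resolver with a cache: each distinct IP costs one lookup, which is
    the same reason a full log database rebuild issues a burst of DNS queries."""

    def __init__(self, ptr_table, live_dns=False):
        self.ptr_table = ptr_table   # assumed offline stand-in for the DNS server
        self.live_dns = live_dns     # set True to fall back to the system resolver
        self.cache = {}
        self.lookups = 0

    def resolve(self, ip):
        """Return the hostname for ip, or None if it cannot be resolved."""
        if ip in self.cache:
            return self.cache[ip]
        self.lookups += 1
        name = self.ptr_table.get(ip)
        if name is None and self.live_dns:
            try:
                name = socket.gethostbyaddr(ip)[0]
            except OSError:          # covers socket.herror / socket.gaierror
                name = None
        self.cache[ip] = name
        return name


def enrich(lines, resolver):
    """Parse each line and add srcname/dstname; an unresolvable IP stays an IP,
    which is exactly how an unresolved entry shows up in Log View."""
    records = []
    for line in lines:
        rec = parse_log(line)
        for side in ("src", "dst"):
            ip = rec.get(side + "ip")
            if ip:
                rec[side + "name"] = resolver.resolve(ip) or ip
        records.append(rec)
    return records


def unresolved_ips(records):
    """Sorted list of IPs whose name field is still the IP: the addresses to
    check against the DNS server actually configured on the analyzer."""
    return sorted({rec[s + "ip"] for rec in records for s in ("src", "dst")
                   if s + "ip" in rec and rec[s + "name"] == rec[s + "ip"]})


if __name__ == "__main__":
    resolver = Resolver(PTR_TABLE)
    records = enrich(SAMPLE_LOGS, resolver)
    for rec in records:
        print(f'{rec["srcip"]} ({rec["srcname"]}) -> {rec["dstip"]} ({rec["dstname"]}) {rec["action"]}')
    print("DNS lookups issued:", resolver.lookups)
    print("still unresolved:", unresolved_ips(records))
```

Running it shows six address fields resolved with only four lookups thanks to the cache, and 10.10.20.5 reported as unresolved; swapping the constructed table for a resolver that knows the internal zone (or pointing the analyzer at an internal DNS server, as the bullets above suggest) is what makes that last name appear.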

 

Related articles:

Technical Note: FortiGate Troubleshooting DNS commands.

Technical Note: Hostname and Destination name in traffic and UTM logs in FortiOS