Description
This article describes how to add internal hostname values on forward traffic logs.
Scope
All versions of FortiGate.
Solution
This article uses the following example infrastructure:
The 'Device identification' feature on INETFW is not an option in this situation because it is based on MAC addresses: INETFW only sees the MAC address of ISFW, not the MAC addresses of the devices behind it.
The forward traffic logs do not contain the hostname field by default.
Source hostname and destination hostname will be available only if 'resolve-ip' is enabled under 'config log setting'.
# config log setting
set resolve-ip enable
end
The hostname is obtained through a reverse DNS (PTR) lookup of the source or destination IP address.
Scenario 1 - FortiGate as DNS server.
Enable the DNS server on the internal interface of INETFW (port2 in this example):
# config system dns-server
edit "port2"
set mode recursive
next
end
The following is the DNS server database configuration on INETFW. For each IP address to be reverse-resolved, create an IPv4 PTR entry:
# config system dns-database
edit "jfelix.fortinet"
set domain "jfelix.fortinet"
set authoritative disable
set forwarder "10.191.84.151"
config dns-entry
edit 1
set type PTR
set hostname "isfw"
set ip 10.200.0.2
next
end
next
end
On the Forward Traffic log page, the table can be configured to add a column called 'Source Host Name'.
Scenario 2 - Windows as DNS server.
If it is a Windows environment, FortiGate can perform the reverse lookup via the Windows DNS server.
Note that the reverse lookup zone needs to be created, as well as the necessary pointers (IP -> HOSTNAME).
The FortiGate system DNS should point to the internal servers.
It is possible to configure up to four DNS servers (primary, secondary, alt-primary (CLI), and alt-secondary (CLI)).
Ensure that the protocol used is the one configured on internal DNS servers (UDP/53, TCP/853, or TCP/443).
# config system dns
set primary 96.45.45.45
set secondary 96.45.46.46
set alt-primary <DNS-Server_1>
set alt-secondary <DNS-Server_2>
set protocol <cleartext | dot | doh>
end
On the CLI, it is possible to validate the DNS cache for the process responsible for logging ('miglogd'):
# diagnose test application miglogd 27 <daemon_index>
Restarting the logging daemon will clear the DNS cache:
# fnsysctl killall miglogd
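The following Python script is an added example, not part of this article or of FortiOS. It reproduces offline what 'resolve-ip' makes miglogd do for both scenarios: for each forward traffic log line it derives the in-addr.arpa name a PTR query asks for (the record you create in the dns-database or in the Windows reverse lookup zone), resolves it against a constructed reverse zone that mirrors the article's 'isfw' / 10.200.0.2 entry, caches the answer the way miglogd does, and attaches the result to the parsed line. The log lines, the 'pc-alice' entry, the ReverseResolver class and the output keys srchost/dsthost are all constructed for this example and are not FortiOS names.

```python
"""Enrich FortiGate forward-traffic log lines with reverse-DNS hostnames.

Stand-in for what 'set resolve-ip enable' makes miglogd do: look up a PTR
record for the source and destination IP of each log line and attach the
result. The reverse zone is an in-memory dictionary so the script runs
offline; replace ReverseResolver.lookup with a real resolver (for example
socket.gethostbyaddr) to query the FortiGate or Windows DNS server.
"""
import ipaddress
import re
from typing import Dict, Optional

# Constructed reverse zone. The first entry mirrors the article's
# dns-database PTR record (hostname "isfw", ip 10.200.0.2, domain
# jfelix.fortinet); the second is invented for this example.
PTR_ZONE: Dict[str, str] = {
    "2.0.200.10.in-addr.arpa": "isfw.jfelix.fortinet",
    "10.0.200.10.in-addr.arpa": "pc-alice.jfelix.fortinet",
}

# Constructed forward-traffic log lines in FortiGate key=value syntax.
SAMPLE_LOGS = [
    'date=2024-05-01 time=09:15:02 type="traffic" subtype="forward" '
    'srcip=10.200.0.10 dstip=96.45.45.45 srcintf="port2" dstintf="port1" action="accept"',
    'date=2024-05-01 time=09:15:03 type="traffic" subtype="forward" '
    'srcip=10.200.0.2 dstip=10.200.0.99 srcintf="port2" dstintf="port2" action="deny"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line: str) -> Dict[str, str]:
    """Split a key=value log line; quoted values may contain spaces."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in KV_RE.finditer(line)
    }


def reverse_name(ip: str) -> str:
    """Name a PTR query asks for: 10.200.0.2 -> 2.0.200.10.in-addr.arpa.

    This is the record that must exist in the FortiGate dns-database or in
    the Windows reverse lookup zone. Raises ValueError for a malformed address.
    """
    return ipaddress.ip_address(ip).reverse_pointer


class ReverseResolver:
    """PTR lookups with a cache, modelled on the miglogd DNS cache (assumption)."""

    def __init__(self, zone: Dict[str, str]):
        self.zone = zone
        self.cache: Dict[str, Optional[str]] = {}
        self.queries = 0  # lookups that actually went to the zone

    def lookup(self, ip: str) -> Optional[str]:
        if ip in self.cache:
            return self.cache[ip]
        try:
            name = reverse_name(ip)
        except ValueError:
            return None  # not an IP address at all; do not cache it
        self.queries += 1
        host = self.zone.get(name)  # None when no PTR record exists
        self.cache[ip] = host  # negative answers are cached as well
        return host

    def clear(self) -> None:
        """Equivalent of restarting miglogd: forget every cached answer."""
        self.cache.clear()


def add_hostnames(line: str, resolver: ReverseResolver) -> Dict[str, str]:
    """Return the parsed line plus srchost/dsthost where a PTR record exists.

    The keys srchost/dsthost are chosen for this example; they are not
    FortiOS log field names.
    """
    fields = parse_log(line)
    for ip_key, host_key in (("srcip", "srchost"), ("dstip", "dsthost")):
        ip = fields.get(ip_key)
        host = resolver.lookup(ip) if ip else None
        if host is not None:
            fields[host_key] = host
    return fields


if __name__ == "__main__":
    resolver = ReverseResolver(PTR_ZONE)
    for raw in SAMPLE_LOGS:
        enriched = add_hostnames(raw, resolver)
        print(enriched.get("srcip"), "->", enriched.get("srchost", "<no PTR>"),
              "|", enriched.get("dstip"), "->", enriched.get("dsthost", "<no PTR>"))
    print("zone queries:", resolver.queries, "cached answers:", len(resolver.cache))
```

Two behaviours are worth noticing when troubleshooting the real feature: an address with no PTR record simply produces no hostname column (the log line itself is unchanged), and a result, including a negative one, stays cached until the resolver is cleared, which is why the article restarts miglogd after changing DNS records.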
Note:
From FortiOS v7.4 this column is called 'Host Name'.
Copyright 2024 Fortinet, Inc. All Rights Reserved.