FortiGate
jfelix09
Staff
Article Id 240743

Description

 

This article describes how to show internal hostnames, resolved from the source and destination IP addresses, in the forward traffic logs.

 

Scope

 

All versions of FortiGate.

 

Solution

 

This article uses the following example of infrastructure:

 

[Topology screenshot: internal hosts behind ISFW (10.200.0.2), ISFW connected to INETFW port2]

 

The 'Device identification' feature on INETFW is not an option in this situation: it works on MAC addresses, and because the internal hosts sit behind ISFW, every frame reaching INETFW carries the MAC address of ISFW. INETFW would therefore identify only ISFW, never the hosts behind it.

The forward traffic logs do not contain a hostname field by default.

Source hostname and destination hostname are only populated when 'resolve-ip' is enabled under 'config log setting':

 

# config log setting

set resolve-ip enable

end

 

The hostnames are obtained through reverse DNS (PTR) lookups of the source and destination IP addresses, sent to the DNS servers configured on the FortiGate. An IP address with no PTR record keeps showing as a bare address in the log, so the PTR records have to exist on whatever DNS server the FortiGate queries; the two scenarios below show where to create them.

 

Scenario 1 - FortiGate as DNS server

 

Enable the DNS server on the internal INETFW interface (port2 in this example):

 

# config system dns-server

    edit "port2"

        set mode recursive

    next

end

 

The following is the DNS server database configuration on INETFW. Create one IPv4 PTR entry per address that should be resolved; queries for names not in the database are forwarded to the forwarder address because the zone is not authoritative.

 

# config system dns-database

    edit "jfelix.fortinet"

        set domain "jfelix.fortinet"

        set authoritative disable

        set forwarder "10.191.84.151"

        config dns-entry

            edit 1

                set type PTR

                set hostname "isfw"

                set ip 10.200.0.2

            next

        end

    next

end

 

[Screenshots: DNS service on port2 and the DNS database with the PTR entry, as shown in the GUI]

 

In the forward traffic log view, it is then possible to configure the table and add a column called 'Source Host Name', which shows the name returned by the PTR lookup.

 

[Screenshots: adding the 'Source Host Name' column to the forward traffic log table, and the resulting log entries]

 

Scenario 2 - Windows as DNS server

 

In a Windows environment, the FortiGate can perform the reverse lookup against the Windows DNS server instead.

Note that the reverse lookup zone (in-addr.arpa) needs to be created on the Windows DNS server, together with the necessary pointer records (IP -> HOSTNAME), for every subnet whose hosts should appear by name.

 

[Screenshot: reverse lookup zone with PTR records in the Windows DNS console]

 

The FortiGate system DNS must include the internal servers that hold the reverse lookup zone; a public DNS server cannot answer PTR queries for private addresses.

It is possible to configure up to four DNS servers: primary, secondary, alt-primary (CLI only), and alt-secondary (CLI only).

Ensure that the DNS protocol matches what the internal DNS servers accept: 'cleartext' (UDP/53), 'dot' (DNS over TLS, TCP/853), or 'doh' (DNS over HTTPS, TCP/443). A Windows DNS server normally listens on UDP/53 only.

 

# config system dns

    set primary 96.45.45.45

    set secondary 96.45.46.46

    set alt-primary <DNS-Server_1>

    set alt-secondary <DNS-Server_2>

    set protocol <cleartext | dot | doh>

end

In this example the internal DNS servers are entered as alt-primary and alt-secondary; replace the placeholders in angle brackets with their addresses.

 

[Screenshot: System DNS settings in the GUI]
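The script below is an added example and is not part of this article or of FortiOS. It covers the DNS-side prerequisite shared by Scenario 1 and Scenario 2: before 'resolve-ip' is enabled, every internal address that should appear by name must have a PTR record on the DNS server the FortiGate queries. The script renders the 'config system dns-database' PTR entries from a host inventory in the exact format used in Scenario 1, and checks each inventory address for a PTR answer, reporting hosts whose PTR is missing (these keep showing as bare IP addresses in the log) or resolves to an unexpected name, together with the in-addr.arpa name that has to be created. The domain 'jfelix.fortinet', the forwarder 10.191.84.151 and the isfw entry come from the article; the other inventory hosts and all function names are assumptions made for this example.

```python
"""Pre-flight check for FortiGate 'set resolve-ip enable' (added example).

1. render_fortios_ptr_database(): FortiOS 'config system dns-database' with one
   IPv4 PTR entry per inventory host (Scenario 1 of the article).
2. check_ptr_records(): verify each inventory IP actually returns a matching PTR
   from the DNS server in use (Scenario 1 or 2); hosts listed as 'missing' will
   still show up as plain IP addresses in the forward traffic log.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed inventory: IP -> hostname expected in the 'Source Host Name' column.
# Only 10.200.0.2 / isfw is from the article; the other hosts are hypothetical.
INVENTORY: Dict[str, str] = {
    "10.200.0.2": "isfw",
    "10.200.0.10": "pc-finance-01",
    "10.200.0.11": "pc-finance-02",
}


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa (or ip6.arpa) owner name a PTR query asks for."""
    return ipaddress.ip_address(ip).reverse_pointer


def render_fortios_ptr_database(domain: str, forwarder: str,
                                inventory: Dict[str, str]) -> str:
    """Render the FortiOS CLI block from Scenario 1, one PTR entry per host.

    Entry IDs count from 1 in inventory order. The zone is non-authoritative so
    names not in the database are forwarded to 'forwarder', as in the article.
    """
    lines = [
        "config system dns-database",
        f'    edit "{domain}"',
        f'        set domain "{domain}"',
        "        set authoritative disable",
        f'        set forwarder "{forwarder}"',
        "        config dns-entry",
    ]
    for entry_id, (ip, hostname) in enumerate(inventory.items(), start=1):
        if ipaddress.ip_address(ip).version != 4:  # also rejects malformed input
            raise ValueError(f"{ip}: 'set ip' takes an IPv4 address")
        lines += [
            f"            edit {entry_id}",
            "                set type PTR",
            f'                set hostname "{hostname}"',
            f"                set ip {ip}",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines) + "\n"


def system_resolver(ip: str) -> Optional[str]:
    """PTR lookup through the resolver of the machine running this script."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None  # NXDOMAIN / no PTR / server unreachable


def _matches(expected: str, resolved: str) -> bool:
    """A short name ('isfw') matches 'isfw.jfelix.fortinet'; an FQDN must match
    exactly. DNS names are compared case-insensitively, trailing dot ignored."""
    exp = expected.lower().rstrip(".")
    res = resolved.lower().rstrip(".")
    if "." in exp:
        return exp == res
    return res.split(".")[0] == exp


def check_ptr_records(inventory: Dict[str, str],
                      resolve: Callable[[str], Optional[str]] = system_resolver
                      ) -> Dict[str, List[str]]:
    """Classify every inventory IP as ok, missing (no PTR) or mismatch.

    'resolve' is injectable so the check can run against recorded answers or a
    resolver bound to a specific server instead of the host's default resolver.
    Missing entries carry the in-addr.arpa name the admin has to create.
    """
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatch": []}
    for ip, expected in inventory.items():
        answer = resolve(ip)
        if answer is None:
            report["missing"].append(f"{ip} ({reverse_name(ip)})")
        elif _matches(expected, answer):
            report["ok"].append(ip)
        else:
            report["mismatch"].append(f"{ip}: expected {expected}, got {answer}")
    return report


if __name__ == "__main__":
    print(render_fortios_ptr_database("jfelix.fortinet", "10.191.84.151", INVENTORY))
    for status, items in check_ptr_records(INVENTORY).items():
        print(f"{status}: {items}")
```

Run the check from a host whose resolver points at the same DNS server the FortiGate is configured with (the Windows server in Scenario 2, or the FortiGate's own DNS service in Scenario 1); otherwise pass a 'resolve' callable that queries that server directly. Anything reported as 'missing' is a PTR record still to be created, and anything under 'mismatch' is a stale pointer that would put the wrong name in the log.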

 

On the CLI, it is possible to inspect the DNS cache kept by the process responsible for logging ('miglogd'), which is useful when a name is resolvable but the log still shows the old or missing value:

 

# diagnose test application miglogd 27 <daemon_index>

 

[Screenshot: output of the miglogd DNS cache diagnostic]

 

Restarting the logging daemon clears the DNS cache (the daemon is started again automatically after being killed):

 

# fnsysctl killall miglogd

 

Note:

From v7.4, this column is called 'Host Name'.

 

Related articles:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-show-hostname-in-forward-traffic-lo...

https://community.fortinet.com/t5/FortiGate/Technical-Note-Hostname-and-Destination-name-in-traffic-...