FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dbabic
Staff
Staff

Description

 

A FortiGate is able to display by both the GUI and via CLI.  This article explains how to display logs through CLI.


Solution

 

To display log records use command:
 
#execute log display
But it would be better to define a filter giving the logs you need and that the command above should return.
 
Set different types of log filter options, the number of results and from what point in the collected logs it is to start displaying.
 
First steps might be to check current filter settings, or reset/clear those:
 
#execute log filter reset
#execute log filter dump               <--- to show settings, example output bellow
category: traffic
device: disk
start-line: 1
view-lines: 10
max-checklines: 0
HA member:
log search mode: on-demand
pre-fetch-pages: 2
Oftp search string:
 
Next step is to set source of the logs:
 
#execute log filter device
Since FortiOS 6.2 those available devices contain following extended set:
(which is same for FortiOS versions 6.2 / 6.4 and 7.0 )
 
Example output (can be different if disk logging is available):
Available devices:
 
0: memory
1: disk
2: fortianalyzer
3: fortianalyzer-cloud              <--- added with FortiAnalyzer-cloud introduction
4: forticloud                       <--- moved one position down
 
Until FortiOS 6.2 listing was:
 
Example output (can be different if disk logging is available):
Available devices:
 
0: memory
1: disk
2: fortianalyzer
3: forticloud
 
#execute log filter device 0                                        <--- this will display logs from memory

 

Next step is to choose category of logs to display:
 
#execute log filter category
Available categories in FortiOS 7.0:

 .. are the same as in FortiOS 6.2 (listed bellow), but adds following new categories:
20: utm-icap
p
22: utm-sctp-filter
.. complete listing is:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
22: utm-sctp-filter
Available categories in FortiOS 6.4:
 
 .. are the same as in FortiOS 6.2 (listed bellow), but adds following new category:
20: utm-icap
.. complete listing is:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
18: utm-cifs
19: utm-file-filter
20: utm-icap
Available categories in FortiOS 6.2:

 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
18: utm-cifs
19: utm-file-filter
Available categories in FortiOS 6.0:

 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns
16: utm-ssh
Available categories in FortiOS 5.6:

 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns
Available categories in FortiOS 5.4:

 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
 
The default log filter configuration looks like below.
 
Note.
The following outputs might look different on different FortiGate models depending on the hardware/VM, or w/o internal disk storage:
 

FortiOS 7.0:

 

# show  full-configuration  log  memory  filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set gtp enable
end

FortiOS 6.4:

 

# show  full-configuration  log  memory  filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set gtp enable
    set filter ''
    set filter-type include
end
FortiOS 6.2:
 
# show  full-configuration  log  memory  filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set ssl enable
    set cifs enable
    set filter ''
    set filter-type include
end

FortiOS 6.0:

 

# show  full-configuration  log  memory  filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set filter ''
    set filter-type include
end

FortiOS 5.6:

 

# show  full-configuration  log  memory  filter
config log memory filter
    set severity warning
    set forward-traffic enable
    set local-traffic disable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set filter ''
    set filter-type include
end

FortiOS 5.4:
The log filter a FortiGate has the following options:

 

# show  full-configuration  log  memory  filter
config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set filter ''
    set filter-type include
end

 

For example, by using the following log filters FortiGate will display all utm-webfilter logs with the destination ip address 40.85.78.63:

 

# execute log filter category 3       
# execute log filter field dstip 40.85.78.63
# execute log display

1 logs found.
1 logs returned.

1: date=2019-09-14 time=14:52:36 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1568465556531146383 tz="+0200" policyid=1 sessionid=3190297 srcip=172.16.190.216 srcport=10806 srcintf="port3" srcintfrole="undefined" dstip=40.85.78.63 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="wdcp.microsoft.com" profile="monitor-all" action="passthrough" reqtype="direct" url="/" sentbyte=197 rcvdbyte=3787 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"

Alternatively, by using the following log filters FortiGate will display all utm-webfilter logs with destination ip address 40.85.78.63 that are not from September 13, 2019:

 

# execute log filter free-style "(date 2019-09-13 not) and (dstip 40.85.78.63)"
1: date=2019-09-14 time=14:52:36 logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1568465556531146383 tz="+0200" policyid=1 sessionid=3190297 srcip=172.16.190.216 srcport=10806 srcintf="port3" srcintfrole="undefined" dstip=40.85.78.63 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTPS" hostname="wdcp.microsoft.com" profile="monitor-all" action="passthrough" reqtype="direct" url="/" sentbyte=197 rcvdbyte=3787 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"

Other examples of using the free-style log filter:

 

# execute log filter free-style "srcip 172.16.1.1"
# execute log filter free-style "(srcip 172.16.1.1) or (dstip 172.16.1.2)"
# execute log filter free-style "(srcip 172.16.1.1) and (dstip 172.16.1.2)"
# execute log filter free-style "((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60)"

Also, it is possible to configure the following log filter commands:

 

# execute log  filter
category          Category.
device            Device to get log from.
dump              Dump current filter settings.
field             Filter by field. Specify from 1to 5 values value1 [value2 ... value5] [not]
Use not to reverse the condition.
Each value can be an individual value or a value range.
For value range, "-" is used to separate two values.
For example, 2013/06/13-2013/06/14 is for a date range from Jun 13, 2013 to Jun 14, 2013
free-style        Filter by free-style expression.
ha-member         HA member.
max-checklines    Maximum number of lines to check (maximum number of log entries that will be checked, 0 means all will be checked)
reset             Reset filter.
start-line        Start line to display (the log entry to start displaying from; so if set to 10, the 10th entry onward will be displayed)
view-lines        Lines per view (the number of log entries that will be displayed, default 10)

Also, it is possible to work with the logs - roll, backup, delete local logs, list log details like occupied space/date/time of the log and more:

 

# execute log
backup               Backup.
delete               Delete local logs of one category.
delete-all           Delete all local logs.
detail               Display UTM log entries for a particular traffic log.
display              Display filtered log entries.
filter               Set filters we discused here.
flush-cache          Write disk log cache of current category to disk in compressed format.
flush-cache-all      Write disk log cache of all categories to disk in compressed format.
fortianalyzer        FortiAnalyzer.
fortianalyzer-cloud  FortiAnalyzer-cloud.
fortiguard           FortiGuard.
list                 List current and rolled log files info.
raw-backup           Raw-backup.
roll                 Roll log files now.


Related KB articles: