FortiGate
serge_FTNT
Staff
Article Id 194606

Description

 

This article describes how to perform a syslog/log test and check the resulting log entries.

 

Scope

 

FortiGate.

 

Solution

 

It is possible to perform a log entry test from the FortiGate CLI using the 'diag log test' command. This creates various test log entries on the unit's hard drive, on a configured Syslog server, on a FortiAnalyzer device, on a WebTrends device, or on the unit's System Dashboard (System -> Status).

 

Example of output (output may vary depending on the FortiOS version):

 

fgt200a # diag log test

generating an allowed traffic message with level - warning
generating a system event message with level - warning
generating a HA event message with level - warning
generating a infected virus message with level - warning
generating a blocked virus message with level - warning
generating an attack detection message with level - warning
generating a blacklist email message with level - warning
generating a URL block message with level - warning

 

The following is a list of the various test log entry categories (output may vary depending on the FortiOS version).

Sample output is shown below for the traffic, event, utm-webfilter and dns categories.

 

FGT # execute log filter category
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: anomaly
 8: voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: dns

 

Traffic (output from FortiOS 5.6.5).

 

FGTv5.6.5 # execute log filter category traffic

FGTv5.6.5 # execute log display

11: date=2018-07-26 time=16:51:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1532616695 srcip=7.1.1.1 srcport=10016 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" sessionid=10006 proto=6 action="accept" policyid=1 policytype="policy" service="tcp/20" dstcountry="France" srccountry="United States" trandisp="noop" appid=35421 app="Dropbox_File.Download" appcat="Storage.Backup" apprisk="medium" applist="default" duration=10 sentbyte=2000 rcvdbyte=1000 sentpkt=0 rcvdpkt=0 utmaction="allow" countapp=1 devtype="iPad" osname="Apple" osversion="ver" mastersrcmac="07:01:01:01:01:01" srcmac="07:01:01:01:01:01" srcserver=0 dstdevtype="Android Phone" dstosname="Android" dstosversion="ver" masterdstmac="02:02:02:02:02:02" dstmac="02:02:02:02:02:02" dstserver=0 utmref=65491-194

 

Event.

 

FGTv5.4 (SOUTH-WEB) # execute log filter category 1
FGTv5.4 (SOUTH-WEB) # execute log display
200 logs found.
10 logs returned

1: date=2018-07-26 time=17:24:25 logid=0107045056 type=event subtype=endpoint level=notice vd=SOUTH-WEB logdesc="FortiClient license limit reached" action=add status=error license_limit=10 reason="License Number Exceeded" repeat=1 msg="FortiClient license maximum has been reached."

2: date=2018-07-26 time=17:24:24 logid=0102043020 type=event subtype=user level=notice vd=SOUTH-WEB logdesc="FortiGuard override successful" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=success reason="reason" scope=user expiry="Sun Jan 11 02:00:00 1970" oldwprof="old_profile" profile="new_profile" msg="User user added webfilter override entry scope_data from 1.1.1.1"

3: date=2018-07-26 time=17:24:24 logid=0102043018 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override failed" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="User user failed authentication when creating a FortiGuard Web Filtering override from 1.1.1.1"

4: date=2018-07-26 time=17:24:24 logid=0102043019 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override table full" srcip=1.1.1.1 dstip=2.2.2.2 initiator=N/A status=failure reason="reason" msg="FortiGuard Web Filtering override table is full"

 

Web Filter (output from FortiOS 5.6.5).

 

FGT # execute log filter category 3
FGT # execute log display
4 logs found.
4 logs returned.


1: date=2018-07-26 time=17:25:59 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

2: date=2018-07-26 time=17:25:57 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532618757 policyid=1 sessionid=20000 user="user" group="group" srcip=1.1.1.1 srcport=20000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.xyz.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"

3: date=2018-07-26 time=16:51:36 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=30000 user="user" group="group" srcip=1.1.1.1 srcport=30000 srcintf="FEXT40D" srcintfrole="undefined" dstip=2.2.2.2 dstport=20 dstintf="dmz1" dstintfrole="dmz" proto=6 service="HTTP" hostname="www.abcd.com" action="blocked" reqtype="direct" url="/ww.abcd.com" sentbyte=0 rcvdbyte=0 direction="N/A" msg="URL belongs to a denied category in policy" method="ip" cat=26 catdesc="Malicious Websites" crscore=60 crlevel="high"

DNS:

 

FGT # execute log filter category dns

FGT # execute log display
2 logs found.
2 logs returned.

1: date=2018-07-26 time=17:25:59 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532618758 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0

2: date=2018-07-26 time=16:51:36 logid="1501054400" type="dns" subtype="dns-response" level="warning" vd="root" eventtime=1532616697 policyid=1 sessionid=0 srcport=0 srcintf=unknown-0 srcintfrole="undefined" dstport=0 dstintf=unknown-0 dstintfrole="undefined" proto=17 profile="default" xid=0 qtype="INVALID" qtypeval=0 qclass="INVALID" msg="Domain was blocked because it is in the domain-filter list" action="block" domainfilteridx=0
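
A receiver-side check for the test described above, as an added example that is not part of the original article or of Fortinet's tooling: it parses FortiGate key=value log lines (quoted values may contain spaces) and reports which expected type/subtype pairs never arrived. The sample lines are constructed by abridging the outputs above; the <188> syslog priority prefix and the EXPECTED list are assumptions.

```python
import re
from collections import Counter

# One key=value pair: the value is either "quoted" (may contain spaces) or a bare token.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_fortigate_log(line):
    """Return the fields of one FortiGate key=value log line as a dict.

    A leading syslog priority such as <188> or a display index such as '11:'
    is skipped because it never matches the key=value pattern.
    """
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _PAIR.finditer(line)}

def summarize(lines):
    """Count received entries per (type, subtype)."""
    counts = Counter()
    for line in lines:
        fields = parse_fortigate_log(line)
        if "type" in fields:
            counts[(fields["type"], fields.get("subtype", ""))] += 1
    return counts

def missing_categories(lines, expected):
    """Return the expected (type, subtype) pairs that never arrived."""
    seen = summarize(lines)
    return sorted(pair for pair in expected if seen[pair] == 0)

# Constructed sample: lines as a syslog receiver might store them, abridged from
# the outputs shown above. The <188> priority prefix is an assumption.
SAMPLE = [
    '<188>date=2018-07-26 time=16:51:36 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=7.1.1.1 dstip=2.2.2.2 action="accept"',
    '<188>date=2018-07-26 time=17:24:24 logid=0102043019 type=event subtype=user level=warning vd=SOUTH-WEB logdesc="FortiGuard override table full" status=failure msg="FortiGuard Web Filtering override table is full"',
    '<188>date=2018-07-26 time=17:25:59 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" hostname="www.abcd.com" action="blocked" msg="URL belongs to a denied category in policy"',
]

# Assumed expectation: one entry for each category whose output is shown above.
EXPECTED = [("traffic", "forward"), ("event", "user"),
            ("utm", "webfilter"), ("dns", "dns-response")]

if __name__ == "__main__":
    for pair, count in sorted(summarize(SAMPLE).items()):
        print(pair, count)
    print("missing:", missing_categories(SAMPLE, EXPECTED))
```

A pair reported as missing means that category was not generated, was filtered by the log settings, or was dropped on the way to the receiver.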

Example:

 

On the FortiGate:

 

SiteC-esx48 # diag log test 1 15 10 10 true 1692950676 0X0010 <----- To simulate a botnet the mask is set to 0X0010.

 

From the FortiAnalyzer side, it is possible to observe it from FortiView -> Threats.


[Screenshot: botnet_test.png]

 

 

SiteC-esx48 # diag log test  <----- Press Enter and all options are shown.
masks:
Virus: 0X0001
URL: 0X0002
DLP: 0X0004
IPS: 0X0008
BOTNET: 0X0010
ANOMALLY: 0X0020
APP: 0X0040
APP6: 0X0080
Deep App: 0X0100
Email: 0X0200
CR Web: 0X0400
SSH: 0X0800
SSL: 0X1000
diag log test <repeat> [<sleep-duration(milliseconds)> <# of srcip> <# of dstip> <gen-traffic-log> <seed> <masks>]
diag log test (repeat: 1) (sleep-duration(milliseconds): 10) (# of srcip: 10) (# of dstip: 10) (gen-traffic-log:True) (seed: 1692950676) (masks: ffffffff)
generating a system event message with level - warning
generating authentication event messages
1: generating an infected virus message with level - warning
1: generating a blocked virus message with level - warning
1: generating a URL block message with level - warning
1: generating a DLP message with level - warning
1: generating an IPS log message
1: generating an botnet log message
1: generating an anomaly log message
1: generating an application control IM message with level - information
1: generating an IPv6 application control IM message with level - information
1: generating deep application control logs with level - information
1: generating an antispam message with level - notification
1: generating a URL block message with level - warning
1: generating an ssh-command pass log with level - notification
1: generating an ssh-channel block with level - warning
1: generating an ssl-cert_blocklisted log with level - warning
1: generating FortiSwitch logs

 

In the Event logs, the following entries are generated automatically:

[Screenshot: image (8) (1).png]

 

Related articles:

Technical Tip: Standard procedure to format a FortiGate Log Disk, log backup from disk

Technical Tip: How to download Logs from FortiGate GUI