|
Make sure FortiGate's Syslog settings are correct before beginning the verification.
Technical Tip: How to configure syslog on FortiGate
For the traffic in question, the log is enabled.
Technical Tip: View historic SSL VPN user connectivity logs
Next, initiate a packet capture on the FortiGate to observe the traffic. Use the tool located under Network -> Packet Capture or Network -> Diagnostics -> Packet Capture, and enter the IP address or port number of the Syslog server using the Filter. See Troubleshooting Tip: Packet Capture on FortiOS GUI.
Run the following command in the CLI to collect the sniffer output for the Syslog server on port 514:
diagnose sniffer packet any "host x.x.x.x and port 514" 6 0 a
Replace x.x.x.x with the Syslog server IP address.
Run the following command to test sending the logs to the Syslog server:
diagnose log test
The default port is 514. However, in the example below, the Syslog server is configured on port 515:
As seen in the snippet of the packet capture below, tested a failed SSL VPN login with the username 'abcde' after initiating the capture. It is evident from the packet capture that FortiGate's specified port 515 was used to send logs to the Syslog server.
In the capture, it can be verified that the FortiGate is sending the logs out via the specified port and specified source IP, and the event log details can be viewed in the payload info of the packet.
Note:
If it is FortiGate VM deployed in AWS or any cloud platform, verify there is no restriction or block for the UDP 514 (default) and make sure to allow these services in the inbound as well as the outbound rules in AWS.
Related Articles:
Technical Tip: How to configure syslog on FortiGate
Technical Tip: How to perform a syslog and log test on a FortiGate with the 'diagnose log test' comm...
Technical Tip: View historic SSL VPN user connectivity logs
Troubleshooting Tip: Packet Capture on FortiOS GUI
|
