About VPN EVENT LOG

Ryu-4 · ‎02-23-2025

About a year ago, we encountered VPN access that appeared to be using information from the account list we managed.

There are three types of targeted VPN users based on logs and token reception status via email.

・Email authentication applicable account
・Non-multifactor authentication account
・Deleted account　　

For accounts eligible for email authentication, token notification emails were received, but the logs for those users could not be confirmed.
For deleted users, SSL-login-fail logs were recorded.
For users with non-multifactor authentication, only tunnel-down logs due to timeout were recorded.

When checking the normal logs, tunnel-up and tunnel-down are set as a set, but for non-multifactor authentication users, only tunnel-down due to timeout was recorded in the log.

We inquired about this situation to the maintenance vendor, but they answered that due to the specifications, only tunnel-down is not recorded in the log.

However, the actual declared contents are recorded in the logs, and I am concerned about the logs of this product, so I decided to post it here to see if the logs can be tampered with or if there is anything that records only tunnel-down under certain conditions.

The product is Fortigate100E
OS I was using at the time was 6.4.13.

Stephen_G · ‎02-26-2025

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Stephen - Fortinet Community Team

Ryu-4 · ‎02-28-2025

Thank you for your support.

Stephen_G · ‎03-04-2025

Hi Ryu-4,

Sorry, we're still trying to get you an answer or reply. In the meantime, if anyone viewing this topic has a possible answer, your input is welcomed.

Stephen - Fortinet Community Team

About VPN EVENT LOG

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website