Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
user2345312
New Contributor

How can I make FortiOS 7.0.2 send the network layer 7 fields?

I understand that FortiOS 7.0.2 can log network layer 7 information.
I have a test log in which the "agent" field does not appear and the documentation tells me that it should appear.

What is the reason for this, do I have to activate something in the configuration?

 

Example of log:

 

<189>date=2021-12-15 time=18:09:07 eventtime=1639588147226172770 tz="+0100" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" dstintf="Servers" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=32503323 proto=17 action="accept" policyid=7 policytype="policy" 

 

user2345312_0-1639588339664.png

I understand that if it is in the documentation it can be activated so that it appears, right?

 

Regards!!!

 

1 REPLY 1
darwin_FTNT
Staff
Staff

The agent field doesn't belong to the traffic log. Instead, it appears in webfilter log, IPS log or antivirus log, dlp log, etc. (all utm logs).  It only appears when the triggered utm detection at that time have the agent info.  e.g., if the utm detection log is botnet utm log, then there is no agent info as it is blocked immediately on access. 

A session can only generate a single traffic log and it is generated only when the session ends (so that the total traffic for the session is known).  Each session can generate multiple utm logs though.  Can correlate these utm logs with the single traffic log thru the session id or serial.  A utm log always has a session context which triggered the security event.  But not all traffic log have security utm events logs.

Also each session has a policy id whether the session is allowed or blocked whenever the session is initially created.  The utm logs then follow later depending on the traffic type generated by the session.

 

To have the agent field appear most of the time, it is recommended to apply a webfilter utm profile to a policy.  Then in the webfilter profile, enable the log-all url option.  Then most http/https websites should have the agent field logged.

These traffic logs or utm logs can be viewed from the CLI or GUI. In CLI:

 

FGVM32 # execute log filter category

Available categories:
0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
21: utm-ztna
22: utm-sctp-filter

FGVM32 # execute log filter category 3

FGVM32 # execute log display

0 logs found.
0 logs returned.