Hi, totally newbie here. I came from Cisco background and just deployed my first 100E firewall. Great firewall and I am getting familiar with the firewall now.
My only gripe is that I cannot find any way to monitor traffic on the "outside" interface. No real time logs and no reports either. Fortigate is excellent at showing me all sorts of logs from the "inside" (web, antivirus, ips, dns, etc). But as for events on the "outside", I am clueless (feels like I am driving blind). I have called Fortigate support several times and they were somewhat surprised about my request and later concurred that there is no such "functionality".
Am I missing something here? Or is there really no way to monitor? Thanks in advance.
Hi, replying to my own thread here since no one has responded. Can someone confirm that it is not possible to have a log of external attacks?
I have managed firewalls for many years and every other vendor from Cisco to Sonicwall provides logs to give some visibility of external connections. I have tried to enable syslog on the Fortigate, but again it only shows "internal" logs, nothing on "external" traffic.
Am I the only one who cares what is on the outside? Doesn't anyone want to have some visibility? It is a bit frustrating to say the least.
I'm not an expert at all, but a few questions, comments, and hopefully answers.
Are you looking at logs on a FortiGate, or using a FortiAnalyzer (best way to deal with Fortinet logs), and which firmware versions are you running? Can you give some specific examples of what you're looking for?
Do you have your Implicit Deny rule (bottom of the security policy rules) set to log?
If on a FortiGate, have you looked at Log & Report > Local Traffic, and filtered by Source Interface equal to one or all of your wan ports?
Beyond all that, it sounds like you want the logs related to local-in-policy (config firewall local-in-policy) which is what deals with direct access to the firewall. See https://forum.fortinet.com/tm.aspx?m=154480 for a discussion of this. Note the gotcha I ran into with this when my local-in-policy rules had the same IDs as "normal" security policies.
To log the local-in-policy logs:
config log setting
    set local-in-allow enable
end
While you're in the "config log setting" section, type "set ?" to see some of the other options there, like local-in-deny-broadcast, etc.
Tanr, first of all thanks for taking time to reply.
To answer your questions....
1) I am looking at logs on Fortigate.
2) Yes the Implicit Deny rule at the bottom has the "Log violations" enabled.
3) The "Local traffic" log is empty.
4) Even under "FortiView" --> "Traffic from WAN" is empty.
What I am looking for is any traffic FROM the internet. For example "deny telnet from <external ip> to <firewall outside interface>". That's it....some log to assure me that yes, the fortigate is actively blocking external threats.
Before I replaced my Cisco ASA with the Fortigate, I got logs (a few hundred a day) of external IPs trying to connect to my network using Telnet, port 80 and other TCP ports etc. Now....zero. No visibility....Honestly, right now I could create a policy to open up my LAN to the entire Internet and couldn't tell the difference.
Should have noticed you said you have the 100E. The 100E doesn't have local storage to store any logs, as far as I know. I think the newest 6.0.x firmware allows storing some logs to memory, but I'm not sure and wouldn't recommend 6.0.x for any production work anyway. If you instead have the 101E that model has local storage for logs.
Regardless, what do you see when you go to the CLI and enter:
config log setting
Does it show that local-in-allow is enabled? If so, you should be generating some of those logs, and could at least send them to a syslog server.
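Once the local-in logs are being forwarded to a syslog server as suggested above, the visibility the original poster is asking for (which external IPs are hitting the WAN side, on which ports, and that they are being denied) can be pulled straight from the raw lines. The following is an added example, not code from this thread or from Fortinet; it parses constructed FortiGate-style key=value syslog lines, and the interface names wan1/wan2 and the sample field values are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value syslog style (not real captured logs).
# subtype="local" marks local-in traffic (destined to the firewall itself); policyid=0 is the implicit deny.
SAMPLE_LOGS = """\
date=2019-03-01 time=10:01:02 devname="FG100E" type="traffic" subtype="local" level="notice" srcip=203.0.113.10 srcport=40211 srcintf="wan1" dstip=198.51.100.2 dstport=23 dstintf="root" proto=6 action="deny" policyid=0 service="TELNET"
date=2019-03-01 time=10:01:05 devname="FG100E" type="traffic" subtype="local" level="notice" srcip=203.0.113.10 srcport=40212 srcintf="wan1" dstip=198.51.100.2 dstport=80 dstintf="root" proto=6 action="deny" policyid=0 service="HTTP"
date=2019-03-01 time=10:02:00 devname="FG100E" type="traffic" subtype="local" level="notice" srcip=192.0.2.77 srcport=51000 srcintf="wan1" dstip=198.51.100.2 dstport=23 dstintf="root" proto=6 action="deny" policyid=0 service="TELNET"
date=2019-03-01 time=10:02:30 devname="FG100E" type="traffic" subtype="local" level="notice" srcip=10.0.0.5 srcport=33000 srcintf="internal" dstip=10.0.0.1 dstport=443 dstintf="root" proto=6 action="accept" policyid=0 service="HTTPS"
date=2019-03-01 time=10:03:00 devname="FG100E" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 srcport=33001 srcintf="internal" dstip=203.0.113.9 dstport=80 dstintf="wan1" proto=6 action="accept" policyid=1 service="HTTP"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one FortiGate syslog line into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}

def external_denies(text, wan_ifaces=("wan1", "wan2")):
    """Return local-in traffic events that arrived on a WAN port and were denied."""
    hits = []
    for line in text.splitlines():
        ev = parse_line(line)
        if (ev.get("type") == "traffic" and ev.get("subtype") == "local"
                and ev.get("srcintf") in wan_ifaces and ev.get("action") == "deny"):
            hits.append(ev)
    return hits

def summarize(events):
    """Count denied WAN-side hits per (dstport, service) and per source IP."""
    by_service = Counter((e["dstport"], e["service"]) for e in events)
    by_src = Counter(e["srcip"] for e in events)
    return by_service, by_src

if __name__ == "__main__":
    by_service, by_src = summarize(external_denies(SAMPLE_LOGS))
    for (port, svc), n in by_service.most_common():
        print(f"denied {svc} (port {port}) from WAN: {n}")
    for ip, n in by_src.most_common():
        print(f"  source {ip}: {n} attempts")
```

Pointing the same functions at a syslog file instead of SAMPLE_LOGS gives the daily "deny telnet from external IP" count the Cisco ASA used to provide.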
You can try to set the outside interface to promiscuous mode by enabling one-arm sniffer mode for the interface. Fortigate can generate traffic logs for sniffer mode (done by ipsengine libips.so), including enabling all UTM profiles (av, dlp, webfilter, ips, app-ctrl, etc.). But SSL deep inspection, block pages, and some other operations are not possible.
I have D series FortiGates, which have local storage. I wish Fortinet hadn't decided to make the local storage an (expensive) option on the E series FortiGates. Like many others, I use a FortiAnalyzer to collect logs from a couple FortiGates and it is very useful, but if you're running a single small FortiGate local storage makes more sense to me. It's also extremely useful when you're first setting things up.
I believe you can log to the FortiCloud service as well, though I don't use it. The idea of logs in the cloud that I need to check when I'm having trouble connecting to the cloud seems problematic. But for non-connectivity problems it should work well. I believe you get a free FortiCloud account, though it doesn't include a lot of space for logs. So you might want to try it out to see if it works for you.
Though I generate and archive syslogs from the FortiGates and my other devices they are not nearly as useful as the logs on the FortiAnalyzer, especially as Fortinet has some non-standard fields (or at least they used to -- haven't checked in a while).
One note on the FortiAnalyzer is that I've always run into some problem with synchronization when looking at FortiView on the FortiGate, which should pull logs and data from the FortiAnalyzer, but doesn't always do it correctly. Likely something with my own config.