echo
Contributor II

How to understand Fortianalyzer logs

I have a question in understanding certain FortiAnalyzer logs, ver 6.4.7. Webfilter blocks access to a certain webpage and categorises it as Phishing. When I tested access and checked logs in FortiView, found the problematic entry, double-clicked and went on like that to Top Threats > Source > Log View, then I see four lines. The destination IP has been shown as Fortiguard's 208.91.112.55. But what is the meaning of the Destination Name column entries on each line? I see different domain names there, but are they related to the current phishing attempt by the website (that is, these names have been taken from the specific attempt to visit those websites, so the names are taken from my browser's http/s request) or are those entries random names which also point to the same Fortiguard IP if I had tried to access them? I need to know this to understand whether the specific website, which may be actually harmless, is in any way related to those Destination Name column entries or not.


I ask this because I've often seen from network logs (syslog) that the destination name is not only the result of a possible PTR check, but it looks like FortiGate gets this relation between an IP and domain name from somewhere else, because I've often seen network logs with one and the same (internal or external) IP address but a different destination name. In some cases, this has even been useful to understand what else may point to that (external) IP address, since a single PTR check doesn't reveal it (because it's a hosting IP that has many websites and an uninformative PTR record).

4 REPLIES
AlexC-FTNT
Staff

Not sure I can help with an answer, but can you maybe paste a screenshot of the view you refer to in FortiView?
208.91.112.55 is the Fortinet block page.

It is possible that the source IP is resolved to a domain name and that shows as "Destination name"


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Debbie_FTNT
Staff

As Alex mentioned above, the IP 208.91.112.55 is a Fortinet-owned server providing a block page.

If DNS filtering is applied to a policy, then FortiGate redirects to this IP if the DNS filter decides to block the connection; the original intended hostname is resolved to this IP instead (serving the block page) and FortiGate should write a log with the original URL but Fortinet DNS portal IP.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
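To make the mechanism Debbie describes concrete, and to show why the original poster saw several different destination names behind one IP, here is an added example that is not from this thread or from Fortinet: a small parser for FortiGate-style key=value log lines that groups the requested name by destination IP and flags lines whose destination is the 208.91.112.55 block page. The sample log lines are constructed for this illustration, and the field names used (qname, hostname, dstip, action, catdesc) are assumptions that should be checked against the log reference for the firmware actually in use.

```python
import re
from collections import defaultdict

# IP named in the thread as the Fortinet block page / DNS portal address.
FORTINET_BLOCK_PAGE_IP = "208.91.112.55"

# Constructed sample log lines in FortiGate's key=value style.  The field
# names (qname, hostname, dstip, action, catdesc) are assumptions made for
# this example, not taken from a specific firmware log reference.
SAMPLE_LOGS = [
    'date=2023-01-10 time=10:00:01 type="utm" subtype="dns" action="redirect" '
    'srcip=10.0.0.5 dstip=208.91.112.55 qname="login-example.test" catdesc="Phishing"',
    'date=2023-01-10 time=10:00:02 type="utm" subtype="webfilter" action="blocked" '
    'srcip=10.0.0.5 dstip=208.91.112.55 hostname="login-example.test" catdesc="Phishing"',
    'date=2023-01-10 time=10:05:00 type="utm" subtype="dns" action="redirect" '
    'srcip=10.0.0.7 dstip=208.91.112.55 qname="other-site.test" catdesc="Malicious Websites"',
    'date=2023-01-10 time=10:06:00 type="traffic" subtype="forward" action="accept" '
    'srcip=10.0.0.9 dstip=198.51.100.20 hostname="cdn.example.test"',
    'date=2023-01-10 time=10:06:30 type="traffic" subtype="forward" action="accept" '
    'srcip=10.0.0.9 dstip=198.51.100.20 hostname="shop.example.test"',
]

# key=value where the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict, handling quoted and bare values."""
    record = {}
    for match in KV_RE.finditer(line):
        quoted, bare = match.group(3), match.group(4)
        record[match.group(1)] = quoted if quoted is not None else bare
    return record


def destination_name(record):
    """Return the name the client asked for: the DNS query name or the HTTP hostname."""
    return record.get("qname") or record.get("hostname")


def names_by_destination_ip(lines):
    """Map each destination IP to the sorted list of distinct names requested for it.

    The name comes from the client's own request (DNS query or HTTP Host), so
    when a DNS filter rewrites many answers to the block-page IP, all of those
    names collapse onto one IP.  A PTR lookup of that IP would explain none of them.
    """
    table = defaultdict(set)
    for line in lines:
        record = parse_line(line)
        name = destination_name(record)
        if record.get("dstip") and name:
            table[record["dstip"]].add(name)
    return {ip: sorted(names) for ip, names in table.items()}


def is_block_page_redirect(record):
    """True when the logged destination is the Fortinet block-page IP."""
    return record.get("dstip") == FORTINET_BLOCK_PAGE_IP


def summarize(lines):
    """One row per log line with the fields an analyst needs to read the FortiView entry."""
    rows = []
    for line in lines:
        record = parse_line(line)
        rows.append({
            "src": record.get("srcip"),
            "dst": record.get("dstip"),
            "name": destination_name(record),
            "category": record.get("catdesc"),
            "block_page": is_block_page_redirect(record),
        })
    return rows


if __name__ == "__main__":
    for ip, names in names_by_destination_ip(SAMPLE_LOGS).items():
        tag = " (block page)" if ip == FORTINET_BLOCK_PAGE_IP else ""
        print(f"{ip}{tag}: {', '.join(names)}")
```

Run against the constructed sample, the block-page IP is listed with two unrelated names (the phishing host and a second redirected query), while the ordinary hosting IP 198.51.100.20 also shows two names; in both cases the names were taken from the clients' requests, which is the behaviour the original poster observed for shared hosting IPs.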
echo

We had to remove the DNS profile from everywhere a few months ago because it started making problems out of nothing: name resolution got timeouts and only after several attempts did it resolve the name, sometimes quicker. And it wasn't that the router was running out of resources. Don't know when I can start testing to find the cause and start using DNS profiles again. Currently I checked a log line from FAZ about phishing and it showed the original IP as it had to. The Destination Name field also showed the same IP. I didn't see a URL, only the hostname, and that part was most probably correct. If switching on the DNS profile only changes the IP to Fortiguard's but the rest remains the same, then it will be clear that the name information there has been taken from the original packet towards the phishing site.

AlexC-FTNT

The same question was probably asked here in different words:

https://community.fortinet.com/t5/Fortinet-Forum/Hostnames-in-FortiAnalyzer/m-p/95351?m=156950


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -