Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
serfasit
New Contributor

Need help to analyze log

Hello,

I'm new to FORTINET products. Could somebody help me analyze this log:

Message meets Alert condition

date=2018-05-02 time=14:25:40 devname=FGT60E4Q16012644 devid=FGT60E4Q16012644 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=195.14.185.150 srcport=53152 srcintf="wan1" dstip=195.14.160.210 dstport=8291 dstintf="internal" sessionid=622928 proto=6 action=deny policyid=0 policytype=policy dstcountry="Lithuania" srccountry="Lithuania" trandisp=dnat tranip=192.168.1.10 tranport=8291 service="tcp/8291" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high

Thank you

jose_santana
New Contributor

The Log says:

Source IP 195.14.185.150 is trying to communicate with Destination IP 195.14.160.210 and the destination port is 8291.

And the dst IP 195.14.160.210 has a NAT to 192.168.1.10.

emnoc
Esteemed Contributor III

And if it's not obvious, it's denied. I would assume NO-POLICY, or if you have a policy for that VIP, it's installed incorrectly or there's a typo.

PCNSE NSE StrongSwan
Nicholas_Doropoulos
Contributor

Hello,

As you can see, the raw logs consist of key/value pairs. For example, time=14:25:40 gives you the time at which the traffic was captured, devid=FGT60E4Q16012644 is the device ID of the Fortigate that captured the traffic, etc.

The most interesting information really is the origin of the traffic (srcip=195.14.185.150 srcport=53152), the destination of the traffic (dstip=195.14.160.210 dstport=8291) and the action taken on the traffic (action=deny). srcintf="wan1" tells you that the traffic originated from the wan1 interface (which can help in troubleshooting). The rest should be self-explanatory.

I hope that helps.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
Jirka1

FYI: TCP/8291 is used by Mikrotik for RouterOS management.
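As an added example (not code from the original thread), here is a small Python parser for the key=value format Nicholas describes, plus a triage pass that flags the points raised in the replies above: a deny with policyid=0, the DNAT to 192.168.1.10, and the management port Jirka1 mentions. The sample line is the one from the question; the management-port table and the helper names are my own.

```python
import re
from typing import Dict, List

# Sample line, copied from the log quoted in the question.
SAMPLE = (
    'date=2018-05-02 time=14:25:40 devname=FGT60E4Q16012644 devid=FGT60E4Q16012644 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd=root '
    'srcip=195.14.185.150 srcport=53152 srcintf="wan1" dstip=195.14.160.210 dstport=8291 '
    'dstintf="internal" sessionid=622928 proto=6 action=deny policyid=0 policytype=policy '
    'dstcountry="Lithuania" srccountry="Lithuania" trandisp=dnat tranip=192.168.1.10 '
    'tranport=8291 service="tcp/8291" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 '
    'appcat="unscanned" crscore=30 craction=131072 crlevel=high'
)

# key=value, where value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters (possibly empty).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed table of ports worth a second look when hit from the WAN side.
MGMT_PORTS = {"8291": "Mikrotik RouterOS management (see the reply above)"}


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate traffic log line into a dict of fields, unquoting values."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def triage(fields: Dict[str, str]) -> List[str]:
    """Return the notes a defender would attach to this event, in reply order."""
    notes = []
    if fields.get("action") == "deny" and fields.get("policyid") == "0":
        notes.append("denied with policyid=0: no firewall policy matched")
    if fields.get("trandisp") == "dnat":
        notes.append(f"VIP DNAT {fields['dstip']} -> {fields['tranip']}:{fields['tranport']}")
    if fields.get("srcintf") == "wan1" and fields.get("dstport") in MGMT_PORTS:
        notes.append(f"WAN-side hit on a management port: {MGMT_PORTS[fields['dstport']]}")
    return notes


if __name__ == "__main__":
    parsed = parse_fortigate_log(SAMPLE)
    print(f"{parsed['srcip']}:{parsed['srcport']} -> {parsed['dstip']}:{parsed['dstport']} {parsed['action']}")
    for note in triage(parsed):
        print(" -", note)
```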
