Need help to analyze log
Hello,
I'm new to FORTINET products. Could somebody help me analyze this log:
Message meets Alert condition
date=2018-05-02 time=14:25:40 devname=FGT60E4Q16012644 devid=FGT60E4Q16012644 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=195.14.185.150 srcport=53152 srcintf="wan1" dstip=195.14.160.210 dstport=8291 dstintf="internal" sessionid=622928 proto=6 action=deny policyid=0 policytype=policy dstcountry="Lithuania" srccountry="Lithuania" trandisp=dnat tranip=192.168.1.10 tranport=8291 service="tcp/8291" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high
Thank you
The Log says:
Source IP 195.14.185.150 is trying to communicate with Destination IP 195.14.160.210 and the destination port is 8291.
And the dst IP 195.14.160.210 has a NAT to 192.168.1.10.
And if not obvious, it's denied. I would assume NO-POLICY, or if you have a policy for that VIP it's installed incorrectly or has a typo.
PCNSE
NSE
StrongSwan
Hello,
As you can see, the raw logs comprise key/value pairs. For example, time=14:25:40 gives you the time at which the traffic was captured, devid=FGT60E4Q16012644 is the device ID of the Fortigate that captured the traffic, etc.
The most interesting information really is the origin of the traffic (srcip=195.14.185.150 srcport=53152), the destination of the traffic (dstip=195.14.160.210 dstport=8291) and the action taken on the traffic (action=deny). srcintf="wan1" tells you that the traffic originated from the wan1 interface (which can help in troubleshooting). The rest should be self-explanatory.
I hope that helps.
NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
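To make the key/value structure described in the answers above concrete, here is a small parser, added as an example and not code from the original thread or from Fortinet. It splits a FortiGate traffic log line into fields (handling double-quoted values such as dstcountry="Lithuania"), names the IP protocol number, reports the DNAT mapping and flags whether the drop came from the implicit deny policy. The log line from the question is used as sample input; reading policyid=0 as the implicit deny policy is an assumption stated in the code.

```python
import re
import ipaddress

# One key=value token. Values are either bare (no whitespace) or double-quoted;
# quoted values may contain spaces, so they must be matched as a unit.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# IANA protocol numbers that appear most often in traffic logs.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# The raw line from the original post, used here as sample input.
SAMPLE_LOG = (
    'date=2018-05-02 time=14:25:40 devname=FGT60E4Q16012644 devid=FGT60E4Q16012644 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd=root '
    'srcip=195.14.185.150 srcport=53152 srcintf="wan1" dstip=195.14.160.210 dstport=8291 '
    'dstintf="internal" sessionid=622928 proto=6 action=deny policyid=0 policytype=policy '
    'dstcountry="Lithuania" srccountry="Lithuania" trandisp=dnat tranip=192.168.1.10 '
    'tranport=8291 service="tcp/8291" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 '
    'appcat="unscanned" crscore=30 craction=131072 crlevel=high'
)


def parse_fortigate_log(line):
    """Split a FortiGate key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_implicit_deny(fields):
    """True when traffic was dropped without matching any explicit rule.

    Assumption: policyid=0 in a FortiGate traffic log denotes the implicit deny policy,
    which is the "NO-POLICY" case the thread mentions.
    """
    return fields.get("action") == "deny" and fields.get("policyid") == "0"


def summarize(fields):
    """Turn parsed fields into the facts an analyst wants first: who, to where, what happened."""
    proto_num = int(fields.get("proto", "0"))
    summary = {
        "time": f'{fields.get("date")} {fields.get("time")}',
        "device": fields.get("devid"),
        "source": f'{fields["srcip"]}:{fields["srcport"]} ({fields.get("srcintf")})',
        "destination": f'{fields["dstip"]}:{fields["dstport"]} ({fields.get("dstintf")})',
        "protocol": PROTO_NAMES.get(proto_num, str(proto_num)),
        "action": fields.get("action"),
        "implicit_deny": is_implicit_deny(fields),
        "nat": None,
        "nat_to_private": None,
    }
    # trandisp=dnat means a VIP translated the destination; show the mapping and
    # whether the translated address is an RFC 1918 (internal) address.
    if fields.get("trandisp") == "dnat":
        summary["nat"] = (
            f'{fields["dstip"]}:{fields["dstport"]} -> {fields["tranip"]}:{fields["tranport"]}'
        )
        summary["nat_to_private"] = ipaddress.ip_address(fields["tranip"]).is_private
    return summary


if __name__ == "__main__":
    parsed = parse_fortigate_log(SAMPLE_LOG)
    for key, value in summarize(parsed).items():
        print(f"{key:>15}: {value}")
```

Running the script prints one line per summary field; the same functions can be fed log lines read from a file or a syslog collector, since the parser only depends on the key=value layout.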
FYI: TCP/8291 is used by MikroTik for RouterOS management.
