Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
serfasit
New Contributor

Created on ‎05-02-2018 05:35 AM

Need help to analyze log

Hello,

I'am new in FORTINET product. Could somebody help to analyze this log:

 

Message meets Alert condition

date=2018-05-02 time=14:25:40 devname=FGT60E4Q16012644 devid=FGT60E4Q16012644 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=195.14.185.150 srcport=53152 srcintf="wan1" dstip=195.14.160.210 dstport=8291 dstintf="internal" sessionid=622928 proto=6 action=deny policyid=0 policytype=policy dstcountry="Lithuania" srccountry="Lithuania" trandisp=dnat tranip=192.168.1.10 tranport=8291 service="tcp/8291" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high

 

Thank you

7367
0 Kudos
4 REPLIES 4
jose_santana
New Contributor

Created on ‎05-09-2018 09:36 AM

The Log says:

Source IP 195.14.185.150 is trying to communicate with Destination IP 195.14.160.210 and the destination port is 8291.

And the dst IP 195.14.160.210 has a NAT to 192.168.1.10.

 

3076
0 Kudos
emnoc
Esteemed Contributor III
In response to jose_santana

Created on ‎05-09-2018 10:35 AM

And if not obvious it's denied. I would assume NO-POLICY or if you have a policy for that VIP it's installed incorrect or typo

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
3076
0 Kudos
Nicholas_Doropoulos
Contributor

Created on ‎05-30-2018 01:07 PM

Hello,

 

As you can see, the raw logs comprise of key/value pairs. For example, time=14:25:40 gives you the time that the traffic was captured at, devid=FGT60E4Q16012644 is the device ID of the Fortigate that captured the traffic etc. 

 

The most interesting information really is the origin of the traffic (srcip=195.14.185.150 srcport=53152), the destination of the traffic (dstip=195.14.160.210 dstport=8291) and the action taken on the traffic (action=deny). srcintf="wan1" tells you that the traffic originated from the wan1 interface (which can help in troubleshooting). The rest should be self-explanatory.

 

I hope that helps.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
3076
0 Kudos
Jirka1
Contributor III
In response to Nicholas_Doropoulos

Created on ‎05-31-2018 01:02 AM

FYI: TCP/8291 uses Mikrotik for router OS management. 

3076
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.