Hi!
My scheme
HP 2530-24G switch with configured mirror port. Fortigate 100D connected to this port.
On the Fortigate I configured lan port as One-Arm Sniffer and check
Include Non-IP Packets
and Log Allowed Traffic All Sessions
no Secuity profiles enabled
In this situation there are no logs in the Sniffer Traffic section of the Log&Report
If I enable some Security Profile I can see some logs then. But I want log all sessions. Not filter it by applications or something else.
Is it possible to achieve?
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I haven't done but this cookbook says how to do it with FortiAnalyzer including traffic log.
If it's doable with FortiAnalyzer, I would assume the same goes for FortiCloud. Based on CLI "config log fortiguard" for FortiCloud, it seems to have same/similar log setting capability with "config log fortianalyzer".
In one-arm sniffer mode, the traffic log is generated by ipsengine daemon (which is a wrapper for libips.so). So have to enable flow-based utm that will startup the process ipsengine. One-arm sniffer mode is mainly for ips originally but generating traffic log was added later on. Kernel done very limited processing on packets when in sniffer mode. Also in sniffer mode, packets can't be blocked but only logged as this is a read-only network operation.
In normal firewall policy, the sessions are handled by kernel and the traffic log is sent by kernel to miglogd. You can verify this by doing 'diag sys session list' in one-arm sniffer mode and the kernel sessions are empty. Traffic logs could be generated by kernel and also proxy daemon if the sessions are managed by them.
Currently, the gui doesn't fully support all the statistics gathered in sniffer mode but should be gradually implemented overtime.
darwin wrote:In one-arm sniffer mode, the traffic log is generated by ipsengine daemon (which is a wrapper for libips.so). So have to enable flow-based utm that will startup the process ipsengine. One-arm sniffer mode is mainly for ips originally but generating traffic log was added later on. Kernel done very limited processing on packets when in sniffer mode. Also in sniffer mode, packets can't be blocked but only logged as this is a read-only network operation.
its completely ok, I just need to log traffic from mirror port, nothing need to be blocked
so what is your advice: turn on ipflow generator and use Fortigate as flow collector? if yes, the how to configure it on the device?
As far as I understand, its not possible to log clear sniffer traffic (means just source-destination ip sessions)?
thanks
darwin wrote:In normal firewall policy, the sessions are handled by kernel and the traffic log is sent by kernel to miglogd. You can verify this by doing 'diag sys session list' in one-arm sniffer mode and the kernel sessions are empty. Traffic logs could be generated by kernel and also proxy daemon if the sessions are managed by them.
looks like its not for me, cause I'm not using Fortigate as firewall device, just monitoring (for now)
Traffic log contains a session summary. Utm event logs contains a bit more details triggered per event for a single session. E.g., for app-control, it could displays ssl certificate issuer, detected app name. For webfilter utm profile, it displays the host and url if log-all is enabled in the profile. For IPS, can also enable logging of pre/post packets during detected attack (see IPS utm profile details in CLI). The traffic logs and utm logs are both linked together by session id or serial (unique per session but could reset if rebooted as this is a incremental global counter only starting from 1). You can filter by fields. To view these logs in CLI, do:
# execute log filter category Available categories: 0: traffic 1: event 2: utm-virus 3: utm-webfilter 4: utm-ips 5: utm-emailfilter 7: anomaly 8: voip 9: utm-dlp 10: utm-app-ctrl 12: utm-waf 14: gtp 15: dns
To enable one-arm sniffer mode on an interface:
# config system interface
(interface) # edit port1
(port1) # set ips-sniffer-mode enable
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.