Support Forum
anjali
New Contributor II

Regarding Fortigate Events

Hi all,

Can anyone tell me the difference between traffic:forward and traffic:local in fortigate logs?

Also, what is utm:app-ctrl event?

1 Solution
kcheng
Staff

Hi @anjali

A FortiGate traffic:forward log refers to traffic that passes through the FortiGate. Technically it refers to traffic generated by, or destined to, hosts behind the FortiGate. On the other hand, traffic:local refers to traffic that is either self-generated by the FortiGate or destined to the FortiGate itself. For example, accessing the GUI of the FortiGate will be recorded as traffic:local.

Last but not least, a utm:app-ctrl event is an event generated by an Application Control profile. Depending on the configuration of the firewall policy, it can be a violation of users trying to access an application that has not been permitted. You may also refer to the following document that lists the log types:

https://docs.fortinet.com/document/fortigate/6.2.3/fortios-log-message-reference/160372/list-of-log-...

Cheers,
Kayzie Cheng

anjali
New Contributor II

Hi kcheng,

Thank you for the reply!!

Is there any way to know which application is associated with utm-appctrl events?

kcheng

Hi @anjali

Yes, you can view that in the Application Control profile page to check all the settings on the apps. If you are looking purely at the UTM logs, you should be able to find the application name in the log. For example, the following log indicates that the connection is blocked due to Facebook being detected as the application (which was configured as blocked in the application control profile):

date=2022-07-05 time=16:54:16 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" eventtime=1657011256098547357 tz="+0800" appid=15832 srcip=x.x.x.x dstip=179.60.194.35 srcport=55923 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="SSL" direction="outgoing" policyid=1 sessionid=67984 applist="default" action="block" appcat="Social.Media" app="Facebook" hostname="facebook.com" incidentserialno=1894810992 url="/" msg="Social.Media: Facebook," apprisk="medium"

 

Cheers,
Kayzie Cheng
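To pull the application name out of utm:app-ctrl logs in bulk, and to sanity-check traffic:local events against the definition given earlier in this thread (one end of the connection should be the FortiGate itself), here is a small parser as an added example; it is my own code, not Fortinet's and not from this thread. It assumes the FortiGate's own addresses are known (FORTIGATE_IPS is a constructed placeholder) and uses constructed sample lines, the first trimmed from the log quoted above.

```python
import re

# FortiOS logs are key=value pairs; quoted values may hold spaces and commas.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

FORTIGATE_IPS = {"10.0.0.1", "203.0.113.10"}  # assumed (constructed) device addresses

# Constructed samples: the first is trimmed from the app-ctrl line quoted above.
SAMPLE_LOGS = [
    'date=2022-07-05 time=16:54:16 logid="1059028705" type="utm" subtype="app-ctrl" '
    'level="warning" srcip=10.0.0.5 dstip=179.60.194.35 dstport=443 service="SSL" '
    'action="block" appcat="Social.Media" app="Facebook" msg="Social.Media: Facebook,"',
    'date=2022-07-05 time=16:55:01 type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 srcport=51000 dstip=93.184.216.34 dstport=443 action="accept"',
    'date=2022-07-05 time=16:55:30 type="traffic" subtype="local" level="notice" '
    'srcip=10.0.0.5 srcport=52000 dstip=10.0.0.1 dstport=443 action="accept"',
    'date=2022-07-05 time=16:56:02 type="traffic" subtype="local" level="notice" '
    'srcip=10.0.0.7 srcport=53000 dstip=10.0.0.9 dstport=53 action="accept"',
]

def parse_fortigate_log(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields

def summarize(lines, fortigate_ips):
    """Classify each line by type:subtype; report app/action for utm:app-ctrl and
    flag traffic:local events where neither src nor dst is a FortiGate address."""
    out = []
    for line in lines:
        f = parse_fortigate_log(line)
        kind = f"{f.get('type', '?')}:{f.get('subtype', '?')}"
        if kind == "utm:app-ctrl":
            detail = f"{f.get('action')} app={f.get('app')} cat={f.get('appcat')}"
        elif kind == "traffic:local":
            touches = f.get("srcip") in fortigate_ips or f.get("dstip") in fortigate_ips
            detail = "involves FortiGate address" if touches else "REVIEW: no FortiGate address in src/dst"
        elif kind == "traffic:forward":
            detail = f"{f.get('action')} {f.get('srcip')}->{f.get('dstip')}:{f.get('dstport')}"
        else:
            detail = "unclassified"
        out.append((kind, detail))
    return out

if __name__ == "__main__":
    for k, d in summarize(SAMPLE_LOGS, FORTIGATE_IPS): print(k, d)
```

The REVIEW flag does not explain why such an event was logged as traffic:local; it only separates the events worth pasting into a thread like this one from the expected ones.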
anjali
New Contributor II

Hi @kcheng,

Here, I get local traffic events which were neither destined to the FortiGate IP nor sourced from the FortiGate IP. Why is it happening?

kcheng

Hi @anjali

Can you please paste the event log that you are seeing with regards to local traffic events that were neither destined for the FortiGate IP nor sourced from the FortiGate IP?

Cheers,
Kayzie Cheng