Hi all,
Can anyone tell me the difference between traffic:forward and traffic:local in fortigate logs?
Also, what is utm:app-ctrl event?
Hi @anjali
FortiGate traffic:forward log is referring to traffic that passes through FortiGate. Technically it refers to traffic generated or destined to hosts hosted behind the FortiGate. On the other hand, traffic:local is referring to traffic that is either self-generated by FortiGate, or traffic destined to FortiGate itself. For example, accessing GUI of FortiGate will be recorded as traffic:local.
Last but not least, a utm:app-ctrl event means that it is an event generated by an Application Control profile. Depending on the configuration of the firewall policy, it can be a violation of users trying to access an application that has not been permitted. You may also refer to the following document that lists the log types:
Hi kcheng,
Thank you for the reply!!
Is there any way to know which application is associated with utm:app-ctrl events?
Hi @anjali
Yes, you can view that in the Application Control profile page to check all the settings on the apps. If you are looking purely at the UTM logs, you should be able to find the application name in the log. For example, the following log indicates that the connection is blocked due to Facebook being detected as the application (which was configured as blocked in the application control profile):
date=2022-07-05 time=16:54:16 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" eventtime=1657011256098547357 tz="+0800" appid=15832 srcip=x.x.x.x dstip=179.60.194.35 srcport=55923 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="SSL" direction="outgoing" policyid=1 sessionid=67984 applist="default" action="block" appcat="Social.Media" app="Facebook" hostname="facebook.com" incidentserialno=1894810992 url="/" msg="Social.Media: Facebook," apprisk="medium"
Hi @kcheng,
Here, I get local traffic events which were neither destined to the FortiGate IP nor have the FortiGate IP as the source IP. Why is it happening?
Hi @anjali
Can you please paste the event log that you are seeing with regards to local traffic events that were neither destined for the FortiGate IP nor have the FortiGate IP as the source IP?
Can you please help us to understand the log below, where appcat="Proxy" app="Proxy.HTTP"?
<134>date=2023-08-10 time=18:49:14 devname="XYZ" devid="ABC" logid="1059055707" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1691686154 appid=107977980 srcip=84.XX.XX.XX dstip=192.XXX.XXX.XXX srcport=47864 dstport=80 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=166 sessionid=605036148 applist="Block_RDP" appcat="Proxy" app="Proxy.HTTP" action="pass" crscore=10 crlevel="medium" hostname="google.com:443" incidentserialno=1990918280 url="/" msg="Proxy: Proxy.HTTP," apprisk="critical"
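The replies above explain the three labels in words (traffic:forward, traffic:local, utm:app-ctrl) and show two raw app-ctrl lines. The following is an added example, not code from the thread or from Fortinet: a small parser for the FortiGate key=value log format that strips an optional syslog priority prefix such as `<134>`, handles quoted values containing spaces (msg="Social.Media: Facebook,"), labels each record with its type:subtype, pulls the application fields out of app-ctrl events, flags traffic:local records whose srcip and dstip are both not FortiGate addresses (the situation asked about in this thread), and lists applications that were allowed with a high risk rating (as in the Proxy.HTTP line, which was passed with apprisk="critical"). The sample lines are constructed: the first two follow the two logs posted here with the redacted addresses replaced by placeholder values, and the two traffic lines are made up and carry only the fields the example reads. The apprisk ordering and the set of FortiGate addresses are assumptions, not taken from the thread.

```python
"""Parse FortiGate key=value log lines and classify them (added example)."""
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample lines, modelled on the thread's two app-ctrl logs plus two
# made-up traffic lines. Not real FortiGate output.
SAMPLE_LOGS: List[str] = [
    'date=2022-07-05 time=16:54:16 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" eventtime=1657011256098547357 tz="+0800" appid=15832 srcip=10.0.0.5 dstip=179.60.194.35 srcport=55923 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="SSL" direction="outgoing" policyid=1 sessionid=67984 applist="default" action="block" appcat="Social.Media" app="Facebook" hostname="facebook.com" incidentserialno=1894810992 url="/" msg="Social.Media: Facebook," apprisk="medium"',
    '<134>date=2023-08-10 time=18:49:14 devname="XYZ" devid="ABC" logid="1059055707" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1691686154 appid=107977980 srcip=84.0.0.1 dstip=192.168.1.10 srcport=47864 dstport=80 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=166 sessionid=605036148 applist="Block_RDP" appcat="Proxy" app="Proxy.HTTP" action="pass" crscore=10 crlevel="medium" hostname="google.com:443" incidentserialno=1990918280 url="/" msg="Proxy: Proxy.HTTP," apprisk="critical"',
    # constructed traffic:local line: a LAN host talking to the FortiGate's own address
    'date=2023-08-10 time=18:50:01 type="traffic" subtype="local" level="notice" vd="root" srcip=192.168.1.50 dstip=192.168.1.1 srcport=51234 dstport=443 proto=6 service="HTTPS" action="accept"',
    # constructed traffic:forward line: a LAN host passing through to the Internet
    'date=2023-08-10 time=18:50:02 type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.50 dstip=142.250.74.46 srcport=51235 dstport=443 proto=6 service="HTTPS" action="accept"',
]

# key=value pairs: value is either double-quoted (may contain spaces and
# punctuation) or a bare run of non-space characters (IPs, numbers).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Optional syslog PRI prefix, e.g. <134>, present when the line arrived via syslog.
_PRI_RE = re.compile(r'^<\d{1,3}>')
# apprisk values from lowest to highest; assumed ordering for this example.
_RISK_ORDER = {'low': 0, 'elevated': 1, 'medium': 2, 'high': 3, 'critical': 4}


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return every key=value field of one log line as a dict of strings."""
    line = _PRI_RE.sub('', line.strip())
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted != '' else bare
    return fields


def classify(rec: Dict[str, str]) -> str:
    """Join type and subtype into the 'type:subtype' label used in the thread."""
    return f"{rec.get('type', '?')}:{rec.get('subtype', '?')}"


def appctrl_summary(rec: Dict[str, str]) -> Optional[Dict[str, str]]:
    """For a utm:app-ctrl record, return the fields that identify the application
    and what Application Control did with it; None for any other record."""
    if classify(rec) != 'utm:app-ctrl':
        return None
    keys = ('app', 'appcat', 'action', 'apprisk', 'applist', 'policyid', 'hostname')
    return {k: rec.get(k, '') for k in keys}


def is_unexplained_local(rec: Dict[str, str], fortigate_ips: Set[str]) -> bool:
    """True for a traffic:local record where neither srcip nor dstip is one of
    the FortiGate's own addresses (fortigate_ips is supplied by the caller)."""
    if classify(rec) != 'traffic:local':
        return False
    return rec.get('srcip') not in fortigate_ips and rec.get('dstip') not in fortigate_ips


def passed_high_risk_apps(records: Iterable[Dict[str, str]],
                          min_risk: str = 'high') -> List[Dict[str, str]]:
    """App-ctrl events whose application was allowed (action=pass) while rated
    at or above min_risk. A profile set to monitor logs these without blocking."""
    threshold = _RISK_ORDER[min_risk]
    hits = []
    for rec in records:
        summary = appctrl_summary(rec)
        if summary is None or summary['action'] != 'pass':
            continue
        if _RISK_ORDER.get(summary['apprisk'], -1) >= threshold:
            hits.append(summary)
    return hits


if __name__ == '__main__':
    fortigate_ips = {'192.168.1.1'}  # assumed interface address of the FortiGate
    records = [parse_fortigate_log(line) for line in SAMPLE_LOGS]
    for rec in records:
        print(classify(rec), rec.get('srcip'), '->', rec.get('dstip'),
              appctrl_summary(rec) or '',
              'UNEXPLAINED LOCAL' if is_unexplained_local(rec, fortigate_ips) else '')
    print('allowed high-risk apps:', passed_high_risk_apps(records))
```

Run it as-is to see the four sample records labelled; to use it on real exports, feed the lines from a FortiAnalyzer/syslog file and set fortigate_ips to the addresses of the FortiGate's interfaces. Note that the parser only surfaces fields; it does not explain why a given session matched a signature such as Proxy.HTTP, which the thread leaves open.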
Copyright 2024 Fortinet, Inc. All Rights Reserved.