Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
anjali
New Contributor II

Regarding Fortigate Events

Hi all,

Can anyone tell me the difference between traffic:forward and traffic:local in fortigate logs?

Also, what is utm:app-ctrl event?

1 Solution
kcheng
Staff
Staff

Hi @anjali 

 

FortiGate traffic:forward log is referring to traffic that passes through FortiGate. Technically it refers to traffic generated or destined to hosts hosted behind the FortiGate. On the other hand, traffic:local is referring to traffic that is either self-generated by FortiGate, or traffic destined to FortiGate itself. For example, accessing GUI of FortiGate will be recorded as traffic:local.

 

Last but not least, utm:app-ctrl event means that it is an event that is generated due to Application Control profile. Depending on the configuration of the firewall policy, it can be a violation of users trying to access an application that has not been permitted. You may also refer to the following document that list the log types:

https://docs.fortinet.com/document/fortigate/6.2.3/fortios-log-message-reference/160372/list-of-log-...

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

6 REPLIES 6
kcheng
Staff
Staff

Hi @anjali 

 

FortiGate traffic:forward log is referring to traffic that passes through FortiGate. Technically it refers to traffic generated or destined to hosts hosted behind the FortiGate. On the other hand, traffic:local is referring to traffic that is either self-generated by FortiGate, or traffic destined to FortiGate itself. For example, accessing GUI of FortiGate will be recorded as traffic:local.

 

Last but not least, utm:app-ctrl event means that it is an event that is generated due to Application Control profile. Depending on the configuration of the firewall policy, it can be a violation of users trying to access an application that has not been permitted. You may also refer to the following document that list the log types:

https://docs.fortinet.com/document/fortigate/6.2.3/fortios-log-message-reference/160372/list-of-log-...

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
anjali
New Contributor II

Hi kcheng,

Thank you for the reply!!

Is there any way to know which application is aasociated with utm-appctrl events.

kcheng

Hi @anjali 

 

Yes, you can view that in the Application Control profile page to check all the setting on the apps. If you are looking purely at the UTM logs, you should be able to find the application name in the log. For example, the following logs indicate that the connection is blocked due to Facebook being detected as the application (which was configured as blocked in the application control profile):

date=2022-07-05 time=16:54:16 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" eventtime=1657011256098547357 tz="+0800" appid=15832 srcip=x.x.x.x dstip=179.60.194.35 srcport=55923 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="SSL" direction="outgoing" policyid=1 sessionid=67984 applist="default" action="block" appcat="Social.Media" app="Facebook" hostname="facebook.com" incidentserialno=1894810992 url="/" msg="Social.Media: Facebook," apprisk="medium"

 

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
anjali
New Contributor II

Hi @kcheng,

Here, I get local traffic events which were neither destined to fortigate IP nor the Source IP is of fortigate. Why it is happening?

kcheng

Hi @anjali 

 

Can you please paste the event log that you are seeing with regards to loca traffic events that were neither destined for FortiGate IP nor the Source IP is of FortiGate?

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
bipul
New Contributor

Can you please help us to understand below log where appcat="Proxy" app="Proxy.HTTP"

<134>date=2023-08-10 time=18:49:14 devname="XYZ" devid="ABC" logid="1059055707" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1691686154 appid=107977980 srcip=84.XX.XX.XX dstip=192.XXX.XXX.XXX srcport=47864 dstport=80 srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=166 sessionid=605036148 applist="Block_RDP" appcat="Proxy" app="Proxy.HTTP" action="pass" crscore=10 crlevel="medium" hostname="google.com:443" incidentserialno=1990918280 url="/" msg="Proxy: Proxy.HTTP," apprisk="critical"
Labels
Top Kudoed Authors