Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhdganji
Contributor II

View fortigate AV and IPS logs

Hi,

What I'm simply looking for is to see logs (detailed and meaningful logs) about Fortigate viruses and attacks detected by rules where IPS and AV are enabled in security profile. For now, with logs on memory (via live GUI or console CLI not using any solution like Fortianalyzer).

With logging enabled on an Internet-facing firewall, I expect to see a lot of IPS logs pointing to a specific attack. Also, I expect to see files being blocked by AV engine (A simple test including downloading a sample virus file from Internet will suffice)

 

At the time being, I cannot see any logs in GUI except rules logs. Should I configure any additional settings on logs? use 3rd party and remote logging? enable SSL inspection with custom settings for both outgoing and incoming traffic? or ......

 

Regards,

 

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
1 Solution
sjoshi
Staff
Staff

Hi mhdganji,

 

Thank you for posting to the Fortinet Community Forum.

 

From you problem description you are not able to see the relevant AV & IPS logs in the FGT GUI.

 

You can go to Log & Reports> Antivirus
Similarly, for IPS Log & Reports> Intrusion Prevention
There you can find the AV & IPS logs

 

Also it is recommended to do the following changes.

 

config antivirus profile
edit <av_profilename>
set extended-log enable
set av-virus-log en
set av-block-log en

 

config ips sensor
edit <ips_name>
set extended-log enable

 

Also whenever you are selecting filter/signatures in IPS entries make sure to enable packet logging.
Post the following changes you should be able to get the relevant logs
Also if you used deep inspection in the policy then the signature has higher chances of catching the virus because with deep inspection the whole payload scanning will be done.

Let us know if this helps.

Thanks

Let us know if this helps.
Salon Raj Joshi

View solution in original post

6 REPLIES 6
vponmuniraj
Staff
Staff

Hi, 

 

Are you able to simulate / test with any tool & check if logs are visible? 

 

Depending on the services being accessed you might need a deep inspection SSL profile to catch the attacks. 

 

 

Regards,

Vignesh
Rathan_FTNT
Staff
Staff

Hello,


If you require a sample, or safe virus to test your FortiGate configuration, visit the URL below to obtain an EICAR (European Institute for Computer Antivirus Research) test file.

http://www.eicar.org/anti_virus_test_file.htm
download the sample file in test PC and as per design the fortigate should block the virus

1> Set log severity to information
<if its memory logging >
#config log memory fileter
#set severity information
end

2> You have to enable log all sessions in the policy

3> you can geneterate a test log by executing the below command
#diag log test

 

EMEA TAC Engineer
sjoshi
Staff
Staff

Hi mhdganji,

 

Thank you for posting to the Fortinet Community Forum.

 

From you problem description you are not able to see the relevant AV & IPS logs in the FGT GUI.

 

You can go to Log & Reports> Antivirus
Similarly, for IPS Log & Reports> Intrusion Prevention
There you can find the AV & IPS logs

 

Also it is recommended to do the following changes.

 

config antivirus profile
edit <av_profilename>
set extended-log enable
set av-virus-log en
set av-block-log en

 

config ips sensor
edit <ips_name>
set extended-log enable

 

Also whenever you are selecting filter/signatures in IPS entries make sure to enable packet logging.
Post the following changes you should be able to get the relevant logs
Also if you used deep inspection in the policy then the signature has higher chances of catching the virus because with deep inspection the whole payload scanning will be done.

Let us know if this helps.

Thanks

Let us know if this helps.
Salon Raj Joshi
Muhammad_Haiqal

Hi there,

Please run command:
Diag log test

 

To see if you can see any dummy logs there.
If not, please run below config:

config log memory filter

set severity information

end

 

and run the diag log test again.

haiqal
mhdganji
Contributor II

Thanks so much to all. I will test these and at the very first, I should setup SSL inspection for outgoing traffic on my device. I will post the results in a few days.

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
mhdganji
Contributor II

I set up SSL deep inspection and now am able to find the viruses in https links too, but, while testing this with TekDefense.com (http://www.tekdefense.com/downloads/malware-samples/)

some files are recognized nut some not. For instance:

 

This one is recognized and blocked

http://www.tekdefense.com/downloads/malware-samples/malz4.zip

 

but these are downloaded and not blocked

http://www.tekdefense.com/downloads/malware-samples/malz5.zip

http://www.tekdefense.com/downloads/malware-samples/yitaly.exe.zip

 

I'm using the firewall in proxy mode (provides Internet to users via web proxy) and the mail policy rule to provide internet is proxy based.

 

Would you please give me hints what is the root cause? size of file? types of viruses? type of files or?

 

Regards,

 

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors