Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fittan
New Contributor

How to monitor attacks from the Internet?

Hi, totally newbie here. I came from Cisco background and just deployed my first 100E firewall. Great firewall and I am getting familiar with the firewall now. 

 

My only gripe is that I cannot find any way to monitor traffic on the "outside" interface. No real time logs and no reports either. Fortigate is excellent showing me all sorts of log from the "inside" (web, antivirus, ips, dns, etc). But as for events on the "outside", I am clueless (feels like I am driving blind). I have called Fortigate support several times and they are somewhat surprised about my request and later concurred that there is no such "functionality". 

 

Am I missing something here? Or is there really no way to monitor? Thanks in advance. 

16 REPLIES 16
fittan
New Contributor

Hi, replying to my own thread here since no one has responded. Can someone confirm that it is not possible to have a log of external attacks?

 

I have managed firewalls for many years and every other vendor from Cisco to Sonicwall provides log to have some visibility of external connections. I have tried to enable syslog on the Fortigate, but again it only shows "internal" logs, nothing on "external" traffic. 

 

Am I the only one who cares what is on the outside? Does't anyone want to have some visibility? It is a bit frustrating to say the least. 

 

 

fittan
New Contributor

68 views and no one can help? Can someone please answer:

 

1) Yes...you can view logs of traffic to your outside interface (i.e. external threat) or 

 

2) No...it cannot be done (and why would you want to do that). We are only concern with logging internal threats....external threats are not important.

tanr
Valued Contributor II

I'm not an expert at all, but a few questions, comments, and hopefully answers.

 

Are you looking at logs on a FortiGate, or using a FortiAnalyzer (best way to deal with Fortinet logs), and which firmware versions are you running?  Can you give some specific examples of what you're looking for?  

 

Do you have your Implicit Deny rule (bottom of the security policy rules) set to log?

If on a FortiGate, have you looked at Log & Report > Local Traffic, and filtered by Source Interface equal to one or all of your wan ports?

 

Beyond all that, it sounds like you want the logs related to local-in-policy (config firewall local-in-policy) which is what deals with direct access to the firewall.  See https://forum.fortinet.com/tm.aspx?m=154480 for a discussion of this.  Note the gotcha I ran into with this when my local-in-policy rules had the same IDs as "normal" security policies. 

 

To log the local-in-policy logs:

 

config log setting

  set local-in-allow enable

end

 

While you're in the "config log setting" section, type "set ?" to see some of the other options there, like local-in-deny-broadcast, etc.

 

Hope this helps.

fittan
New Contributor

Tanr, first of all thanks for taking time to reply.

 

To answer your questions....

1) I am looking at logs on Fortigate.

2) Yes the Implicit Deny rule at the bottom has the "Log violations" enabled.

3) The "Local traffic" log is empty.

4) Even under "Forti view" --> "Traffic from WAN" is empty. 

 

What I am looking for is any traffic FROM the internet. For example "deny telnet from <external ip> to <firewall outside interface>". That's it....some log to assure me that yes, the fortigate is actively blocking external threats.

 

Before I replace my Cisco ASA with the Fortigate, I get logs (few hundreds a day) of external IP trying to connect to to my network using Telnet, port 80 and other TCP ports etc. Now....zero. No visibility....Honestly, right now I could create a policy to open up my LAN to the entire Internet and couldn't tell the difference. 

 

 

tanr
Valued Contributor II

Should have noticed you said you have the 100E.  The 100E doesn't have local storage to store any logs, as far as I know.  I think the newest 6.0.x firmware allows storing some logs to memory, but I'm not sure and wouldn't recommend 6.0.x for any production work anyway.  If you instead have the 101E that model has local storage for logs.

 

Regardless, what do you seen when you go to the CLI and enter:

 

config log setting

  show full

 

Does it show that local-in-allow is enabled?  If so, you should be generated some of those logs, and could at least send them to a syslog server.

darwin_FTNT

You can try to set the outside interface to promiscuous mode by enabling one-arm sniffer mode for the interface.  Fortigate can generate traffic log for sniffer mode (done by ipsengine libips.so) including enabling all utm profiles (av, dlp, webfilter, ips, app-ctrl, etc.).  But ssl deep inspection or block page, and some operations are not possible.

fittan
New Contributor

Tanr, 

        My local-in-allow is currently disabled. I will enable it later and observe if it makes a difference.

 

        You're right that my 100E doesn't have local disk. I found that out when I couldn't find the "Threat map" link anywhere. When I saw this threat map during a google search I was quite "happy" as it shows external attacks being block on my Fortigate http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-fortiview-54/Consoles/Threat_Map.htm So I was more frustrated when told, because I don't have a local disk, this "feature" is not possible?!!?

 

        Does everyone Fortigate have local disk? I feel that I am the only one who is making a big fuss. Thanks Tanr for trying to help.

 

 

 

tanr
Valued Contributor II

I have D series FortiGates, which have local storage.  I wish Fortinet hadn't decided to make the local storage an (expensive) option on the E series FortiGates.  Like many others, I use a FortiAnalyzer to collect logs from a couple FortiGates and it is very useful, but if you're running a single small FortiGate local storage makes more sense to me.  It's also extremely useful when you're first setting things up.

 

I believe you can log to the FortiCloud service as well, though I don't use it.  The idea of logs in the cloud that I need to check when I'm having trouble connecting to the cloud seems problematic.  But for non-connectivity problems it should work well.  I believe you get a free FortiCloud account, though it doesn't include a lot of space for logs.  So you might want to try it out to see if it works for you.

 

Though I generate and archive syslogs from the FortiGates and my other devices they are not nearly as useful as the logs on the FortiAnalyzer, especially as Fortinet has some non-standard fields (or at least they used to -- haven't checked in a while).

 

One note on the FortiAnalyzer is that I've always run into some problem with synchronization when looking at FortiView on the FortiGate, which should pull logs and data from the FortiAnalyzer, but doesn't always do it correctly.  Likely something with my own config.

SS1982
New Contributor II

Use FortiAnalyzer is one of the best tool that can be use for what you want.

 

Regards

SS 

Labels
Top Kudoed Authors