Strange syslog for Fortigate device

Author
BensonLEI
Silver Member
  • Total Posts : 85
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/01 21:08:14
  • Status: offline
2020/12/23 01:15:06 (permalink)
0


Hi, Guys,
 
We found some strange syslog messages like the following; we have not configured or defined these policies?
Any recommendation to fix these problems:
 
uID : 5025117
Date : Today 03:46:51
Host : 10.16.9.6
Messagetype : Syslog
Facility : LOCAL7
Severity : ERR
Syslogtag : date=2020-12-23
Checksum : 0
Message time=03:46:50 devname="Forti400e_Fw02" devid="FG4H000000000004" logid="1501054200" type="utm" subtype="dns" eventtype="dns-response" level="error" vd="root" eventtime=1608709611360453548 tz="-0400" policyid=0 sessionid=0 srcport=0 srcintf="unknown0" srcintfrole="undefined" dstip=169.254.0.2 dstport=53 dstintf="unknown0" dstintfrole="undefined" proto=17 xid=47105 qname="login.microsoft.com" qtype="A" qtypeval=1 qclass="IN" msg="A DNS resolution error occurs" action="pass" error="DNS query timeout"
 
 
 
Details for the syslog messages with id '5032066'
uID : 5032066
Date : Today 04:03:27
Host : 10.16.9.6
Messagetype : Syslog
Facility : LOCAL7
Severity : WARNING
Syslogtag : date=2020-12-23
Checksum : 0

Message time=04:03:27 devname="Forti400e_Fw02" devid="FG4H000000000005" logid="0113022923" type="event" subtype="sdwan" level="warning" vd="root" eventtime=1608710608185897467 tz="-0400" logdesc="Virtual WAN Link status" eventtype="Service" serviceid=3 service="To_01DC" msg="Service disabled caused by no outgoing path."
 
 
 
Many thanks
 
 
#1
Benoit_Rech_FTNT
Bronze Member
  • Total Posts : 51
  • Scores: 9
  • Reward points: 0
  • Joined: 2013/06/04 02:38:46
  • Location: Sophia Antipolis (France)
  • Status: offline
Re: Strange syslog for Fortigate device 2020/12/23 02:22:30 (permalink) | Marked helpful by BensonLEI 2020/12/23 18:11:32
0
Hello Benson,

these syslogs are not related to a firewall policy (we can see in the syslog that the policy-id is set to 0) but are generated by the system:
* first one: a DNS query hasn't received a response
* second one: routing issue on SD-WAN, with one path unavailable.

There are some filters you can apply on syslog, and you can also configure filters on events.


#config log syslogd filter
# get
severity : information
forward-traffic : enable
local-traffic : enable
multicast-traffic : enable
sniffer-traffic : enable
anomaly : enable
voip : enable
gtp : enable
filter :
filter-type : include
 
and
# config log eventfilter
# get
event : enable
system : enable
vpn : enable
user : enable
router : enable
wireless-activity : enable
wan-opt : enable
endpoint : enable
ha : enable
security-rating : enable
fortiextender : enable
connector : enable
 
Best regards,
Benoit
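The two records quoted in the thread are FortiGate key=value syslog, and the point of this reply (policyid=0 means the record came from the system, not from a firewall policy, and type/subtype/msg say which subsystem raised it) can be turned into a small triage routine. The following is an added example, not code from the thread or from Fortinet; the two sample lines are constructed copies of the messages above with the "Message " prefix and line wrapping removed, and the category names are my own labels.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples: the two FortiGate messages quoted in the thread, with the
# "Message " prefix and line wrapping removed so each record is one line.
SAMPLE_LOGS = [
    'time=03:46:50 devname="Forti400e_Fw02" devid="FG4H000000000004" '
    'logid="1501054200" type="utm" subtype="dns" eventtype="dns-response" '
    'level="error" vd="root" eventtime=1608709611360453548 tz="-0400" '
    'policyid=0 sessionid=0 srcport=0 srcintf="unknown0" srcintfrole="undefined" '
    'dstip=169.254.0.2 dstport=53 dstintf="unknown0" dstintfrole="undefined" '
    'proto=17 xid=47105 qname="login.microsoft.com" qtype="A" qtypeval=1 '
    'qclass="IN" msg="A DNS resolution error occurs" action="pass" '
    'error="DNS query timeout"',
    'time=04:03:27 devname="Forti400e_Fw02" devid="FG4H000000000005" '
    'logid="0113022923" type="event" subtype="sdwan" level="warning" vd="root" '
    'eventtime=1608710608185897467 tz="-0400" logdesc="Virtual WAN Link status" '
    'eventtype="Service" serviceid=3 service="To_01DC" '
    'msg="Service disabled caused by no outgoing path."',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line):
    """Return the key=value fields of one FortiGate syslog record as a dict."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def event_time_utc(fields):
    """eventtime is nanoseconds since the Unix epoch; tz= only annotates the local offset."""
    seconds, nanos = divmod(int(fields["eventtime"]), 10**9)
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=nanos // 1000)


def classify(fields):
    """Label a record the way the reply explains it: policyid=0 means no firewall
    policy produced it (system-generated); type/subtype/msg name the subsystem.
    The category strings are this example's own labels, not FortiOS terms."""
    origin = "system" if fields.get("policyid", "0") == "0" else "policy"
    category = "other"
    if fields.get("type") == "utm" and fields.get("subtype") == "dns" and "error" in fields:
        category = "dns-resolution-error"
    elif fields.get("subtype") == "sdwan" and "no outgoing path" in fields.get("msg", ""):
        category = "sdwan-no-outgoing-path"
    return {
        "origin": origin,
        "category": category,
        "level": fields.get("level", "unknown"),
        "time_utc": event_time_utc(fields).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def triage(lines):
    """Classify a batch of records; returns one summary dict per input line."""
    return [classify(parse_fortigate(line)) for line in lines]


if __name__ == "__main__":
    for summary in triage(SAMPLE_LOGS):
        print(summary)
```

Note that eventtime is an absolute nanosecond timestamp while time= and tz= are the device-local clock, so comparing records across devices or time zones is safest on eventtime.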


#2
emnoc
Expert Member
  • Total Posts : 5979
  • Scores: 402
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Strange syslog for Fortigate device 2020/12/23 07:57:18 (permalink) ☄ Helpfulby BensonLEI 2020/12/23 18:20:13
0
OP
 
Also, FortiOS has a log reference on their website that will give you inside details on the log structure,
 
e.g.
 
https://docs.fortinet.com/document/fortigate/6.2.0/fortios-log-message-reference/656858/log-id-definitions
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#3
BensonLEI
Silver Member
  • Total Posts : 85
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/01 21:08:14
  • Status: offline
Re: Strange syslog for Fortigate device 2020/12/23 18:20:03 (permalink)
0
Hi, Benoit,
 
Thanks for your helpful information; questions for the second log event:
1. It is "WARNING" level; it scares me.
2. The SD-WAN zone is created for network traffic, but the syslog says "Service disabled caused by no outgoing path"; how to identify the root cause and fix it?
 
Many thanks
 
#4
sw2090
Expert Member
  • Total Posts : 896
  • Scores: 68
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: Strange syslog for Fortigate device 2020/12/28 00:09:56 (permalink)
0
Looks to me as if the second one caused the first one ;)
 
SD-WAN stopped working because of "no outgoing path". Sounds to me as if all WANs were down at this time.
In consequence, afterwards the DNS request to login.microsoft.com timed out because there was no internet available to resolve that.
 
Oh, and policy #0 exists by default and is the "drop anything that did not match any other policy" one :)
#5
emnoc
Expert Member
  • Total Posts : 5979
  • Scores: 402
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Strange syslog for Fortigate device 2020/12/28 06:07:25 (permalink)
0
I have to disagree; the timestamps are too far apart for those two log events to be even remotely related. The 1st one is surely web-filter or DLP related and a DNS-resolution failure.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
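The disagreement between the last two replies comes down to a check that can be made explicit: does the candidate cause precede the effect, and is the gap small enough? This is an added example, not code from the thread; the two line fragments are constructed from the eventtime values quoted in the original post (nanoseconds since the Unix epoch), and the 120-second default window is an assumed threshold, not a value from the thread.

```python
import re

# Constructed fragments carrying only the fields needed here, taken from the two
# records quoted in the thread (eventtime is nanoseconds since the Unix epoch).
DNS_TIMEOUT = 'logid="1501054200" subtype="dns" eventtime=1608709611360453548 error="DNS query timeout"'
SDWAN_DOWN = 'logid="0113022923" subtype="sdwan" eventtime=1608710608185897467 msg="Service disabled caused by no outgoing path."'

EVENTTIME_RE = re.compile(r'\beventtime=(\d+)\b')


def eventtime_ns(line):
    """Extract the eventtime field as an integer number of nanoseconds."""
    m = EVENTTIME_RE.search(line)
    if m is None:
        raise ValueError("record has no eventtime field")
    return int(m.group(1))


def gap_seconds(line_a, line_b):
    """Signed gap in seconds: positive when line_b happened after line_a."""
    return (eventtime_ns(line_b) - eventtime_ns(line_a)) / 1e9


def could_explain(cause_line, effect_line, window_seconds=120.0):
    """A candidate cause must precede the effect and fall inside the window.
    The default window is an assumption for this example, not a FortiOS value."""
    gap = gap_seconds(cause_line, effect_line)
    return 0 <= gap <= window_seconds


if __name__ == "__main__":
    print(f"SD-WAN event is {gap_seconds(DNS_TIMEOUT, SDWAN_DOWN):.1f} s after the DNS timeout")
    print("SD-WAN outage could explain the DNS timeout:", could_explain(SDWAN_DOWN, DNS_TIMEOUT))
```

On the values from the thread the SD-WAN record is about 997 seconds after the DNS timeout, so it fails the ordering test regardless of the window chosen; the same function, run over a whole day's records, is a cheap way to pair SD-WAN link events with the DNS errors that follow them.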
#6
BensonLEI
Silver Member
  • Total Posts : 85
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/01 21:08:14
  • Status: offline
Re: Strange syslog for Fortigate device 2020/12/29 00:42:16 (permalink)
0
Hi, Guys,
 
Thanks so much for all your information... the first issue (uID : 5025117) was found to be due to the FortiGate DNS setting (auto internet SLA detection); hence no concern.
 
#7
secfnd
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/02/18 11:24:57
  • Status: offline
Re: Strange syslog for Fortigate device 2021/02/18 11:26:35 (permalink)
0
Were you able to find a resolution to the second issue? I'm dealing with the same thing.
#8
BensonLEI
Silver Member
  • Total Posts : 85
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/01 21:08:14
  • Status: offline
Re: Strange syslog for Fortigate device 2021/02/22 19:02:33 (permalink)
0
Hi, secfnd,
 
You may check the system log for this issue.
© 2021 APG vNext Commercial Version 5.5