Tuesday, August 9, 2016

Using Execute log filters to monitor firewall traffic

One cool function that's often overlooked in the firewall (FortiGate):

1: if you have logtraffic all enabled on your firewall policies, you can construct filters for traffic flows

2: and display just the traffic that matches the defined category and filter field(s)

3: speed up "traffic review" without having to go to a remote logging appliance
  (FortiCloud, FortiAnalyzer, remote syslog)


Here's a simple example using just a policyid together with the traffic category { # 0 }:


Now if a match was found, we would see details similar to the following:




Here are a few of the filter fields available under category #0 { traffic }:

FWF50D (socpuppy) $ execute  log  filter  field 
Available fields:
timestamp
action
app
appact
appcat
appid
applist
apprisk
collectedemail
countapp
countav
countdlp
countemail
countips
countweb
craction
crlevel
crscore
custom
date
devid
devtype
dstcountry
dstintf
dstip
dstname
dstport
dstssid
dstuuid
duration
group
lanin
lanout
level
logid
mastersrcmac
msg
osname
osversion
policyid
poluuid
proto
rcvdbyte
rcvdpkt
sentbyte
sentpkt
service
sessionid
shaperdroprcvdbyte
shaperdropsentbyte
shaperperipdropbyte
shaperperipname
shaperrcvdname
shapersentname
srccountry
srcintf
srcip
srcmac
srcname
srcport
srcssid
srcuuid
subtype
time
trandisp
tranip
tranport
transip
transport
type
unauthuser
unauthusersource
user
utmaction
vd
vpn
vpntype
wanin
wanoptapptype
wanout


I find myself using the following fields the most:

    dstip,srcip,policyid

Btw, these are the same filter fields available in FortiAnalyzer.

By stringing several filters together you can quickly confirm whether traffic is matching a policy and what action was taken.
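Here is the kind of filter sequence the post describes, combining category 0 with the three fields I use most, as an added example (not the post's own screenshots, which are not reproduced here). The policy id, the two addresses and the line count are assumed values, and the lines starting with # are annotations, not CLI input:

```text
# start from a clean filter so a previous session's settings don't narrow the result
FWF50D (socpuppy) $ execute log filter reset

# category 0 = traffic
FWF50D (socpuppy) $ execute log filter category 0

# narrow to one policy and one source/destination pair (assumed values)
FWF50D (socpuppy) $ execute log filter field policyid 5
FWF50D (socpuppy) $ execute log filter field srcip 192.0.2.10
FWF50D (socpuppy) $ execute log filter field dstip 198.51.100.20

# how many lines to show per page, then confirm the filter that is in effect
FWF50D (socpuppy) $ execute log filter view-lines 20
FWF50D (socpuppy) $ execute log filter dump

# display the matching entries from the local (memory or disk) log
FWF50D (socpuppy) $ execute log display
```

Each field filter narrows the previous one, so the entries displayed are only those that match the policy and both addresses; the action= value in each entry tells you whether the session was accepted or denied. Always run the reset first, otherwise a filter left behind from an earlier review silently hides entries. Only the log stored on the unit itself is searched, so on a memory-only model the window of retained traffic is short and older flows still have to be pulled from FortiAnalyzer or syslog.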


Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \
