Skip to content

FortiOS UTM, Event, and Traffic

Fortigate is a line of firewall devices produced by Fortinet. FortiGate Next Generation Firewalls enable security-driven networking and consolidate industry-leading security capabilities such as intrusion prevention system (IPS), web filtering, secure sockets layer (SSL) inspection, and automated threat protection.

App Function

  • Normalize incoming event data
  • Set various user tags
  • Reformat the event message using all the key/value pairs present in the original message

Vendor Documentation

Log Source Details

Item Value
Vendor Fortinet
Device Type Fortigate firewalls
Collection Method Syslog
Configurable Log Output? no
Exceptions N/A

Logs can be generated by the following functions:

  • Traffic
  • Security: Antivirus
  • Security: Intrusion Prevention
  • Security: Application Control
  • Security: Web Filter
  • Security: DNS
  • Security: Data Leak Prevention
  • Security: Email Filter
  • Security: Web Application Firewall
  • Security: Vulnerability Scan
  • Security: VoIP
  • Security: FortiClient
  • Event: Endpoint
  • Event: HA
  • Event: Compliance
  • Event: System
  • Event: Router
  • Event: VPN
  • Event: User
  • Event: WAN Opt.
  • Event: Cache
  • Event: WiFi

Incoming Log Format

The incoming log messages are comprised of key/value pairs, each key/value separated by = and each pair separated by space. The keys are not denoted by quotes, but some (and only some) of the values are. See the bottom for example log messages. Log messages are generated for many different event types, and each event type produces distinct and differing keys -- some keys are common to different event types, whereas some keys are unique to other event types.

Parsed Metadata Fields

The following fields (keys) are tagged. Note that the user tag name is the same as the field key name.

Removed Tagged Field Tag Name Example
date 2019-05-13
time 11:45:03
eventtime 1557513467369913239
logtime 1557513467369913239
action action close
addr addr (n/a)
agent agent curl/7.47.0
alert alert (n/a)
analyticssubmit analyticssubmit false
app app HTTP.BROWSER_Firefox
appcat appcat Web.Client
appid appid 40568
applist applist g-default
apprisk apprisk elevated
apscan apscan (n/a)
attack attack (n/a)
auditscore auditscore (n/a)
authproto authproto TELNET(
catdesc catdesc Malicious Websites
cfgobj cfgobj (n/a)
channeltype channeltype shell
connection_type connection_type (n/a)
countapp countapp 1
crlevel crlevel critical
desc desc (n/a)
detectionmethod detectionmethod (n/a)
devid devid FGVM02Q105060010
devtype devtype Linux PC
dir dir (n/a)
direction direction incoming
dlpextra dlpextra (n/a)
dstcountry dstcountry Canada
dstintf dstintf port11
dstintfrole dstintfrole undefined
dtype dtype Virus
encryption encryption (n/a)
eventtype eventtype infected
filtercat filtercat (n/a)
filtername filtername (n/a)
filtertype filtertype (n/a)
group group local-group1
ha_role ha_role (n/a)
icmpcode icmpcode (n/a)
icmpid icmpid (n/a)
icmptype icmptype (n/a)
init init (n/a)
interface interface port10
level level notice
license_limit license_limit (n/a)
logdesc logdesc Routing log
login login root
manuf manuf (n/a)
mastersrcmac mastersrcmac a2:e9:00:ec:40:01
method method domain
mode mode (n/a)
msg msg OSPF: RECV[Hello]: From via port9: Invalid Area ID
name name (n/a)
netid netid (n/a)
onwire onwire (n/a)
osname osname Ubuntu
outintf outintf (n/a)
policyid policyid 1
poluuid poluuid 707a0d88-c972-51e7-bbc7-4d421660557b
policytype policytype policy
polmode polmode learn
poluuid poluuid 707a0d88-c972-51e7-bbc7-4d421660557b
profile profile g-default
proto proto 6
qclass qclass (n/a)
qtype qtype (n/a)
quarskip quarskip File-was-not-quarantined.
radioband radioband (n/a)
rcvdbyte rcvdbyte 39898
rcvdpkt rcvdpkt 37
reason reason malformed input
reqtype reqtype direct
result result (n/a)
role role (n/a)
security security (n/a)
service service HTTP
sentbyte sentbyte 1850
sentpkt sentpkt 25
sessionid sessionid 8058
severity fortigate_severity (n/a)
sndetected sndetected (n/a)
srccountry srccountry Reserved
srcintf srcintf port12
srcintfrole srcintfrole undefined
srcmac srcmac a2:e9:00:ec:40:01
srcname srcname pc1
srcserver srcserver 0
service service HTTPS
ssid ssid (n/a)
stamac stamac (n/a)
status status success
subtype subtype forward
trandisp trandisp snat
transip transip
transport trandisp 40772
type fortigate_type traffic
ui ui (n/a)
user user bob
utmaction utmaction allow
utmref utmref 0-220586
vcluster_state vcluster_state (n/a)
vd vd vdom1
virus virus EICAR_TEST_FILE
vpntunnel vpntunnel (n/a)
xauthgroup xauthgroup (n/a)
xauthuser xauthuser (n/a)

High-Cardinality (HC) Tags

  • SrcIP
  • DstIP

Example Logs

Block SSL Traffic

action="blocked" dstintf="unknown-0" dstintfrole="undefined"
dstip="" dstport="8080" eventtype="ssl-anomalies"
level="warning" logid="1700062053" msg="Connection is blocked due
to unsupported SSL traffic" policyid="1"
profile="block-unsupported-ssl" proto="6" reason="malformed input"
service="SMTPS" sessionid="11424" srcintf="port2"
srcintfrole="undefined" srcip="" srcport="41296"
subtype="ssl" type="utm" vd="vdom1"

Successful Authentication

date=2019-05-13 time=15:55:56 logid="0102043008" type="event"
subtype="user" level="notice" vd="root" eventtime=1557788156913809277
logdesc="Authentication success" srcip= dstip=
policyid=1 interface="port10" user="bob" group="local-group1"
authproto="TELNET(" action="authentication"
status="success" reason="N/A" msg="User bob succeeded in

Web Access Denied

date=2019-05-13 time=16:29:45 logid="0316013056" type="utm"
subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1"
eventtime=1557790184975119738 policyid=1 sessionid=381780
srcip= srcport=44258 srcintf="port12"
srcintfrole="undefined" dstip= dstport=80
dstintf="port11" dstintfrole="undefined" proto=6 service="HTTP"
hostname="" profile="test-webfilter"
action="blocked" reqtype="direct" url="/" sentbyte=84 rcvdbyte=0
direction="outgoing" msg="URL belongs to a denied category in policy"
method="domain" cat=26 catdesc="Malicious Websites" crscore=30
craction=4194304 crlevel="high"

Fortigate Configuration

Fortigate should be configured as follows - Note that Local Traffic Log must be enabled.

Fortigate Configuration