How To Check Logs In FortiGate Firewall CLI


Checking logs within a FortiGate firewall via the command-line interface (CLI) is a crucial skill for network administrators and security professionals. The CLI offers direct access to the system, enabling real-time monitoring and in-depth troubleshooting.

Accessing the FortiGate CLI

To begin, establish a connection to the FortiGate CLI. Secure Shell (SSH) is the recommended method, providing an encrypted channel. Alternatively, a direct console connection can be used, typically via a serial cable.

Use an SSH client like PuTTY (Windows) or the built-in terminal (macOS/Linux) to connect to the FortiGate's management IP address. You will be prompted for a username and password. Authenticate using an account with appropriate administrative privileges (e.g., the 'admin' account or a custom account with 'read' and 'execute' permissions for system and log commands).

Basic Log Viewing Commands

Once logged in, several commands are available to view logs. The primary command is execute log display.

Displaying the Last Few Log Entries

The command execute log display, without any arguments, displays the most recent log entries. The number of entries displayed depends on the FortiGate's configuration, usually a limited amount (e.g., the last 10 entries).

To specify the number of log entries to display, use the last option followed by the desired number. For example, execute log display last 50 will show the last 50 log entries.

Filtering Log Output

Filtering log output is essential for isolating specific events. The CLI provides several options for filtering.

execute log filter category: Filters logs by category (e.g., traffic, event, system).

For example, execute log filter category traffic will display only traffic-related log entries. Common categories include event, system, user, vpn, and webfilter.

execute log filter severity: Filters logs by severity level (e.g., emergency, alert, critical, error, warning, notification, information, debug).

For example, execute log filter severity critical will display only log entries with a critical severity level. Note that this filter matches a single level rather than a level and everything above it: if you filter for 'critical', you will see only 'critical' entries, and not, for example, 'emergency' or 'alert' entries, even though those are more severe.

execute log filter device: Filters logs based on the Virtual Domain (VDOM) or device name.

This is particularly relevant in multi-VDOM environments. Use execute log filter device root to filter logs related to the root VDOM, or specify the name of another configured VDOM.

execute log filter field: Filters logs based on the content of a specific log field.

Examples include source IP address (srcip), destination IP address (dstip), source port (srcport), destination port (dstport), and username (user). For example, execute log filter field srcip 192.168.1.10 filters for logs originating from IP address 192.168.1.10.

Multiple filters can be combined to refine the log output. For example, to view all critical traffic logs from IP address 192.168.1.10, use the following sequence:

  1. execute log filter category traffic
  2. execute log filter severity critical
  3. execute log filter field srcip 192.168.1.10
  4. execute log display

To clear all filters, use the command execute log filter clear.

Searching Within Log Entries

To search for a specific string within the log entries, use the execute log filter field msg command.

For instance, execute log filter field msg "Failed login" will display logs containing the phrase "Failed login". Whether the match is case-sensitive depends on the FortiGate firmware version.

Note: Excessive use of string searches can impact performance, especially on busy firewalls. It is best to use other filters to narrow down the search before applying the string filter.

Advanced Log Viewing

Real-Time Log Monitoring

For real-time log monitoring, use the command execute log tail. This command displays new log entries as they are generated. Press Ctrl+C to exit the tailing mode.

execute log tail supports the same filtering options as execute log display. For example, to tail only traffic logs with a severity of warning or higher, use:

  1. execute log filter category traffic
  2. execute log filter severity warning
  3. execute log tail

Analyzing Log Fields

Each log entry contains multiple fields providing detailed information about the event. These fields vary depending on the log category and event type.

Common log fields include:

  • date: Date and time of the event.
  • eventtime: Timestamp of the event.
  • logid: Unique identifier for the log entry.
  • type: Log type (e.g., traffic, event, security).
  • subtype: Log subtype (e.g., policy, attack).
  • level: Severity level.
  • vd: Virtual Domain.
  • srcip: Source IP address.
  • dstip: Destination IP address.
  • srcport: Source port.
  • dstport: Destination port.
  • proto: Protocol (e.g., TCP, UDP, ICMP).
  • policyid: Policy ID that matched the traffic.
  • user: Username (if authentication is involved).
  • action: Action taken (e.g., accept, deny).
  • msg: Descriptive message about the event.
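The filter sequence shown earlier (category, then severity, then a field such as srcip, then display) and the field list above, reproduced offline as an added Python example; this is not FortiOS code or code from the page. It parses constructed FortiGate-style key=value entries (the IPs, policy IDs and log IDs are invented) and applies the same filters the CLI commands describe.

```python
import re
from typing import Dict, List, Optional

# Constructed sample entries in FortiGate's key=value log format (not captured
# from a real device); IPs, ports, policy IDs and log IDs are made up.
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:01:02 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=192.168.1.10 srcport=51234 dstip=10.0.0.5 dstport=443 '
    'proto=6 action="accept" policyid=12 msg="traffic forwarded"',
    'date=2024-01-15 time=10:01:05 logid="0000000014" type="traffic" subtype="forward" '
    'level="critical" vd="root" srcip=192.168.1.10 srcport=51240 dstip=10.0.0.9 dstport=22 '
    'proto=6 action="deny" policyid=0 msg="traffic denied"',
    'date=2024-01-15 time=10:02:10 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" user="admin" srcip=203.0.113.7 action="login" msg="Failed login"',
    'date=2024-01-15 time=10:03:00 logid="0000000015" type="traffic" subtype="forward" '
    'level="critical" vd="dmz" srcip=192.168.2.20 dstip=10.0.0.5 dstport=443 proto=6 '
    'action="deny" policyid=0 msg="traffic denied"',
]

# One key=value pair; the value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_entry(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a {field: value} dictionary."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def apply_filters(entries: List[Dict[str, str]], category: Optional[str] = None,
                  severity: Optional[str] = None, device: Optional[str] = None,
                  **fields: str) -> List[Dict[str, str]]:
    """Mirror the CLI filters: category -> type, severity -> level, device -> vd,
    and any extra keyword (e.g. srcip=...) -> that log field. Severity is an exact
    level match, as the text describes for execute log filter severity."""
    out = []
    for e in entries:
        if category and e.get("type") != category:
            continue
        if severity and e.get("level") != severity:
            continue
        if device and e.get("vd") != device:
            continue
        if any(e.get(k) != v for k, v in fields.items()):
            continue
        out.append(e)
    return out

def search_msg(entries: List[Dict[str, str]], phrase: str) -> List[Dict[str, str]]:
    """Substring search on msg, like execute log filter field msg; case-insensitive here."""
    return [e for e in entries if phrase.lower() in e.get("msg", "").lower()]

def display(entries: List[Dict[str, str]], last: Optional[int] = None) -> List[Dict[str, str]]:
    """Return the most recent entries, like execute log display last N."""
    return entries if last is None else entries[-last:]
```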

The get system status command can provide an overview of the system's health, including CPU and memory utilization, which can be relevant when analyzing log performance.

Log Storage and Rotation

The FortiGate stores logs internally on its hard drive or SSD. However, internal storage is typically limited. For long-term log retention and analysis, consider configuring remote logging to a FortiAnalyzer appliance, a syslog server, or a cloud-based SIEM (Security Information and Event Management) solution.

To check the log disk settings, enter config log disk setting and then run show to display the current configuration.

Log rotation is enabled by default to prevent the log disk from filling up. Older logs are automatically archived or deleted according to the configured retention policy. Use config log disk filter to configure which types of logs are recorded to disk.

Troubleshooting Log Viewing Issues

If you encounter issues viewing logs, consider the following:

  • Permissions: Ensure the user account has sufficient privileges to view logs.
  • Filters: Verify that filters are not inadvertently excluding the desired log entries. Use execute log filter clear to remove all filters and start with a clean slate.
  • Disk Space: Check the available disk space using the get system status command. If the disk is full, the FortiGate may not be able to write new logs.
  • Remote Logging: If remote logging is configured, verify that the remote server is reachable and functioning correctly.
  • Time Synchronization: Confirm that the FortiGate's system time is synchronized with a reliable NTP server. Incorrect timestamps can make it difficult to correlate log entries with other events.

Key Takeaways

The FortiGate CLI provides powerful tools for viewing and analyzing logs. Mastering these commands is essential for effective network security monitoring and troubleshooting.

  • Use execute log display to view recent log entries.
  • Apply filters (category, severity, device, field) to narrow down the log output.
  • Utilize execute log tail for real-time log monitoring.
  • Understand common log fields to extract relevant information.
  • Consider remote logging to a FortiAnalyzer or syslog server for long-term storage and analysis.

By leveraging the CLI's logging capabilities, administrators can gain valuable insights into network traffic, security events, and system behavior, enabling proactive threat detection and mitigation.
