Here is the second tutorial I created; hope you enjoy this one too.
Logging and Alerts
A FortiGate can store its logs in the following locations:
1. Local HDD – this option can be enabled from the CLI (only on models that actually have a hard disk).
2. FortiAnalyzer – this is my favorite. It is a dedicated appliance to which the FortiGate sends all of its logs, and from which you can then generate detailed reports.
This option is enabled by entering the IP of the FortiAnalyzer (FA) or by using “Automatic Discovery”, but automatic discovery only works when the FA is on the same subnet as the FortiGate.
Logs are sent to the FortiAnalyzer either as syslog (UDP 514) or over TCP 514 using OFTP, Fortinet's own transfer protocol. OFTP is also what carries content archives and what lets you remotely view the log files and reports stored on the FA. Keep in mind that UDP syslog is neither reliable nor encrypted, so prefer the TCP/OFTP path and never send logs in the clear across an untrusted network.
3. System memory – I do not recommend this: it consumes CPU and memory, the buffer is small (the oldest entries are overwritten as it fills up), and memory is VOLATILE, so if the FortiGate reboots you lose all your logs.
4. Syslog – captures Traffic, Event, VoIP, AntiSpam, AntiVirus and Attack logs. This option does NOT support content archive logs.
5. FortiGuard Analysis Service
This is a subscription-based service that provides a web-based logging and reporting solution, which basically means that Fortinet stores your logs for you. This is not ideal if your business handles important and sensitive data (I know we all have important stuff 😉 ).
Another advantage of FortiAnalyzer and syslog is that the FortiGate supports up to three FortiAnalyzer units and up to three syslog servers for logging. The second and third of each can only be configured from the CLI.
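The CLI configuration for the log destinations listed above, as an added example that is not from the original post. The IP addresses are made up, the `#` lines are annotations in config-file style, and the command tree is the FortiOS 4.x one this tutorial is written against (the syntax drifts between releases, so check it against your own firmware before pasting):

```fortios
# --- 1. Local disk: enable logging to the HDD (models with a disk only) ---
config log disk setting
    set status enable
end

# --- 2. FortiAnalyzer: give the FA's IP explicitly instead of relying on
# automatic discovery, which only works when the FA is on the same subnet.
# 192.0.2.10 is a made-up address.
config log fortianalyzer setting
    set status enable
    set server 192.0.2.10
end

# A second FortiAnalyzer (and a third via "fortianalyzer3") can only be
# added from the CLI; there is no GUI page for it.
config log fortianalyzer2 setting
    set status enable
    set server 192.0.2.11
end

# --- 3. Memory: leave it disabled. It costs CPU/RAM, the buffer is small
# and everything is lost on reboot.
config log memory setting
    set status disable
end

# --- 4. Syslog: plain UDP 514 to a collector (192.0.2.20 is made up).
# UDP syslog is neither reliable nor encrypted, so keep the collector on a
# trusted management network. Content archives cannot be sent this way.
config log syslogd setting
    set status enable
    set server 192.0.2.20
    set port 514
    set facility local7
end

# Choose which log types are forwarded over syslog: the traffic, event,
# VoIP, antispam, antivirus and attack categories listed in the tutorial.
config log syslogd filter
    set severity information
    set traffic enable
    set event enable
    set voip enable
    set spam enable
    set virus enable
    set attack enable
end

# Syslog servers 2 and 3 ("syslogd2" / "syslogd3") likewise exist only in
# the CLI, with the same "setting" and "filter" sub-trees.
```

To check the result, `diagnose log test` injects sample entries of every log type so you can confirm they actually arrive at the FA and at the syslog collector. Newer releases also have `execute log fortianalyzer test-connectivity`, which reports whether the FA accepted the OFTP connection on TCP 514; if that fails, the usual culprit is a firewall or routing problem between the FortiGate and the FA rather than the logging configuration itself.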
Since I mentioned content archiving, it makes sense to explain what that means.
The content archiving feature lets you store session transaction data off-box, on a FortiAnalyzer. The following traffic can be archived:
1. HTTP
2. FTP
3. NNTP
4. IM (Yahoo, ICQ, MSN, AIM)
5. Email (POP3, IMAP, SMTP)
This feature is ONLY available when you are using a FortiAnalyzer. With the FortiGuard Analysis Service, only a content summary is stored, not the full archive.
To enable content archiving you must use DLP rules, which we will cover in an upcoming tutorial.
Hope this helped you.
See you on the next tutorial,
Daniel