Packet Logging - Fortinet FortiGate Series Administration Manual

Intrusion Protection                                                     IPS sensors
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
Page 543

Method
  Select Attacker's IP address to block all traffic sent from the attacker's IP
  address. The attacker's IP address is also added to the banned user list. The
  target's address is not affected.
  Select Attacker and Victim IP Addresses to block all traffic sent from the
  attacker's IP address to the target (victim's) IP address. Traffic from the
  attacker's IP address to addresses other than the victim's IP address is
  allowed. The attacker's and target's IP addresses are added to the banned
  user list as one entry.
  Select Attack's Incoming Interface to block all traffic from connecting to the
  FortiGate interface that received the attack. The interface is added to the
  banned user list.
Expires
  You can select whether the attacker is banned indefinitely or for a specified
  number of days, hours, or minutes.
Exempt IP
  Enter IP addresses to exclude from the override. The override will then apply
  to all IP addresses except those defined as exempt. The exempt IP
  addresses are defined in pairs, with a source and destination, and traffic
  moving from the source to the destination is exempt from the override.
Source
  The exempt source IP address. Enter 0.0.0.0/0 to include all source IP
  addresses.
Destination
  The exempt destination IP address. Enter 0.0.0.0/0 to include all
  destination IP addresses.

Packet logging

Packet logging is a way to debug custom signatures, or to check how any signature is
functioning in your network environment.

If a signature is selected in a custom override, and packet logging is enabled, the
FortiGate unit will save any network packet triggering the signature to memory, the internal
hard drive (if so equipped), a FortiAnalyzer, or the FortiGuard Analysis and Management
Service. These saved packets can later be viewed and saved in PCAP format for closer
examination.

Packet logging saves the network packets containing an IPS signature to the attack log.
The FortiGate unit will save the logged packets to wherever the logs are configured to be
stored, whether memory, internal hard drive, a FortiAnalyzer unit, or the FortiGuard
Analysis and Management Service.

You can enable packet logging only in signature overrides. It is not an available option in
IPS sensors or filters, because enabling packet logging on a large number of signatures
could produce an unusably large amount of data. Packet logging is designed as a focused
diagnostic tool.

Configuring packet logging

There are a number of CLI commands available to further configure packet logging. When
logging to memory, the packet-log-memory command defines the maximum amount of memory
used to store logged packets. This command only takes effect when logging to memory.

Since the packet containing the signature is, on its own, sometimes not sufficient to
troubleshoot a problem, the packet-log-history command allows you to specify how many
packets are captured when an IPS signature is found in a packet. If the value is set
larger than 1, the packet containing the signature is saved in the packet log, as well as
those preceding it, with the total number of logged packets equalling the value. For
example, if packet-log-history is set to 7, the FortiGate unit will save the packet
containing the IPS signature and the six before it.
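As an added illustration (not code from the Fortinet manual or from FortiOS), the following models the packet-log-history and packet-log-memory behaviour described above and writes a logged batch out in PCAP format: the sliding buffer, the byte budget and the PacketLogger class are a hypothetical construction for teaching, not FortiGate internals.

```python
# Added example (not from the Fortinet manual): a model of how packet-log-history
# and packet-log-memory shape what reaches the attack log, written out as PCAP.
import struct
from collections import deque
from typing import Deque, List, Optional


def pcap_bytes(packets: List[bytes], linktype: int = 1) -> bytes:
    """Serialise raw frames as a classic little-endian PCAP file (magic 0xa1b2c3d4)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        # Constructed timestamps, one second apart; a real capture uses arrival time.
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out


class PacketLogger:
    """Hypothetical logger: keeps the history-1 most recent packets so a signature hit
    is logged together with the packets that preceded it (packet-log-history), and
    refuses to log once the byte budget (packet-log-memory) would be exceeded."""

    def __init__(self, history: int, memory: int) -> None:
        self.history = max(1, history)      # history of 1 means the triggering packet only
        self.memory = memory                # cap on bytes held in memory, like packet-log-memory
        self.recent: Deque[bytes] = deque(maxlen=self.history - 1)
        self.used = 0
        self.logged: List[bytes] = []

    def observe(self, pkt: bytes, signature_hit: bool) -> Optional[List[bytes]]:
        """Feed one packet; returns the batch written on a hit, None otherwise."""
        written = None
        if signature_hit:
            batch = list(self.recent) + [pkt]        # preceding packets, then the trigger
            size = sum(len(p) for p in batch)
            if self.used + size <= self.memory:      # drop the batch rather than exceed the cap
                self.logged.extend(batch)
                self.used += size
                written = batch
        self.recent.append(pkt)                      # every packet joins the sliding history
        return written


if __name__ == "__main__":
    # Constructed traffic: ten 20-byte frames, the last one matching a signature.
    frames = [bytes([i]) * 20 for i in range(10)]
    log = PacketLogger(history=7, memory=4096)
    for i, frame in enumerate(frames):
        batch = log.observe(frame, signature_hit=(i == 9))
        if batch:
            print(f"hit on frame {i}: {len(batch)} packets logged, "
                  f"PCAP size {len(pcap_bytes(batch))} bytes")
```

With history set to 7 the hit on the tenth frame yields the triggering packet and the six before it, matching the manual's example; with the byte budget set too low the batch is refused rather than overrunning the cap.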
