Fortinet black logo

Administration Guide

Security Fabric traffic log to UTM log correlation

Security Fabric traffic log to UTM log correlation

FortiAnalyzer correlates traffic logs to corresponding UTM logs so that it can report sessions/bandwidth together with its UTM threats. Within a single FortiGate, the correlation is performed by grouping logs with the same session IDs, source and destination IP addresses, and source and destination ports.

In a Cooperative Security Fabric (CSF), the traffic log is generated by the ingress FortiGate, while UTM inspection (and subsequent logs) can occur on any of the FortiGates. This means that the traffic logs did not have UTM related log fields, as they would on a single FortiGate. Different CSF members also have different session IDs, and NAT can hide or change the original source and destination IP addresses. Consequently, without a proper UTM reference, the FortiAnalyzer will fail to report UTM threats associated with the traffic.

This feature adds extensions to traffic and UTM logs so that they can be correlated across different FortiGates within the same security fabric. It creates a UTM reference across CSF members and generates the missing UTM related log fields in the traffic logs as if the UTM was inspected on a single FortiGate.

NAT translation is also considered when searching sources and destinations in both traffic and UTM logs. The FortiGate will generate a special traffic log to indicate the NAT IP addresses to the FortiAnalyzer within the CSF.

Traffic logs to DNS and SSH UTM references are also implement - the DNS and SSH counts in Log View can now be clicked on to open the related DNS and SSH UTM log. IPS logs in the UTM reference are processed for both their sources and destinations in the same order, and in the reverse order as the traffic log. The FortiGate log version indicator is expanded and used to make a correct search for related IPS logs for a traffic log.

This feature requires no special configuration. The FortiAnalyzer will check the traffic and UTM logs for all FortiGates that are in the same CSF cluster and create the UTM references between them.

To view the logs:
  1. On the FortiAnalyzer, go to Log View > Traffic.
    The UTM security event list, showing all related UTM events that can happen in another CSF member, is shown.
  2. Click the count beside a UTM event to open the related UTM event log window. In this example, the traffic log is from the CSF child FortiGate, and the UTM log is from the CSF root FortiGate.
    Screenshot displaying CSF created UTM reference
    Like other UTM logs, newly added DNS and SSH UTM references can also be shown in the FortiAnalyzer Log View. Clicking the count next to the DNS or SSH event opens the respective UTM log.
  3. Go to SOC > FortiView > Threats > Top Threats. All threats detected by any CSF member are shown.

    Screenshot displaying CSF FortiView Top Threats

  4. The created UTM reference is also transparent to the FortiGate when it gets its logs from the FortiAnalyzer. On the FortiGate, the traffic log shows UTM events and referred UTM logs from other CSF members, even though the FortiGate does not generate those UTM log fields in its traffic log. In this example, the CSF child FortiGate shows the referred UTM logs from the CSF root FortiGate.


Security Fabric traffic log to UTM log correlation

FortiAnalyzer correlates traffic logs to corresponding UTM logs so that it can report sessions/bandwidth together with its UTM threats. Within a single FortiGate, the correlation is performed by grouping logs with the same session IDs, source and destination IP addresses, and source and destination ports.

In a Cooperative Security Fabric (CSF), the traffic log is generated by the ingress FortiGate, while UTM inspection (and subsequent logs) can occur on any of the FortiGates. This means that the traffic logs did not have UTM related log fields, as they would on a single FortiGate. Different CSF members also have different session IDs, and NAT can hide or change the original source and destination IP addresses. Consequently, without a proper UTM reference, the FortiAnalyzer will fail to report UTM threats associated with the traffic.

This feature adds extensions to traffic and UTM logs so that they can be correlated across different FortiGates within the same security fabric. It creates a UTM reference across CSF members and generates the missing UTM related log fields in the traffic logs as if the UTM was inspected on a single FortiGate.

NAT translation is also considered when searching sources and destinations in both traffic and UTM logs. The FortiGate will generate a special traffic log to indicate the NAT IP addresses to the FortiAnalyzer within the CSF.

Traffic logs to DNS and SSH UTM references are also implement - the DNS and SSH counts in Log View can now be clicked on to open the related DNS and SSH UTM log. IPS logs in the UTM reference are processed for both their sources and destinations in the same order, and in the reverse order as the traffic log. The FortiGate log version indicator is expanded and used to make a correct search for related IPS logs for a traffic log.

This feature requires no special configuration. The FortiAnalyzer will check the traffic and UTM logs for all FortiGates that are in the same CSF cluster and create the UTM references between them.

To view the logs:
  1. On the FortiAnalyzer, go to Log View > Traffic.
    The UTM security event list, showing all related UTM events that can happen in another CSF member, is shown.
  2. Click the count beside a UTM event to open the related UTM event log window. In this example, the traffic log is from the CSF child FortiGate, and the UTM log is from the CSF root FortiGate.
    Screenshot displaying CSF created UTM reference
    Like other UTM logs, newly added DNS and SSH UTM references can also be shown in the FortiAnalyzer Log View. Clicking the count next to the DNS or SSH event opens the respective UTM log.
  3. Go to SOC > FortiView > Threats > Top Threats. All threats detected by any CSF member are shown.

    Screenshot displaying CSF FortiView Top Threats

  4. The created UTM reference is also transparent to the FortiGate when it gets its logs from the FortiAnalyzer. On the FortiGate, the traffic log shows UTM events and referred UTM logs from other CSF members, even though the FortiGate does not generate those UTM log fields in its traffic log. In this example, the CSF child FortiGate shows the referred UTM logs from the CSF root FortiGate.