
7 Key Configurations To Optimize Fortinet FortiGate's Logging and Reporting

by Scott Glew

Since its release almost one year ago, Fastvue Reporter for FortiGate is now actively assisting Fortinet customers with improved visibility into their organization's internet and network usage on almost every continent across the globe (come on Antarctica!).

Fastvue Reporter for FortiGate Downloads - May 2020

During this time, we've spoken to many customers and have identified some key configuration options that greatly improve Fortinet FortiGate's logging and reporting, providing better visibility into user internet usage and how your network is operating.

Here are the seven most important configuration options you should perform on your FortiGate to improve the detail and visibility of the reports and alerts from Fastvue Reporter for FortiGate.

1. Enable Web Filtering

First of all, make sure your outbound web policies have Web Filtering enabled, and that your web filter profile has a healthy mix of allowed, blocked and warned sites.

Without web filtering enabled, your FortiGate will not log the URL or the category of websites people are visiting. As most reports in Fastvue Reporter for FortiGate show information about internet usage activity, the web filter logs are critical.

2. Enable Referrer URL and Extended Logging

One of the major inputs to Fastvue’s Site Clean engine is the referrer URL field in Fortinet FortiGate's web filter logs. Imagine a web page with 100 images on it, each embedded directly from a different domain or website. The referrer URL tells Fastvue Reporter what web page the images were on, rather than the image's actual URL, which will be from a strange website you never directly visited. With modern web pages serving content from Content Delivery Networks and other services, the referrer URL plays a very important part in showing the 'real' website a person was visiting.

The logging of referrer URLs was introduced in FortiOS 5.4, and FortiOS 6.0 introduced ‘extended logging’ that adds other useful HTTP headers to the logs. Unfortunately, you need to enable these features manually via the Fortinet FortiGate CLI for each web filter profile that you have.

config webfilter profile
    edit {Name of your profile}
        set log-all-url enable
        set web-filter-referer-log enable
        set extended-log enable
        set web-extended-all-action-log enable
    next
end

Repeat for all web filter profiles you need to report on.
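To show why the referrer URL and the full URL path matter, here is an added example (not Fastvue's or Fortinet's code) that parses FortiOS web filter log lines in their key=value syslog form and attributes each request to the page that referred it, falling back to the request's own host when no referrer was logged. It also pulls a Google search term out of the logged URL, which is only possible when the path and query were logged. The three log lines are constructed for the example; the field names hostname, url and referralurl follow the FortiOS web filter log schema, but every value is made up.

```python
"""Attribute FortiGate web filter log lines to the site a person actually
visited, using the referrer URL (logged as referralurl=) when present.
Added example: the sample lines below are constructed, not real log data."""
import shlex
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in FortiOS key=value syslog syntax.
# Line 1: an image on a CDN, referred from a news page (the site we want to credit).
# Line 2: a Google search logged with its full path and query (deep SSL inspection on).
# Line 3: the same host logged with only the domain (deep SSL inspection off),
#         so the search term cannot be recovered.
SAMPLE_LOGS = [
    'date=2020-05-01 time=09:00:01 type="utm" subtype="webfilter" user="alice" '
    'srcip=10.0.0.5 hostname="cdn.example-images.net" url="/img/hero.jpg" '
    'referralurl="https://news.example.com/story/123" action="passthrough"',
    'date=2020-05-01 time=09:00:02 type="utm" subtype="webfilter" user="alice" '
    'srcip=10.0.0.5 hostname="www.google.com" url="/search?q=fortigate+quic+block" '
    'referralurl="" action="passthrough"',
    'date=2020-05-01 time=09:00:03 type="utm" subtype="webfilter" user="bob" '
    'srcip=10.0.0.6 hostname="www.google.com" url="/" referralurl="" action="passthrough"',
]


def parse_fortios_line(line):
    """Split a FortiOS key=value line into a dict; shlex handles quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def visited_site(fields):
    """Site to credit for this request: the referring page's host if logged,
    otherwise the request's own host."""
    referrer = fields.get("referralurl", "")
    if referrer:
        host = urlsplit(referrer).hostname
        if host:
            return host
    return fields.get("hostname", "")


def search_term(fields):
    """Return the q= parameter of a Google search, or None when the URL was
    logged without its path/query (no deep SSL inspection) or is not a search."""
    if fields.get("hostname", "") != "www.google.com":
        return None
    query = urlsplit(fields.get("url", "")).query
    terms = parse_qs(query).get("q")
    return terms[0] if terms else None


def summarize(lines):
    """Count hits per attributed site and collect any recoverable search terms."""
    sites = Counter()
    terms = []
    for line in lines:
        fields = parse_fortios_line(line)
        sites[visited_site(fields)] += 1
        term = search_term(fields)
        if term:
            terms.append(term)
    return sites, terms


if __name__ == "__main__":
    sites, terms = summarize(SAMPLE_LOGS)
    print("Sites:", dict(sites))
    print("Search terms:", terms)
```

Run against the constructed lines, the CDN host never appears in the site counts (its hit is credited to news.example.com), and only one search term is recovered: the request logged with just the domain yields nothing, which is exactly the blank Search Terms section described in the next item.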

3. Enable Deep SSL Inspection

The lack of Deep SSL Inspection is the main reason why you're not seeing any Search Terms or YouTube videos in your reports, or why you see a website you did not visit in the reports. Without Deep SSL Inspection enabled, referrer URLs for HTTPS websites will not be logged, and only the domain portion of a URL will be logged (e.g. www.google.com, but not www.google.com/search?q=my+search+term).

Fortinet FortiGate Deep SSL Inspection

Unfortunately, deep SSL inspection is often viewed as a pain to set up or deploy, but be aware that enabling deep SSL Inspection is not just required for better reporting. With the advent of Let's Encrypt making SSL certificates available for free, it is now easier than ever for a bad actor to spin up an HTTPS website, host malware on it and direct traffic to the site with a variety of methods such as phishing, malvertising, URL injections, malicious redirects etc. Without Deep SSL Inspection, that malware will sail straight through your firewall.

"An HTTPS / SSL website should not be confused with a 'safe' website!"

For more information, please see our article on how to enable Deep SSL Inspection in Fortinet FortiGate, including information on how to check if Deep SSL Inspection is working on specific websites.

4. Authenticate Users

Fastvue Reporter for FortiGate enables easy reporting on Users, Departments, Offices, and Security Groups as defined in Active Directory.

However, Fastvue Reporter for FortiGate can only show usernames if they exist in the log data sent to the Fastvue server from the FortiGate. This only happens when your FortiGate is authenticating users. 

Any authentication method that authenticates against your Active Directory server will do, but we recommend AD SSO. See Fortinet's documentation - Single sign-on to Windows AD.

You can see if your FortiGate is correctly authenticating users by checking the on-box live log. Go to Log and Report | Web Filter and make sure the Username field is visible. If the Username column is blank then FortiGate is not authenticating your web traffic.

Fortinet FortiGate No Authentication

To understand what Fastvue Reporter shows as Users when your FortiGate is not authenticating traffic, see Understanding How Fastvue Reporter shows Users (or hostnames or IP addresses).

Once usernames are logged by FortiGate, Fastvue Reporter can match them to their User object in Active Directory. You can then utilize other features such as Department and Security Group reporting (See How do I send reports to Department Managers?).

5. Resolve Hostnames and Applications

There are situations where authenticating traffic is not an option. Perhaps you have an open guest network or need to allow Windows Updates to sail through the FortiGate without authentication issues getting in the way. In these situations, it is good to know the device name or application as the next best option.

Right at the bottom of FortiGate's Log Settings screen, there are two options under GUI Preferences called Resolve Hostnames and Resolve Unknown Applications. Enable these options to ensure hostnames and applications are logged with all traffic.

Resolving Hostnames and Unknown Applications in Fortinet FortiGate Log Settings
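The two items above describe a fallback order for identifying the source of traffic: the authenticated username when FortiGate has one, otherwise the resolved hostname, otherwise just the IP address. The added example below (not Fastvue's or Fortinet's code) applies that order to FortiOS traffic log lines and reports what share of lines carried a username, which is the same check as looking for a blank Username column in the live log. The sample lines are constructed; the field names user, srcname, srcip, app, sentbyte and rcvdbyte follow the FortiOS traffic log schema, and the hostnames, IPs and byte counts are made up.

```python
"""Resolve 'who' for each FortiGate traffic log line: username first, then the
resolved hostname, then the source IP. Added example with constructed lines."""
import shlex
from collections import Counter

# Constructed samples in FortiOS key=value syslog syntax.
# Line 1: authenticated user.
# Line 2: guest device with no user, but Resolve Hostnames supplied srcname.
# Line 3: neither (e.g. Windows Update bypassing authentication); only the IP
#         and the application name are left to report on.
SAMPLE_LOGS = [
    'date=2020-05-01 time=09:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 '
    'srcname="ALICE-LAPTOP" user="alice" app="HTTPS.BROWSER" sentbyte=1024 rcvdbyte=8192',
    'date=2020-05-01 time=09:00:02 type="traffic" subtype="forward" srcip=10.0.0.9 '
    'srcname="GUEST-IPAD" app="YouTube" sentbyte=2048 rcvdbyte=409600',
    'date=2020-05-01 time=09:00:03 type="traffic" subtype="forward" srcip=10.0.0.12 '
    'app="Windows.Update" sentbyte=512 rcvdbyte=1048576',
]


def parse_fortios_line(line):
    """Split a FortiOS key=value line into a dict; shlex handles quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def identify_source(fields):
    """Return (label, how): the best identity available for this line.
    Handles both an absent user= field and an empty one."""
    if fields.get("user"):
        return fields["user"], "user"
    if fields.get("srcname"):
        return fields["srcname"], "hostname"
    return fields.get("srcip", "unknown"), "ip"


def identity_report(lines):
    """Count how lines were identified and sum bytes per identity.
    A large 'ip' share means FortiGate is neither authenticating nor resolving
    hostnames for that traffic."""
    how_counts = Counter()
    bytes_by_identity = Counter()
    for line in lines:
        fields = parse_fortios_line(line)
        label, how = identify_source(fields)
        how_counts[how] += 1
        bytes_by_identity[label] += int(fields.get("sentbyte", 0)) + int(fields.get("rcvdbyte", 0))
    return how_counts, bytes_by_identity


def authenticated_share(lines):
    """Fraction of lines that carried a username (1.0 means fully authenticated)."""
    how_counts, _ = identity_report(lines)
    total = sum(how_counts.values())
    return how_counts["user"] / total if total else 0.0


if __name__ == "__main__":
    how_counts, bytes_by_identity = identity_report(SAMPLE_LOGS)
    print("Identified by:", dict(how_counts))
    print("Bytes per identity:", dict(bytes_by_identity))
    print("Authenticated share: {:.0%}".format(authenticated_share(SAMPLE_LOGS)))
```

On the constructed input one line in three is identified by username, one by hostname and one only by IP; on a real export, a low authenticated share for a policy that should be authenticating is the cue to revisit item 4, while a high 'ip' share on a guest network is the cue to enable Resolve Hostnames and Resolve Unknown Applications.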

6. Enable Device Detection

Identifying the device types and operating system versions in play on your network can be critical, especially as new vulnerabilities are discovered.

Are there any out of date Android devices connecting to your network? What percentage of devices connecting to your Guest network are iPads vs Windows machines?

To configure Fortinet FortiGate to identify and log the device type, go to Network | Interfaces and edit the Interface for your internal network(s). Scroll down to Networked Devices and enable Device Detection.

Enabling Device Detection in Fortinet FortiGate

You can view the devices in Fastvue Reporter for FortiGate in the IT Network and Security Report. Go to Reports | Overview Report | IT Network and Security. Select your date range and click Run Report, then scroll down to Network | Devices.

Reporting on Fortinet FortiGate Device Types and Operating Systems

7. Block QUIC

Google, owning many web properties as well as a popular web browser with Chrome (currently used by 68% of the population), decided to take web speed into their own hands and introduce a new protocol between their browser and their servers. This is called QUIC and works over UDP.

Although this is great for the web development community generally, it is not great for firewalls, as it affects the accuracy of logging and reporting (see How Google’s QUIC Protocol Impacts Network Security and Reporting). This mainly affects Google web properties such as YouTube, Google Search and Gmail, but it has also been adopted by facebook.com and is growing in popularity. As of April 2020, 4.2% of all websites use QUIC (Source: Wikipedia).

Fortunately, if you block the QUIC protocol on your FortiGate, the communication between Chrome and the webserver will fall back to normal HTTPS and be properly inspected and logged. You can block QUIC using FortiGate's Application Control, or using a Firewall Policy to block UDP traffic on port 443. For more information, see Fortinet's article on How to Block QUIC with Fortinet FortiGate.
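As an added illustration of the firewall policy approach (this is not taken from Fortinet's article), the following FortiOS CLI snippet defines a custom service for UDP 443 and a deny policy that uses it, with logging so the denied QUIC attempts show up in the traffic logs. The interface names internal and wan1 and the object names are assumptions; substitute your own.

```fortios
# Assumed names: "internal" and "wan1" are placeholders for your LAN and WAN interfaces.
config firewall service custom
    edit "QUIC-UDP-443"
        set udp-portrange 443
    next
end

config firewall policy
    edit 0
        set name "Block-QUIC"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "QUIC-UDP-443"
        set logtraffic all
    next
end
```

Because "edit 0" appends the new policy to the bottom of the policy table, move it above your general outbound allow policy (drag it in the GUI, or use the move command under config firewall policy); otherwise the allow policy matches first and QUIC is never blocked. Once it is in place, Chrome will fall back to HTTPS over TCP 443, which your web filter and SSL inspection profiles then see.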

Summary

Fastvue Reporter for FortiGate can provide fantastic visibility into your organization's internet usage. But if the reports are showing you websites you didn't visit, or if sections of the reports are blank such as YouTube videos or Search Terms, then make sure you have addressed all the items above to give your Fortinet FortiGate the best chance of logging all the data Fastvue Reporter needs to accurately report on your organization's internet and network usage.

Have you discovered any other configuration options to improve the data being logged by Fortinet FortiGate? Let us know in the comments!

