Transcript for:
Overview of FortiGate Logging Configuration

Hey guys, welcome back. This is Devin Adams for Net Instructor, here in Tempe, Arizona, for Dynamic Worldwide Training Consultants. I do these videos, well, this series, for myself anyway. I'm studying for my NSE 4, I have this lab environment, and I'm just throwing everything and the kitchen sink at it. It's completely impromptu. I have my rubber duck here to talk to, to kind of throw ideas out against. In the last video FortiDuck here was making unauthorized changes to the FortiGate, so we went ahead and solved that: we set up and did that bind, so we made the FortiGate an LDAP client of an LDAP server, right? And now we don't have to store accounts on the FortiGate for our admins, and we created tiered support, so FortiDuck is out of luck. I did not mean to rhyme that, but that was cool.

Anyway, this video is gonna be simple, all right? And I should not upload these videos, FortiDuck, I'm going on like two days of studying. All right, so in this video it's gonna be simple: we're just gonna review the logs on the FortiGate, because you know what, I want to make sure that if FortiDuck does something on the FortiGate I can make like a paper trail. And that is also a good reason why to always use admin accounts separately. Don't share accounts; it's that whole accountability thing.

So let's go into our local PC here. All right, and I still don't know why I didn't change those settings, but that's okay. I was trying to lower the performance on these things; I must have to reboot it. Anyway, so let's go to our FortiGate, and yeah, let's go check out our logging. So I'm actually gonna log in once as FortiDuck. All right, so here he is, FortiDuck, and he has rights to everything on the FortiGate except to make system changes to the box itself. So what changes are we talking about? Those are gonna be things like accounts and account permissions directly on the FortiGate. You can see them here if you expand the settings. Also, guys, any FortiGuard or anything that has to do with, you know, the hostname, all those things are now out of FortiDuck's power.

So anyway, while he's messing around doing his thing as an admin here, we want to make sure that there are logs being generated on what he is doing. All right, so I'm gonna go ahead now, and this is actually another trick that I learned: you can use a different browser, or you can just go into incognito mode, and you can either log in with your admin credentials twice and be in two different places on the FortiGate at once, since this won't pass along the session key, but here we're gonna use it to log in as a different admin so we can take a look at the system settings. So here we go, because normally it would kick you off the second you logged in. All right, so Devin, that's me; I'm a super admin because I'm super cool like that. All right, there we go.

All right, and now let's just make sure of our FortiGate's logging. That's gonna be our first step here: so what is it logging, how is logging being handled? So we're gonna go to Log & Report, and we actually have not done any logging yet with our traffic passing through the FortiGate, okay? That's something completely different. Here we're gonna go down to Log Settings. All right, as you can see here, we're using a hard drive and that disk is available, so we are logging to the hard drive. This shows a graphical representation of everything that's been used, and it looks like we really haven't been doing much of anything. So I will not be looking at reports right now, so I'm gonna turn that off. All right, and I do want a historical view on the FortiView. So the FortiView is the graphical representation of the logs that are up here. It is amazing; this will give us those little baseline lines. Anyway, it's just nice, okay? If you don't have a hard drive, though, it will say memory. All right, and on the FortiGates that's not uncommon, for your FortiGate not to have a hard drive.

Now you do have some options here. You can do remote logging, and the FortiCloud is free, and that will give you seven days; you have to set it up first on the dashboard, all right? Or you can send it to an off-box server like FortiAnalyzer or FortiManager. They do the same thing, completely different story there, but FortiManager is central management with FortiAnalyzer capabilities; FortiAnalyzer is a beefier log aggregator itself. And look at that, the tried-and-true syslog server itself, okay? But we do have a hard drive, and it looks like we're not even using it, so good times.

So let's keep scrolling down here. Now event logging is what I wanted to make sure was turned on, and it looks like, yeah, it looks like we are collecting logs, so that's good. These are all the event logs that you can check for, all right? Now the local traffic log has to do with traffic destined to the FortiGate itself, usually not necessary unless you're troubleshooting, because what we're gonna be looking for is probably in here anyway. All right, and then down here is where you can resolve hostnames and also resolve applications if you're using the Internet Service Database. So that's a different story too, but it's kind of like getting some level of visibility for what applications are being used by doing a reverse lookup.

So anyway, FortiDuck should be, you know, should be recorded here. So if we go down to System Events, oh yeah, it's right there, there he is, FortiDuck. Yeah, pretty cool, right, guys? Look at this: someone changed configuration, the configuration has changed in the admin settings. See how that has a warning level? Let's pop open the details here. All right, so it does have a security level of warning, and that's because, well, there was a configuration change; there was something here that required the running config to be committed, so that's a pretty big deal, all right? Looks like Bob logged in, Bob logged out, we have FortiDuck. All right, so it looks like we are thankfully getting some kind of access, right, some kind of accountability of what FortiDuck is doing. And we really wanted to make like a paper trail and see what he's doing. We can right-click and do a quick filter for FortiDuck, and look at that, it just adds in all of his activities since he's logged in. And if you do have different places like the memory or the disk or the FortiAnalyzer or the FortiCloud, just don't forget to click here too, and the filters are pretty self-explanatory, all right? If the filter isn't autocompleting or you don't see what you want to see here, just make sure that you add the column, all right? So great, it looks like logs are working.

Now for traffic logs that are actually passing through the FortiGate, best practice says that you shouldn't really have to log everything, so let's actually take a look at that real quick. So if we go to our Policy & Objects and we go to IPv4 Policy, any forwarding logs will have to be defined on the firewall policy itself. So let's drill down here. All right, so we have Internet Access, okay? We really haven't done any security profiles here, but as you notice, your log is turned on but it's only for security events, so that's why we're not seeing any logs, okay? Now if we do All Sessions, it will log every single session that is brought up and terminated, okay? If you do log every session that starts, you're gonna get two logs, guys. That should rarely be used, in my humble opinion; it's usually too much information, all right? Too many logs can be just as bad as too few logs. So what we're gonna do here is we need to have a goal, obviously. Now I have never used the Capture Packets before; I'm gonna have to look into that. Usually we do that on the network tab anyway.

But let's just say that we had something here like, hey, you know what, we want to see what websites our users are going to. Sure, that's something that has to do with logs. So instead of turning on All Sessions, what we can do is turn on the web filter, and there is a profile that just says monitor-all. Now deep inspection is usually required, and it is for things like application control; that's gonna have to be a way different video, it's gonna take way too long. All right, but the good thing is, though, that we can just log where they're going to using the certificate inspection. Now certificate inspection is not deep inspection; it's just a double check of the certs, and we can use this to make some kind of accountability of what websites people are going to. So should we try it out? Let's try it out. So we'll hit OK, and this way they won't get cert errors, but then again, we're not gonna get any deep inspection involved, all right?

So let's try it out. So let's go into our... you know what, I'm actually gonna make a new computer for this one. All right, so I am going to open up my devices, because this way we can have it just running in the background. Now I really like this Webterm if you want a tiny Linux box that just has enough there to do, what do you call it, to do like web traffic, all right? So this is gonna be one of our other admins or something. So I'm gonna go over here to Configure, I'm gonna turn on DHCP, because thankfully we have a DHCP server going on. All right, there we go, and of course my resolution's too low. All right, I'm just taking it off the screen real quick to hit Save. All right, there we go, and then Apply and hit OK. And I personally like to change the icon because it makes my lab look cooler, so this guy's gonna have like an old, I don't know, an old CRT machine or something, and we'll just call him PC2 or something like that. All right, there we go. He's gonna generate some traffic for us. We'll plug him into our switch, we'll turn that bad boy on, and we'll see if we can't see what websites he's going to. All right, here we go. I love how fast these things boot, and I'm running all of this off of a laptop, guys, so I'm impressed what KVM can do.

All right, so here we go. So let's go to makeinternetnoise.com. Hey, by the way, did you guys see how I just instantly got an IP address? What? Okay, make some noise. Make some noise. Are we getting cert errors? Are we getting cert errors? I'm not seeing any cert errors. No, and that's because it's using certificate-based inspection to see where people are going, all right? We don't get any deep inspection, but at least it's good enough for that. So I'm gonna leave that running in the background, and in the meantime let's go back to our FortiGate. Let's see here. All right, and if we go to our log files now, so let's go to Log & Report and let's go to our Forward Traffic log, and we should now see, yeah, exactly, forwarding logs. And guys, can we see where they're going to? You better believe it, yeah, exactly. And look at this, see, little penguin, yeah, yeah. So that's device identification happening, and also right here is the reverse database that you can do for application names.

So real quickly, what that is, I should just reiterate that the FortiGate does offer a database as part of the FortiGuard services. So if we go to Policy & Objects and if you go to Internet Service Database, this is a collection of the most popular public IP addresses of applications and their transfer protocols and their protocols and all their individual IP addresses. So it's a huge database of like everything going out to Amazon or everything going out to Google. It's actually quite amazing, guys, and that's always growing. In fact, because I just dropped the license in not that long ago, it probably is still updating itself, and you can confirm that by going to System, go to the FortiGuard services, and you can check the version numbers here, and it will take a while for everything to kind of come up to par here. And then you can force it, obviously, by hitting this button right here to update all the databases, all right? Now the web filtering and everything like that, that's actually done by a live query, and that will be a different topic someday. But yeah, eventually, you know, if you hover over it you can see when the last time they were updated, and it should probably take a while before everything is 100% up to date, but it will.

So there you go, at least we got some logging going on. And also, by the way, because we're just logging security events, that's also why you weren't seeing a whole bunch of minutiae in there. Also, you weren't seeing like huge DNS requests, you weren't seeing anything like, you know, ICMP traffic or whatever, okay? Now if you go to your web filtering, let's see here, there we go, this is where you can filter out that traffic just for its action, its category; see how the category is coming up on where they're going to, all right? And that's all part of the FortiGuard web license. And yes, the log view is nice: you can click it, you can hit Details so you can drill down. I love the FortiView, guys. If you go to FortiView there are different graphical representations of these things, so for example, Websites, yeah, there you go, you can see the domains, you can see the categories. Heck, if we had deep inspection turned on, we could also see the search phrases, all right? So I don't know why categories conked out there. See, this is what our historical view can do. We can also do it over time, we can find out what normal looks like; there are even bubbles, there we go, to graphically represent the stuff. So it's pretty darn cool. You can also save this to a widget if you wanted to create a dashboard; you can also get this thing to auto-update itself every so often. So a lot of good stuff there, guys.

So okay, I'm gonna keep that short, and yeah, me and rubber duck, I mean FortiDuck, will try to figure out something else to do, but I just wanted to do a real quick review on logging. So just don't forget that you have to turn it on in the Log Settings for system events, and also forwarding traffic logging is defined on the firewall policy, and it's best practice to log security events with a profile set to monitor-all instead of logging all sessions being created, because it's usually too much data. So all right, guys, until next time.
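Added example, not from the video or from Fortinet: a small Python script that does offline what the transcript does in the GUI. It parses FortiGate key=value event and traffic log lines, quick-filters one admin's activity, pulls out configuration-change records (the cfgpath/cfgobj/cfgattr fields those events carry), checks whether one admin account is being used from several source addresses (the shared-account accountability problem the speaker raises), and counts traffic records against distinct sessions to show why logging all sessions with session-start logging roughly doubles the volume. The log lines, admin names (fortiduck, bob), addresses, session IDs and timestamps are constructed for the example; the field names follow the FortiGate log format, but the values and the exact logdesc wording are assumptions.

```python
"""Build an admin paper trail from FortiGate event/traffic logs (added example)."""
import re
from collections import defaultdict

# FortiGate logs are key=value pairs; values containing spaces are double-quoted.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records: field names follow the FortiGate format, values are made up.
SAMPLE_EVENT_LOGS = """\
date=2019-06-01 time=10:02:11 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="bob" ui="https(192.168.1.20)" method="https" srcip=192.168.1.20 action="login" status="success" msg="Administrator bob logged in successfully from https(192.168.1.20)"
date=2019-06-01 time=10:05:40 type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" user="bob" ui="https(192.168.1.20)" method="https" srcip=192.168.1.20 action="logout" status="success" msg="Administrator bob logged out from https(192.168.1.20)"
date=2019-06-01 time=10:07:03 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="fortiduck" ui="https(192.168.1.50)" method="https" srcip=192.168.1.50 action="login" status="success" msg="Administrator fortiduck logged in successfully from https(192.168.1.50)"
date=2019-06-01 time=10:08:15 type="event" subtype="system" level="warning" vd="root" logdesc="Object attribute configured" user="fortiduck" ui="GUI(192.168.1.50)" action="Edit" cfgtid=1 cfgpath="firewall.address" cfgobj="LAN_subnet" cfgattr="subnet[10.0.1.0 255.255.255.0->10.0.0.0 255.255.0.0]" msg="Edit firewall.address LAN_subnet"
date=2019-06-01 time=10:09:30 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="fortiduck" ui="https(192.168.1.77)" method="https" srcip=192.168.1.77 action="login" status="success" msg="Administrator fortiduck logged in successfully from https(192.168.1.77)"
"""

SAMPLE_TRAFFIC_LOGS = """\
date=2019-06-01 time=10:12:00 type="traffic" subtype="forward" level="notice" srcip=10.0.1.25 dstip=93.184.216.34 dstport=443 sessionid=501 action="start" policyid=1
date=2019-06-01 time=10:12:09 type="traffic" subtype="forward" level="notice" srcip=10.0.1.25 dstip=93.184.216.34 dstport=443 sessionid=501 action="close" policyid=1 duration=9 sentbyte=1330 rcvdbyte=5520
date=2019-06-01 time=10:12:10 type="traffic" subtype="forward" level="notice" srcip=10.0.1.25 dstip=8.8.8.8 dstport=53 sessionid=502 action="start" policyid=1
date=2019-06-01 time=10:12:10 type="traffic" subtype="forward" level="notice" srcip=10.0.1.25 dstip=8.8.8.8 dstport=53 sessionid=502 action="accept" policyid=1 duration=0 sentbyte=60 rcvdbyte=120
"""


def parse_record(line):
    """Turn one log line into a dict of field -> value (quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _TOKEN.finditer(line)}


def parse_log(text):
    """Parse a multi-line log export into a list of records, skipping blank lines."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def admin_trail(records, user):
    """Offline version of the GUI quick filter: every system event by one admin."""
    return [(r["time"], r.get("action", ""), r.get("msg", ""))
            for r in records
            if r.get("type") == "event" and r.get("subtype") == "system"
            and r.get("user") == user]


def config_changes(records):
    """Configuration-change events carry cfgpath/cfgobj; these are the paper trail."""
    return [r for r in records if "cfgpath" in r]


def login_sources(records):
    """Map each admin to the sorted source IPs it has logged in from.

    One named account seen from several sources is the shared-credential
    pattern that defeats per-admin accountability.
    """
    sources = defaultdict(set)
    for r in records:
        if r.get("action") == "login" and r.get("status") == "success":
            sources[r["user"]].add(r["srcip"])
    return {user: sorted(ips) for user, ips in sources.items()}


def session_volume(records):
    """Return (traffic record count, distinct session count).

    With session-start logging enabled every session produces a start record
    and an end record, so the first number is about twice the second.
    """
    traffic = [r for r in records if r.get("type") == "traffic"]
    return len(traffic), len({r["sessionid"] for r in traffic})


if __name__ == "__main__":
    events = parse_log(SAMPLE_EVENT_LOGS)
    for when, action, msg in admin_trail(events, "fortiduck"):
        print(when, action, msg)
    for r in config_changes(events):
        print("CONFIG CHANGE:", r["user"], r["action"], r["cfgpath"], r["cfgobj"], r.get("cfgattr", ""))
    for user, ips in login_sources(events).items():
        if len(ips) > 1:
            print(f"{user} logged in from {len(ips)} addresses {ips}: shared account?")
    total, sessions = session_volume(parse_log(SAMPLE_TRAFFIC_LOGS))
    print(f"{total} traffic records for {sessions} sessions")
```

Point the functions at a real export (a file saved from Log & Report, or lines collected by a syslog server) by reading it into `parse_log`; the quoted-value handling matters because fields such as msg and cfgattr contain spaces and would otherwise split apart.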