Detecting attacks using fortigate firewall logs with log samples

FortiGate firewalls are a popular security tool used by organizations to protect their networks from cyber threats. They provide a range of security features, including intrusion prevention, application control, and web filtering. Analyzing the logs generated by FortiGate firewalls can help security teams detect and respond to attacks in a timely manner. In this blog post, we will discuss how to detect attacks using FortiGate firewall logs with log samples and attack examples.

1. Port Scanning

Port scanning is a technique used by attackers to identify open ports on a network. They do this to discover potential vulnerabilities that they can exploit. FortiGate firewalls can detect port scanning by analyzing the traffic that passes through them. FortiGate firewalls log each traffic event in a file named trafficlog. FortiGate traffic logs record each session’s traffic flow, which includes the source and destination IP addresses, the source and destination port numbers, the protocol used, and the number of bytes sent and received. The following is an example of a FortiGate traffic log entry for port scanning:

codedate=2022-04-12 time=08:21:43 devname=FORTIGATE-12345 devid=FGT1234567890123 logid=1234567890 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.10 srcport=53236 srcintf="internal" dstip=192.168.2.20 dstport=3389 dstintf="dmz" sessionid=1234567890 proto=6 action=allowed policyid=4 policytype=policy dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="RDP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" devtype="Server/Workstation" osname="Windows" osversion="Microsoft Windows 10" mastersrcmac=00:11:22:33:44:55 srcmac=00:11:22:33:44:55 dstmac=00:11:22:33:44:55

In this example, the FortiGate firewall detected a port scan from IP address 192.168.1.10 to IP address 192.168.2.20 on port 3389.

2. Denial of Service (DoS) Attacks

DoS attacks are a type of attack that flood a network with traffic, causing it to become unavailable to legitimate users. FortiGate firewalls can detect DoS attacks by analyzing the traffic that passes through them. FortiGate firewalls log each traffic event in a file named trafficlog. The following is an example of a FortiGate traffic log entry for a DoS attack:

date=2022-04-12 time=08:30:10 devname=FORTIGATE-12345 devid=FGT1234567890123 logid=1234567890 type=attack subtype=ips level=notice vd=root srcip=192.168.1.20 dstip=192.168.2.30 attack="UDP flood" proto=17 service=0/0 duration=1 attackid=12005

In this example, the FortiGate firewall detected a DoS attack from IP address 192.168.1.20 to IP address 192.168.2.30 using the UDP flood technique.

3. Malware Infections

Malware infections are a significant threat to organizations as they can lead to data theft, financial losses, and reputational damage. FortiGate firewalls can detect malware infections by analyzing the traffic that passes through them. FortiGate firewalls log each traffic event in a file named trafficlog. The following is an example of a FortiGate traffic log entry for a malware infection:

codedate=2022-04-12 time=09:15:20 devname=FORTIGATE-12345 devid=FGT1234567890123 logid=1234567890 type=threat subtype=ips level=warning vd=root srcip=192.168.1.30 dstip=192.168.2.40 srcport=4578 dstport=80 protocol=6 action=deny threat-id=2147418112 attack-id=0 policyid=5 policytype=policy dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" devtype="Server/Workstation" osname="Windows" osversion="Microsoft Windows 10" mastersrcmac=00:11:22:33:44:55 srcmac=00:11:22:33:44:55 dstmac=00:11:22:33:44:55

In this example, the FortiGate firewall detected a malware infection from IP address 192.168.1.30 to IP address 192.168.2.40 on port 80 using the HTTP protocol.

4. Brute Force Attacks

Brute force attacks are a type of attack where the attacker tries to guess a user’s password by trying multiple combinations of characters. FortiGate firewalls can detect brute force attacks by analyzing the traffic that passes through them. FortiGate firewalls log each traffic event in a file named trafficlog. The following is an example of a FortiGate traffic log entry for a brute force attack:

date=2022-04-12 time=09:45:35 devname=FORTIGATE-12345 devid=FGT1234567890123 logid=1234567890 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.40 srcport=5678 srcintf="internal" dstip=192.168.2.50 dstport=22 dstintf="dmz" sessionid=1234567890 proto=6 action=allowed policyid=6 policytype=policy dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="SSH" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" devtype="Server/Workstation" osname="Linux" osversion="Ubuntu Linux 20.04 LTS" mastersrcmac=00:11:22:33:44:55 srcmac=00:11:22:33:44:55 dstmac=00:11:22:33:44:55

In this example, the FortiGate firewall detected a brute force attack from IP address 192.168.1.40 to IP address 192.168.2.50 on port 22 using the SSH protocol.

Conclusion Analyzing FortiGate firewall logs can help security teams detect and respond to attacks in a timely manner. By using FortiGate firewall logs, security teams can identify various types of attacks, such as port scanning, DoS attacks, malware infections, and brute force attacks. It is essential to review FortiGate firewall logs regularly and create alerts for suspicious activity to improve the detection of attacks. By implementing these measures, organizations can enhance their security posture