Explore and Analyze FortiGate Events
After Logpoint ingests FortiGate logs:
Use Search to access and examine events.
View events in real time through Dashboards.
Generate Reports for compliance and trend analysis.
Configure Alerts to get notified of critical or suspicious activity.
Search
Use the following queries to explore common FortiGate events:
All FortiGate logs
col_type IN ["fortigate", "fortinet"] OR norm_id = "Forti*"
Traffic allow events
norm_id = "Forti*" event_category = "traffic" action = "allow"
Traffic deny events
norm_id = "Forti*" event_category = "traffic" action = "deny"
Attack detections
norm_id = "Forti*" attack = *
IPS events
norm_id = "Forti*" event_category = "utm" sub_category = "ips"
Virus detections
norm_id = "Forti*" event_category = "utm" sub_category = "virus"
Antivirus botnet warnings
norm_id = "Forti*" event_category IN ["av", "antivirus"] sub_category = "botnet"
URL filtering blocks
norm_id = "Forti*" sub_category = "webfilter" action IN ["blocked", "deny"]
VPN tunnel events
norm_id = "Forti*" event_category = "event" sub_category = "vpn"
SSL VPN login failures
norm_id = "Forti*" event_category = "event" sub_category = "vpn" message_id = "39426"
Admin login events
norm_id = "Forti*" event_category = "event" sub_category = "system" message_id IN ["32001", "32002"]
Configuration changes
norm_id = "Forti*" message_id IN ["32102", "32104", "44544", "44545", "44546"]
Data leak protection
norm_id = "Forti*" event_category = "utm" sub_category = "dlp"
DNS query events
norm_id = "Forti*" log_id = "054000"
Anomaly detection
norm_id = "Forti*" event_category = "anomaly"
Critical system events
norm_id = "Forti*" log_level = "critical"
FortiMail rejected emails
norm_id = "Forti*" action = "Reject"
High bandwidth usage
norm_id = "Forti*" event_category = "traffic"
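To sanity-check the queries above before running them in Logpoint, it helps to see exactly which raw FortiOS fields they depend on. The following is an added example, not Logpoint or Fortinet code: it parses raw FortiOS key=value syslog lines into the normalized field names the queries use and then evaluates the page's own query strings against them. It assumes (the page does not state this) that raw keys map to normalized fields as in FIELD_MAP, that message_id is the trailing five digits of the FortiOS logid value (logid="0101039426" becomes message_id "39426"), and that matching is case-sensitive. The sample log lines are constructed.

```python
"""Offline check of the FortiGate search queries listed above (added example,
not Logpoint or Fortinet code; see the lead-in for the assumptions made)."""
import fnmatch
import re
from typing import Dict, List

# key=value pairs: values are "quoted" (may contain spaces) or bare tokens
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# one query term: field = "value" | field = * | field IN ["a", "b"]
_TERM = re.compile(r'(\w+)\s*(IN|=)\s*("[^"]*"|\*|\[[^\]]*\])')

FIELD_MAP = {  # raw FortiOS key -> normalized field used in the page's queries (assumed mapping)
    "type": "event_category", "subtype": "sub_category", "level": "log_level",
    "srcip": "source_address", "dstip": "destination_address",
    "user": "user", "action": "action", "attack": "attack", "devname": "device_name",
}

def parse_fortigate(line: str) -> Dict[str, str]:
    """Turn one raw FortiOS log line into a dict of normalized fields."""
    raw = {k: v.strip('"') for k, v in _KV.findall(line)}
    event = {"norm_id": "FortiGate"}              # the page matches norm_id = "Forti*"
    for raw_key, norm_key in FIELD_MAP.items():
        if raw_key in raw:
            event[norm_key] = raw[raw_key]
    logid = raw.get("logid")
    if logid:
        event["log_id"] = logid
        event["message_id"] = str(int(logid[-5:]))  # assumption: "0100032001" -> "32001"
    return event

def _term_matches(event: Dict[str, str], field: str, op: str, operand: str) -> bool:
    if field not in event:
        return False
    if operand == "*":                              # field = *  : the field merely has to exist
        return True
    if op == "IN":                                  # field IN ["a", "b"]
        return event[field] in re.findall(r'"([^"]*)"', operand)
    return fnmatch.fnmatchcase(event[field], operand.strip('"'))  # "Forti*" style globs

def matches(query: str, event: Dict[str, str]) -> bool:
    """Terms are implicitly ANDed; a top-level OR separates alternatives.
    That is all the page's queries need; this is not a full Logpoint query parser."""
    return any(all(_term_matches(event, *t) for t in _TERM.findall(clause))
               for clause in query.split(" OR "))

QUERIES = {  # copied from the list above
    "All FortiGate logs": 'col_type IN ["fortigate", "fortinet"] OR norm_id = "Forti*"',
    "Traffic deny events": 'norm_id = "Forti*" event_category = "traffic" action = "deny"',
    "Attack detections": 'norm_id = "Forti*" attack = *',
    "IPS events": 'norm_id = "Forti*" event_category = "utm" sub_category = "ips"',
    "SSL VPN login failures": 'norm_id = "Forti*" event_category = "event" sub_category = "vpn" message_id = "39426"',
    "Admin login events": 'norm_id = "Forti*" event_category = "event" sub_category = "system" message_id IN ["32001", "32002"]',
    "Critical system events": 'norm_id = "Forti*" log_level = "critical"',
}

# Constructed sample lines in FortiOS syslog format (addresses from RFC 5737 test ranges).
SAMPLE_LOGS = [
    'date=2024-05-02 time=10:15:01 devname="FGT-EDGE" logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=10.20.30.40 srcport=51515 srcintf="port2" dstip=198.51.100.9 dstport=445 '
    'dstintf="wan1" proto=6 action="deny" policyid=0 service="SMB"',
    'date=2024-05-02 time=10:15:07 devname="FGT-EDGE" logid="0101039426" type="event" subtype="vpn" level="alert" '
    'vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" user="jdoe" '
    'remip=203.0.113.7 reason="sslvpn_login_unknown_user"',
    'date=2024-05-02 time=10:16:40 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" '
    'srcip=10.0.0.5 action="login" status="success"',
    'date=2024-05-02 time=10:17:02 devname="FGT-EDGE" logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" vd="root" severity="high" srcip=203.0.113.50 dstip=10.20.30.40 '
    'action="dropped" attack="Constructed.Test.Signature"',
    # constructed critical event; logid omitted on purpose to show the parser tolerates its absence
    'date=2024-05-02 time=10:18:15 devname="FGT-EDGE" type="event" subtype="system" level="critical" '
    'vd="root" logdesc="HA member unavailable"',
]

def run_queries(lines: List[str], queries: Dict[str, str] = QUERIES) -> Dict[str, List[int]]:
    """Return, per query name, the indexes of the lines it matches."""
    events = [parse_fortigate(line) for line in lines]
    return {name: [i for i, ev in enumerate(events) if matches(q, ev)]
            for name, q in queries.items()}

if __name__ == "__main__":
    for name, hits in run_queries(SAMPLE_LOGS).items():
        print(f"{name:24s} -> lines {hits}")
```

Two things worth noticing when you run it: the SSL VPN failure line carries the client address in remip rather than srcip, so a query keyed on source_address would miss it unless the normalizer maps remip as well; and norm_id = "Forti*" is deliberately wide, which is why the page's "FortiMail rejected emails" query can use the same prefix.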
Dashboards
LP_FortiGate: General Dashboard
The LP_FortiGate: General dashboard provides a comprehensive overview of FortiGate activity across your environment, showing patterns in application usage, geographic traffic distribution, service utilization, and configuration changes. It helps you monitor overall security posture, track severity trends, identify top applications and services, and investigate configuration modifications.
Dashboard Widgets:
Top 10 Applications Usages
The top 10 most used applications.
Top 10 Destination Ports
The top 10 destination ports detected.
Top 10 Destination Locations
The top 10 destination locations detected.
Top 10 Source Locations
The top 10 source locations detected.
Top 10 Source Addresses
The top 10 source addresses detected.
Top 10 Destination Addresses
The top 10 destination addresses detected.
Top 10 Source Ports
The top 10 source ports detected.
Top Severity by Timetrend
A time trend of severity.
Top 10 Services Usages
The top 10 used services.
Top 10 Sub Categories
The top 10 sub-categories.
Top Actions over Applications
The top actions taken per application.
Top 10 Source Location by Sessions
The top 10 source countries by sessions.
Top 10 Destination Locations by Sessions
The top 10 destination countries by sessions.
Configuration Changes - Details
Configuration changes by user, device name, user interface, and configuration path. The widget requires events with the message IDs 32569, 32693, 32694, 32695, 32696, 32697, 32699, 44544, 44545, 44546, 44549, 44550, 44551, 44552, and 044547.
Events Descriptions
The FortiGate events.
LP_FortiGate: System Overview Dashboard
The LP_FortiGate: System Overview dashboard provides high-level insights into system health and event distribution across your FortiGate environment. It helps you monitor severity trends, understand event type distribution, track traffic patterns, and identify sub-category breakdowns for quick threat assessment.
Dashboard Widgets:
Time trend of severity
A time trend of severity where the values of severity are: 0 (Emergency), 1 (Alert), 2 (Critical), 3 (Error), 4 (Warning), 5 (Notifications), 6 (Informational), and 7 (Debugging).
Top 10 Sub-Categories
The top 10 sub-categories, for example Business for a site such as abc.com.
Traffic Over Time
An overview of the network traffic received per hour.
Time Trend of Event Type
A time trend of FortiGate event categories.
LP_FortiGate: Traffic Dashboard
The LP_FortiGate: Traffic dashboard provides real-time insights into network traffic patterns, bandwidth consumption, and connection status across your environment. It helps you monitor bandwidth usage by geography and application, identify high-traffic sources and destinations, track forward traffic trends, and investigate denied connections.
Dashboard Widgets:
Bandwidth Usage for Past 24 Hours
The amount of data transmitted (in MB) over the network in the past 24 hours.
Bandwidth Usage by Source Locations
The amount of data transmitted (in MB) over the network by source locations.
Bandwidth Usage by Destination Locations
The amount of data transmitted (in MB) over the network by destination locations.
Top 10 Source Addresses by Bandwidth Usage
The top 10 source addresses based on the amount of data (in MB) transmitted over the network.
Top 10 Destination Addresses by Bandwidth Usage
The top 10 destination addresses based on the amount of data (in MB) transmitted over the network.
Top 10 Applications by Bandwidth Usage
The top 10 applications based on the amount of data (in MB) transmitted over the network.
Bandwidth Used by Source Interfaces
The amount of data (in MB) received from the source interface.
Bandwidth Usage by Destination Interface
The amount of data (in MB) transmitted to the destination interface.
Forward Traffic Over Time
The network packets forwarded per hour.
Top 10 Source Address with High Outbound Traffic
The top 10 source addresses with high outbound network traffic detected by FortiGate.
Top 10 Destination Address with High Outbound Traffic
The top 10 destination addresses with high outbound traffic detected by FortiGate.
Top 10 Source Address in Denied Connection
The top 10 source addresses whose connections were denied.
Denied Connection Details
Details of the connections denied by FortiGate.
Top 10 Destination Address in Denied Connection
The top 10 destination addresses whose connections were denied.
LP_FortiGate: Web Dashboard
The LP_FortiGate: Web dashboard provides real-time insights into web traffic and filtering activities across your environment, showing patterns in web requests, blocked content, and bandwidth usage by hosts. It helps you monitor web browsing behavior, track blocked requests, analyze host bandwidth consumption, and categorize web applications.
Dashboard Widgets:
Web Request Details - List
The web requests detected.
Web Request Details - Timechart for Past Hour
A time chart of the web requests detected in the past hour.
Action on Hosts - List
Actions performed on hosts, such as adding a new host.
Bandwidth Received or Sent by Host Details
The amount of data sent and received (in MB) by each host.
Web Request Blocked Details - List
The web requests blocked.
Top 10 Web Application Sub-Categories
The top 10 web applications sub-categories, such as business or entertainment.
LP_FortiGate: Attack Dashboard
The LP_FortiGate: Attack dashboard provides real-time insights into detected attacks and intrusion attempts across your environment, showing patterns in attack types, geographic distribution, and criticality levels. It helps you identify attack sources and destinations, monitor attack trends, assess threat severity, and track attacks by port and direction.
Dashboard Widgets:
Attacks - List
Attacks detected.
Distinct Count of Attacks by Critical Level
Number of attacks based on their criticality.
Distinct Count of Incoming or Outgoing Attacks
Number of incoming and outgoing attacks.
Top Distinct Attacks by Source Locations
Attacks detected based on the source location.
Top Distinct Attacks by Destination Locations
Attacks detected based on the destination location.
Attack - Details
Attacks based on the log severity, attack ID, direction, action, source country and destination country.
Top Distinct Attacks on Source Ports
Attacks detected, by source port.
Top Distinct Attacks on Destination Ports
Attacks detected, by destination port.
LP_FortiGate: Web - Extended Dashboard
The LP_FortiGate: Web - Extended dashboard provides comprehensive real-time insights into web traffic and filtering activities with extended time ranges. It helps you monitor web browsing patterns over longer periods, track blocked requests, analyze host bandwidth consumption, and categorize web applications for trend analysis.
Dashboard Widgets:
Web Request Details - List
The web requests detected.
Web Request Details - Timechart
A time chart of web requests detected.
Action on Hosts - List
Actions performed on hosts, such as adding a new host.
Bandwidth Received or Sent by Host Details
The amount of data sent and received (in MB) by each host.
Web Request Blocked Details - List
The web requests blocked by FortiGate.
Top 10 Web Application Sub-Categories
The top 10 web applications sub-categories, such as business or entertainment.
LP_FortiMail Dashboard
The LP_FortiMail dashboard provides real-time insights into email security events across your environment, showing patterns in spam detection, virus infections, encrypted emails, and rejected messages. It helps you monitor email traffic flows, identify targeted users, track virus-infected and spam emails, and investigate system activities and configurations.
Dashboard Widgets:
Rejected Email List
Rejected emails with reason.
Top 10 Sender - Inbound
The top 10 senders of inbound email.
Top 10 Email Receiver - Inbound
The top 10 recipients who received the highest number of emails.
Top 10 Sender - Outbound
The top 10 senders of outbound email.
Top 10 Spam Email Sender
The top 10 senders of spam email.
Top 10 Encrypted Email Sender
The top 10 senders of encrypted email.
Virus Infected Email
The virus-infected emails.
System Activity Monitor
The system activities events.
System Admin Monitor
The system admin events.
System Config Monitor
The system configuration events.
System HA Monitor
The system high-availability (HA) events.
System Update Events
The system update events.
WebMail Events
The webmail events.
Incoming Email - Timetrend
The count of incoming emails received in the last 24 hours.
Outgoing Email - Timetrend
The count of outgoing emails sent in the last 24 hours.
Virus Infection Email - Timetrend
The virus-infected emails received in the last 24 hours.
Spam Email - Timetrend
The spam emails received in the last 24 hours.
Top Email Sending Domain
The top 10 domains sending emails.
Users Most Targeted
The users targeted by spam emails and virus-infected emails.
Adding FortiGate Dashboards
Navigate to Settings >> Knowledge Base >> Dashboards.
Select VENDOR DASHBOARD from the dropdown.
Click the Use icon under Actions of the required dashboard.
Click Choose Repos.
Select the repository configured for FortiGate logs and click Done.
In Ask Repos, select the dashboard and click Ok.
The dashboard will appear under Dashboards. You can view details about each widget by clicking the Info icon.
Reports
Logpoint provides FortiGate report packages that give time-bound summaries and trend analyses of security events, traffic patterns, and threat activity.
Available Report Packages
LP_Fortigate: Comprehensive FortiGate security and traffic reports
LP_Fortigate - Extended: Extended FortiGate reports with additional metrics and longer time ranges
Generating FortiGate Reports
Access Report Templates
Go to Reports >> Reports Templates.
Select VENDOR REPORT TEMPLATES from the dropdown.
Click the action icon for FortiGate.
Run Report
Click the Run This Report icon.
Configure report parameters:
Repos: Select FortiGate log repos.
Time Zone: Set appropriate timezone.
Time Range: Define the analysis period.
Export Type: Choose PDF or HTML format.
Email: Specify recipients.
Access Generated Reports
View report generation status under Report Jobs.
Download completed reports from Inbox in PDF or HTML format.
Alerts
Admin and System Alerts
LP_FortiGate Admin Login Disable
Triggered when the administrator login is disabled in the system.
ATT&CK Category: Impact, Credential Access, Persistence
ATT&CK Tag: Account Access Removal, Account Manipulation
ATT&CK ID: T1531, T1098
norm_id=Forti* event_category=event sub_category=system message_id=32021 user=*
LP_FortiGate Critical Events
Triggered when critical events in the system are detected.
ATT&CK Category: Discovery
ATT&CK Tag: Network Service Scanning
ATT&CK ID: T1046
norm_id=Forti* event_category=event sub_category=system log_level=critical
Threat Detection Alerts
LP_FortiGate Anomaly
Triggered when an anomaly in the system is detected.
ATT&CK Category: Discovery
ATT&CK Tag: Network Service Scanning
ATT&CK ID: T1046
norm_id=Forti* event_category=anomaly sub_category=anomaly log_level=alert attack=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
LP_FortiGate Attack
Triggered when an attack in the system is detected.
ATT&CK Category: Impact
ATT&CK Tag: Network Denial of Service
ATT&CK ID: T1498
norm_id=Forti* attack=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
LP_FortiGate Malicious URL Attack
Triggered when the IPS detects a connection to a malicious URL. This alert rule is valid only for FortiOS V6.0.4.
ATT&CK Category: Initial Access
ATT&CK Tag: Phishing, Spearphishing Link
ATT&CK ID: T1566, T1566.002
norm_id=Forti* event_category=ips sub_category="malicious-url" message_id=16399 | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
LP_FortiGate TCP-UDP Anomaly
Triggered when TCP or UDP anomaly in the system is detected.
norm_id=Forti* event_category=anomaly sub_category=anomaly message_id=18432 | process geoip(source_address) as source_location | process geoip(destination_address) as destination_location
Antivirus and Malware Alerts
LP_FortiGate Antivirus Botnet Warning
Triggered when a botnet warning from antivirus is detected.
ATT&CK Category: Command and Control, Impact
ATT&CK Tag: Proxy, Network Denial of Service
ATT&CK ID: T1090, T1498
norm_id=Forti* (event_category=av OR event_category=antivirus) sub_category=botnet message_id=9248 | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
LP_FortiGate Antivirus Scan Engine Load Failed
Triggered when an antivirus scan engine load failure is detected.
ATT&CK Category: Defense Evasion
ATT&CK Tag: Impair Defenses, Disable or Modify Tools
ATT&CK ID: T1562, T1562.001
norm_id=Forti* event_category=av sub_category=scanerror message_id=8974 | process geoip(source_address) as source_location | process geoip(destination_address) as destination_location
LP_FortiGate Virus
Triggered when a virus is detected.
ATT&CK Category: Discovery, Defense Evasion
ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion
ATT&CK ID: T1046, T1211
norm_id=Forti* event_category=utm sub_category=virus | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
IPS and Security Alerts
LP_FortiGate IPS Events
Triggered when an intrusion attempt is detected in the system.
ATT&CK Category: Discovery, Defense Evasion
ATT&CK Tag: Network Service Scanning, Exploitation for Defense Evasion
ATT&CK ID: T1046, T1211
norm_id=Forti* event_category=utm sub_category=ips user=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
LP_FortiGate Data Leak Protection
Triggered when a data leak attempt is detected.
ATT&CK Category: Exfiltration
ATT&CK Tag: Automated Exfiltration
ATT&CK ID: T1020
norm_id=Forti* event_category=utm sub_category=dlp file=* | process geoip(source_address) as source_country | process geoip(destination_address) as destination_country
VPN Alerts
LP_FortiGate VPN SSL User Login Failed
Triggered when an SSL VPN login failure is detected.
ATT&CK Category: Initial Access, Credential Access
ATT&CK Tag: Valid Accounts, Brute Force
ATT&CK ID: T1078, T1110
norm_id=Forti* event_category=event sub_category=vpn message_id=39426 user=*
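The rule above raises an incident for every single SSL VPN login failure, which is noisy on any VPN gateway with real users. What a brute-force (T1110) detection usually needs is the stateful version: count failures per client address in a sliding window and report a source the first time it crosses a threshold, noting how many distinct usernames it tried (many usernames from one address points to password spraying, one username to a classic brute force). The following is an added example, not Logpoint's rule. It assumes (the page does not state this) that events are already normalized to the field names used in this page's queries, that the SSL VPN client address is in source_address, and that timestamps are ISO 8601 strings; all events are constructed.

```python
"""Sliding-window SSL VPN login-failure detection (added example, not Logpoint's
rule; see the lead-in for the assumptions made)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

def _fail(ts: str, src: str, user: str) -> dict:
    """One constructed, normalized 'SSL VPN login fail' event (message_id 39426).
    Assumption: the client address is normalized into source_address."""
    return {"timestamp": ts, "norm_id": "FortiGate", "event_category": "event",
            "sub_category": "vpn", "message_id": "39426",
            "source_address": src, "user": user}

FAILED_LOGINS = (                                                    # constructed input
    [_fail("2024-05-02T09:00:00", "203.0.113.7", "jdoe")]             # old: outside the window by 10:15
    + [_fail(f"2024-05-02T10:15:{s:02d}", "203.0.113.7", "jdoe")     # five failures in under a minute, one account
       for s in (7, 19, 31, 44, 58)]
    + [_fail(f"2024-05-02T10:2{m}:00", "198.51.100.23", u)           # five accounts in four minutes: spraying
       for m, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [_fail("2024-05-02T11:00:00", "192.0.2.10", "ops"),            # two failures: probably a mistyped password
       _fail("2024-05-02T11:00:30", "192.0.2.10", "ops")]
)

def sslvpn_bruteforce(events: List[dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5),
                      spray_users: int = 3) -> List[dict]:
    """Return one finding per source the first time it reaches `threshold` SSL VPN
    login failures inside `window`. `pattern` is 'password-spray' when the failures
    span at least `spray_users` distinct usernames, otherwise 'brute-force'."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: set = set()
    findings: List[dict] = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):          # process in time order
        if ev.get("message_id") != "39426":                            # same filter as the alert rule above
            continue
        ts = datetime.fromisoformat(ev["timestamp"])
        src = ev["source_address"]
        q = recent[src]
        q.append((ts, ev.get("user", "")))
        while q and ts - q[0][0] > window:                             # evict failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged.add(src)                                           # report each source once
            users = {u for _, u in q}
            findings.append({
                "source_address": src, "failures": len(q), "distinct_users": len(users),
                "pattern": "password-spray" if len(users) >= spray_users else "brute-force",
                "window_start": q[0][0].isoformat(), "window_end": ts.isoformat(),
            })
    return findings

if __name__ == "__main__":
    for finding in sslvpn_bruteforce(FAILED_LOGINS):
        print(finding)
```

With the constructed input, 203.0.113.7 is reported as a brute force against jdoe, 198.51.100.23 as a password spray across five accounts, and 192.0.2.10 with two failures is not reported at all; the 09:00 failure is evicted before the 10:15 burst is counted. Tune threshold and window to your user population, and keep the page's single-event rule for the low-volume sources where every failure matters (service accounts, admins).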
FortiMail Alerts
LP_Dynamic List FORTIMAIL_SESSION Update
Triggered to update the dynamic list FORTIMAIL_SESSION every time an email message rejected by a FortiMail unit is detected.
norm_id=Forti* session_id=* action="Reject" | process toList(FORTIMAIL_SESSION, session_id)
Adding FortiGate Alerts
Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Select Vendor Rules from the dropdown.
Click the Use icon under Actions of the desired FortiGate alert.
After you add an alert rule, Logpoint redirects you to the Used Alert Rules page. When a FortiGate alert triggers, Logpoint generates an incident on the Incidents page.