Chapter 13 Logging and Reporting : Advanced logging : Logging local-in policies
  
Logging local-in policies
Local-in security policies are policies that control the flow of traffic destined to the FortiGate unit itself, and can be used to broaden or restrict an administrator's access privileges. These local-in policies can also be configured to log the traffic and activity they control.
You can enable logging of local-in policies from either the web-based manager or the CLI. In the web-based manager, you must first enable local-in policies in System > Settings > Features by enabling Local-In Policy and selecting Apply. The Local-In Policy page will then be available in Policy > Policy > Local-In Policy.
Use the following table when deciding what to log when local-in policy activity is occurring.
Table 83: Local-in Policy Options (log option: description)
Enable Logging for Denied Traffic: Records all traffic dropped by the implicit local-in deny or by a local-in policy whose action is deny. For example, someone trying to log in on port 80 when that is not allowed by the local-in policy.
Enable Logging for Allowed Traffic: Records all administrator, system, user, and FortiGuard traffic accepted by a local-in policy.
Enable Logging for Local Out Traffic: Records all traffic originated by and leaving the FortiGate itself.
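The following CLI configuration is added here as an illustration and is not taken from the original page: it creates a local-in policy that denies HTTP (port 80) on the management interface and then turns on logging for denied, allowed, and local-out traffic, matching the three options in Table 83. The interface name port1 and the exact `config log setting` option names are assumptions; confirm them against the CLI reference for your FortiOS build.

```fortios
# Assumed: make the Local-In Policy page visible in the web-based manager
# (equivalent to System > Settings > Features > Local-In Policy > Apply).
config system global
    set gui-local-in-policy enable
end

# Deny HTTP to the FortiGate itself on the management interface.
# "all", "HTTP" and "always" are default address/service/schedule objects;
# "port1" is an assumed interface name.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTP"
        set schedule "always"
        set action deny
    next
end

# Assumed option names for the three Table 83 settings.
config log setting
    set local-in-deny-unicast enable     # Enable Logging for Denied Traffic
    set local-in-deny-broadcast enable   # (denied broadcast traffic as well)
    set local-in-allow enable            # Enable Logging for Allowed Traffic
    set local-out enable                 # Enable Logging for Local Out Traffic
end
```

After applying this, an attempt to reach port 80 on port1 is dropped by policy 1 and appears in the traffic log as a denied local-in event, which is the condition Table 83 describes for the first option.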
When deciding what local-in policy traffic you want logged, consider the following:
Table 84: Special Traffic (traffic activity, direction: description)
FortiGuard update announcements (IN): All push announcements of updates coming from the FortiGuard system, for example IPS or AV updates.
FortiGuard update requests (OUT): All requests checking for antivirus, IPS, and other FortiGuard service updates.
Firewall authentication (IN): Authentication performed using either the web-based manager or the CLI.
Central management, a FortiGate unit being managed by a FortiManager unit (IN): The access a FortiManager has when managing the FortiGate unit.
DNS (IN): All DNS traffic.
DHCP/DHCP Relay (IN): All DHCP and/or DHCP Relay traffic.
HA, heartbeat sync policy (IN/OUT): For high-end platforms with a backplane heartbeat port.
HA, session sync policy (IN/OUT): Session sync information is read from the CMDB and updated by the session sync daemon.
CAPWAP (IN): Logged only when HAVE_CAPWAP is defined.
RADIUS (IN): Recorded only within FortiCarrier.
NETBIOS forward (IN): Any interface on which NETBIOS forward is enabled.
RIP (IN)
OSPF (IN)
VRRP (IN)
BFD (IN)
IGMP (IN): Recorded only when PIM is enabled.
PIM (IN): Recorded only when PIM is enabled.
BGP (IN): Recorded only when config bgp and a bgp neighbor are enabled in the CLI.
WCCP policy (IN): Any interface on which WCCP is enabled; in Cache mode this is not recorded, because it is not available there.
WAN Opt/Web Cache (IN): Any interface where WAN Opt is enabled.
WANOpt Tunnel (IN): Recorded when HAVE_WANOPT is defined.
SSL-VPN (IN): Any interface from a zone where the action in the policy is SSL VPN.
IPsec (IN)
L2TP (IN)
PPTP (IN)
VPD (IN): Recorded only when FortiClient is enabled.
Web cache db test facility (IN): Recorded only when WA_CS_REMOTE_TEST is defined.
GDBserver (IN): Recorded only when debug is enabled.